Tnms 14.1 10: Coriant TNMS Installation Manual (IMN, Windows)


TNMS

14.1 10

Coriant TNMS
Installation Manual (IMN, Windows)

Issue: 5 Issue date: July 2014

A50023-K2035-X040-05-76D1

Coriant is continually striving to reduce the adverse environmental
effects of its products and services. We would like to encourage you as
our customers and users to join us in working towards a cleaner, safer
environment. Please recycle product packaging and follow the recommendations
for power use and proper disposal of our products and their
components.

The information in this document is subject to change without notice and describes only the
product defined in the introduction of this documentation. This documentation is intended for the
use of Coriant customers only for the purposes of the agreement under which the document is
submitted, and no part of it may be used, reproduced, modified or transmitted in any form or
means without the prior written permission of Coriant. The documentation has been prepared to
be used by professional and properly trained personnel, and the customer assumes full
responsibility when using it. Coriant welcomes customer comments as part of the process of
continuous development and improvement of the documentation.
The information or statements given in this documentation concerning the suitability, capacity,
or performance of the mentioned hardware or software products are given "as is" and all liability
arising in connection with such hardware or software products shall be defined conclusively and
finally in a separate agreement between Coriant and the customer. However, Coriant has made
all reasonable efforts to ensure that the instructions contained in the document are adequate
and free of material errors and omissions. Coriant will, if deemed necessary by Coriant, explain
issues which may not be covered by the document. Coriant will correct errors in this
documentation as soon as possible.
IN NO EVENT WILL CORIANT BE LIABLE FOR ERRORS IN THIS DOCUMENTATION OR
FOR ANY DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, DIRECT, INDIRECT,
INCIDENTAL OR CONSEQUENTIAL OR ANY LOSSES, SUCH AS BUT NOT LIMITED TO
LOSS OF PROFIT, REVENUE, BUSINESS INTERRUPTION, BUSINESS OPPORTUNITY OR
DATA, THAT MAY ARISE FROM THE USE OF THIS DOCUMENT OR THE INFORMATION IN
IT.
This documentation and the product it describes are considered protected by copyrights and
other intellectual property rights according to the applicable laws.
Other product names mentioned in this document may be trademarks of their respective
owners, and they are mentioned for identification purposes only.
Copyright © Coriant 2014. All rights reserved.

Important Notice on Product Safety


This product may present safety risks due to laser, electricity, heat, and other sources
of danger.
Only trained and qualified personnel may install, operate, maintain or otherwise handle
this product and only after having carefully read the safety information applicable to this
product.
The safety information is provided in the Safety Information section in the "Legal, Safety
and Environmental Information" part of this document or documentation set.



Table of Contents
This document has 96 pages.

Table of Contents

List of Figures

List of Tables

1 Preface
1.1 Intended audience
1.2 Structure of this document
1.3 Symbols and conventions
1.4 Available documentation
1.4.1 Online Help system
1.4.2 User Manual (UMN)
1.4.3 Installation Manual (IMN)
1.4.4 Upgrade Manual (UPMN)
1.4.5 Other documents

2 Preparation
2.1 Component delivery
2.2 Hardware requirements
2.2.1 Virtualization
2.3 Supported Operating Systems
2.4 Prerequisites by component
2.5 BIOS configuration

3 Server operating system configuration
3.1 Integrated Lights-Out (iLO) management console
3.2 Disk configuration
3.3 Windows installation
3.4 HP service pack installation
3.5 Medium configuration
3.6 Large configuration
3.7 Disk partitioning

4 Initial system configuration
4.1 Before you begin
4.2 Virtual memory configuration
4.3 Audit policy
4.4 FTP configuration
4.4.1 Installing Internet Information Services in Windows Server 2008
4.4.2 Configuring the FTP Service in Windows Server 2008
4.4.3 Installing Internet Information Services in Windows 7
4.4.4 Configuring the FTP Service in Windows 7
4.5 Domain Verification
4.6 System Hosts configuration
4.7 Dynamic Port range configuration

5 Software prerequisites installation


5.1 Adobe Reader
5.2 User Account Control
5.3 MSXML
5.4 MS.NET
5.5 Oracle
5.5.1 Uninstalling Oracle
5.6 OSI Stack
5.6.1 Installing OSI Stack
5.6.2 Configuring OSI stack
5.6.3 Uninstalling OSI stack
5.7 CopSSH
5.7.1 Installing CopSSH
5.7.2 Configuring CopSSH
5.7.3 CopSSH Troubleshooting
5.7.4 CopSSH Hardening
5.8 Antivirus
5.9 NTI third-party software installation

6 TNMS installation
6.1 Full installation
6.2 Installation of separate components
6.3 About the automatic priority updates installation

7 Post-installation procedures
7.1 Starting services
7.2 Starting a Client session
7.3 Logging in
7.4 Default username and password
7.5 Changing the password
7.6 Terminating a Client session
7.7 Single Sign-on
7.8 Standby server
7.9 License keys
7.10 Internet Explorer configuration
7.11 Connection timeout configuration
7.12 Importing a public certificate from IOC Online Planning (IOC OP)

8 Backup and restore
8.1 General description
8.2 Overview of the Backup and Restore interfaces
8.2.1 Interactive mode
8.2.2 Non-interactive mode
8.3 Backup procedures through the command line
8.3.1 Backing up the Oracle database
8.3.2 Backing up the TNMS database
8.3.3 Backing up the LDAP (OpenDS)
8.3.4 Backing up the TNMS database and the LDAP (OpenDS) simultaneously
8.3.5 Automating the Backup procedures


8.4 Backup procedures through the TNMS client
8.5 Recovery & Restore procedures
8.5.1 Recovering the Oracle database
8.5.2 Restoring the TNMS database
8.5.3 Restoring the LDAP (OpenDS)
8.5.4 Restoring the TNMS database and the LDAP (OpenDS) simultaneously

9 Upgrade to TNMS 14.1 10

10 TNMS and TNMS Core working together
10.1 Configuring common hardware
10.1.1 Configuring a Common Netserver
10.1.2 Configuring a Common Client
10.1.3 Configuring a Common standby server
10.2 Importing data from TNMS Core
10.3 Important note

11 TNMS uninstallation

12 Security hardening
12.1 Physical and hardware hardening
12.2 Operating System hardening
12.2.1 Microsoft Windows security patches
12.2.2 Disable and delete unnecessary accounts
12.2.3 Uninstall unnecessary applications and roles
12.2.4 Configure Auditing
12.2.5 Disable unnecessary shares
12.2.6 Disable Remote Registry
12.2.7 Windows Error Reporting
12.2.8 Additional Software
12.2.9 Digitally signed communications (Local Security Policy)
12.2.10 Minimize system services
12.2.11 Remote Access/Remote Desktop
12.2.12 Reduce passive FTP port range
12.3 Networking and firewall configuration
12.3.1 List of ports to open in the firewall
12.3.2 How to configure the Windows firewall
12.4 OEM Hardening
12.4.1 JBoss
12.4.2 CopSSH (SFTP)
12.4.3 Oracle
12.4.4 Internet Explorer
12.5 TNMS Maintenance Packages and Workaround Updates
12.6 User Management
12.6.1 Restricting the specified files’ permissions

Index

Abbreviations


Glossary


List of Figures
Figure 1 "Local Security Settings - Audit Policy" window
Figure 2 How to set the TNMS installer to run with administrator rights in Windows 7 and Windows Server 2008.
Figure 3 Backup & Restore console
Figure 4 Changing the Oracle database backup schedule settings
Figure 5 Backup submenu
Figure 6 Backup submenu
Figure 7 Backup submenu
Figure 8 Backup window
Figure 9 Restore submenu
Figure 10 Restore submenu
Figure 11 Restore submenu
Figure 12 Distributed TNMS applications (large system)
Figure 13 Distributed TNMS applications (medium system)
Figure 14 Common Netserver
Figure 15 Common Standby Server


List of Tables
Table 1 Structure of the manual
Table 2 Hardware requirements for new installations of TNMS 14.1 10
Table 3 Hardware recommendations for installations of TNMS 14.1 10 on reused legacy hardware
Table 4 Operating System recommendations for TNMS Server, NetServer, Client and Citrix Server
Table 5 TNMS software prerequisites and their installation sequence
Table 6 Paging file size. Note that automatic management is recommended.
Table 7 RAM requirements and Oracle template files
Table 8 List of the available arguments in non-interactive mode
Table 9 Windows default shares
Table 10 Firewall rules
Table 11 Database-related configurations and security hardenings
Table 12 Default TNMS user accounts and security hardenings


1 Preface
This Installation Manual contains a complete description of the installation and initial
configuration processes of TNMS.

1.1 Intended audience


This document is intended for commissioners of TNMS.

1.2 Structure of this document


The IMN is a single .pdf file viewable and printable with Adobe Reader.
This document is structured as follows:

| Chapter | Title | Subject |
|---|---|---|
| Chapter 1 | Preface | Provides an introduction for this document. |
| Chapter 2 | Preparation | Provides a guide of the hardware and software required for the installation. |
| Chapter 3 | Server operating system configuration | Describes the creation and configuration of the logical drives in the machine where the server will be installed. |
| Chapter 4 | Initial system configuration | Describes the configurations of the operating system required for TNMS correct functioning. |
| Chapter 5 | Software prerequisites installation | Describes how to install and configure all software prerequisites of TNMS. |
| Chapter 6 | TNMS installation | Describes how to install TNMS in your operating system. |
| Chapter 7 | Post-installation procedures | Describes all post-installation configurations and actions. |
| Chapter 8 | Backup and restore | Guides the TNMS administrator through the B&R procedures. |
| Chapter 9 | Upgrade to TNMS 14.1 10 | Describes the migration to version 14.1 10 from a previous TNMS release. |
| Chapter 10 | TNMS and TNMS Core working together | Describes how to configure TNMS to share resources and data with TNMS Core. |
| Chapter 11 | TNMS uninstallation | Describes how to uninstall TNMS. |
| Chapter 12 | Security hardening | Describes the existing TNMS security hardenings. |
| - | Abbreviations | Contains a list of all acronyms and their long form used in TNMS. |

Table 1 Structure of the manual

Note: Some features described in this documentation may not be available. To identify the
features released for the product, see the Customer Release Notes delivered together
with the product.


1.3 Symbols and conventions


The following sections describe the symbols and conventions used in the IMN.
Graphical user interface text
Window titles are placed inside quotation marks. Button names, keys, main or context
menu entries, keystrokes are printed in bold.
Example:
• Click the View menu, and then click Log List....
Commands
Commands and screen output are printed in a monospaced font.
Example:
• Issue
powercfg.exe /hibernate off
Variables
Placeholders are printed in <angle brackets>, and filenames and paths are printed in
italics.
Example:
• Save the log file <NEname>.txt to ../<product installation directory>/bin
Warnings
A safety message indicates a dangerous situation where personal injury is possible.
Example:

Important Notice on Product Safety:
This product may present safety risks due to laser, electricity, heat, and other sources
of danger.

Notices
A notice is a must. Follow notices to avoid damage, loss or interruption. Example:

Notice: Do not reboot while mirroring.

Notes
A note is an alert. Follow notes to learn about exceptions, side effects or something
obscure or yet unclear. Example:

Note: Read the Customer Release Notes before installing.

Tips
A tip is a suggestion. Follow tips for convenience or efficiency. Example:

Tip: Before mirroring, limit the size of the root filesystem.

1.4 Available documentation


The following documents are delivered with TNMS:


1.4.1 Online Help system


A context-sensitive online help system is provided with TNMS which includes information
on window contents, menus and meaning of the icons shown, and comprehensive
instructions on the functions offered by the user interface. You can find the tasks and
procedures necessary to operate and administer TNMS on the system’s table of contents.
That is, the Online Help system follows a two-pronged approach:
• Descriptive.
This is for when you want to know what any window element is, in any window.
Particular aspects of TNMS or deeper knowledge of it are routinely provided, together
with topical best practices.
• Operational.
This is for when you want to know how to perform a task.
Help can be invoked in any of the following ways:
• After invoking help from the menu bar, you can search for topics via the table of
contents, the index or a word search.
• Clicking the Help button in the current window, which displays information about the
window contents.
• Pressing F1, which displays information about the contents of the active window.
For most windows, F1 help is further available through the main help menu (Help > On
<window name>).

1.4.2 User Manual (UMN)


The UMN is available from Main > Help and displayed in its own Adobe Reader window.
It overviews TNMS’ architecture, describes its features and functions, takes you through
all major operation topics and helps you troubleshoot common issues. This document is
intended for all users of TNMS.

1.4.3 Installation Manual (IMN)


The Installation Manual contains a complete description of the installation procedures of
the TNMS Server, and the uninstallation procedures of the TNMS Server and TNMS
Client.

1.4.4 Upgrade Manual (UPMN)


The Upgrade Manual describes in detail all the upgrade procedures of the TNMS
components from a previous TNMS release to the current release.

1.4.5 Other documents


TNMS Core and Network Elements
This manual concerns TNMS only. For more detailed information on TNMS Core or the
managed network elements (NEs), see the corresponding documentation.


Release notes
Where applicable, contains installation hints, patch descriptions, list of supported NEs,
list of supported cards and any relevant last-minute information.


2 Preparation

2.1 Component delivery


Before installation, be sure that:
• The delivery is complete and in accordance with the delivery units specified in the
delivery note (hardware, software and documentation).
• The components are not damaged in any way.
• The installation packages are located on the target machine, since TNMS
installation from a network drive is not supported.

2.2 Hardware requirements


The tables below give a rough overview of the hardware recommendations for installing
TNMS; running TNMS may require different specifications depending on parameters
such as network architecture (number of Clients) or operation policies (backup, logs).
The final hardware specifications and configuration must be planned specifically for
each customer. Ask Coriant Technical Sales for more information.
Two hardware configurations (Medium and Large) designed for new installations are
provided (Table 2).

Note: New TNMS installations are not recommended in a distributed environment.

| Configuration | Characteristics | Medium | Large |
|---|---|---|---|
| TNMS Server + Netserver (1 optional client only for local troubleshooting) | Base reference model | DL360p G8 or BL460c G8 (blade server) | DL580 G7 or BL660c G8 (blade server) |
| | Minimum CPU | (2x) Intel® Xeon® E5-2680/90 | (4x) Intel® Xeon® E7-4870 or (4x) Intel® Xeon® E5-4650 |
| | Minimum RAM | 32 GB | 128 GB |
| | Minimum HDD | (4 x) 300 GB HD; (4 x) 146 GB + (2 x) 300GB for hardware reuse | (2 x) 300 GB internal SSDs; (6 x) 300 GB internal HDs |
| TNMS Client | Base reference model | ESPRIMO E710 E90+ or PY RX100S7 | ESPRIMO E710 E90+ or PY RX100S7 |
| | Minimum CPU | Intel® i5-3470 or Intel® Xeon® E3-1220v2 4C/4T 3.10 GHz 8 MB | Intel® i5-3470 or Intel® Xeon® E3-1220v2 4C/4T 3.10 GHz 8 MB |
| | Minimum RAM | 8 GB DDR3 1600 GHz | 8 GB DDR3 1600 GHz |
| | Minimum HDD | HD SATA III 500GB 7.2K or HD SATA 6G 500GB 7.2K HOT PL 3.5" BC | HD SATA III 500GB 7.2K or HD SATA 6G 500GB 7.2K HOT PL 3.5" BC |

Table 2 Hardware requirements for new installations of TNMS 14.1 10

In addition the Legacy hardware configuration is provided (Table 3). This configuration
is designed for the reuse of hardware compatible with TNMS 13.2 1x but not with later
releases.


Note: A new installation using the Legacy hardware configuration does not support Optical
Management.

| Configuration | Characteristics | Legacy hardware |
|---|---|---|
| TNMS Server + Netserver (1 optional client only for local troubleshooting) | Base reference model | PY TX/RX200S7 |
| | Minimum CPU | Intel® Xeon® E5-2420 6C/12T 1.90 GHz 15 MB |
| | Minimum RAM | 12 GB |
| | Minimum HDD | 2x HD SATA 6GB 500GB 7.2K HOT PL 3.5" BC |
| TNMS Client or Common Client | Base reference model | ESPRIMO E710 E90+ or PY RX100S7 |
| | Minimum CPU | Intel® i5-3470 or Intel® Xeon® E3-1220v2 4C/4T 3.10 GHz 8 MB |
| | Minimum RAM | 8 GB DDR3 1600 GHz |
| | Minimum HDD | HD SATA III 500GB 7.2K or HD SATA 6G 500GB 7.2K HOT PL 3.5" BC |
| TNMS Server (1 optional client only for local troubleshooting) | Base reference model | PY RX/TX300S7 |
| | Minimum CPU | Intel® Xeon® E5-2609 4C/4T 2.40 GHz 10 MB |
| | Minimum RAM | 24 GB DDR3 1333 GHz |
| | Minimum HDD | 2x HD SAS 6GB 300GB 15K HOT PL 2.5" EP |
| TNMS Netserver | Base reference model | ESPRIMO E710 E90+ or PY RX100S7 |
| | Minimum CPU | Intel® i5-3470 or Intel® Xeon® E3-1220v2 4C/4T 3.10 GHz 8 MB |
| | Minimum RAM | 8 GB DDR3 1600 GHz |
| | Minimum HDD | HD SATA III 500GB 7.2K or HD SATA 6G 500GB 7.2K HOT PL 3.5" BC |
| Common Netserver (TNMS +TNMS Core) | Base reference model | ESPRIMO E710 E90+ or PY RX100S7 |
| | Minimum CPU | Intel i5-3470 or Intel® Xeon® E3-1220v2 4C/4T 3.10 GHz 8 MB |
| | Minimum RAM | 16 GB DDR3 1600 GHz |
| | Minimum HDD | HD SATA III 500GB 7.2K or HD SATA 6G 500GB 7.2K HOT PL 3.5" BC |

Table 3 Hardware recommendations for installations of TNMS 14.1 10 on reused legacy hardware

2.2.1 Virtualization
TNMS supports virtualization using VMware ESXi 4.1. However, Coriant neither provides
nor is responsible for stability limits or performance in these circumstances.


The requisites of the virtual machines are similar to those presented in Table 2 and
Table 3, except for the CPU, for which only comparable CPU resources are required.

2.3 Supported Operating Systems


The following table provides the supported operating systems.

Full Installation Server, Netserver Client Citrix Server


Server + Netserver
Microsoft Windows Microsoft Windows Microsoft Windows Microsoft Windows Microsoft Windows
Server 2008 R2 SP1 Server 2008 R2 SP1 Server 2008 R2 SP1 Server 2008 R2 SP1 Server 2008 R2
(x64)1) (x64) 1) (x64) 1) (x64) 1) SP1 (x64) 1)
NTFS NTFS Microsoft Windows 7 Microsoft Windows 7
mandatory mandatory Professional SP1 Professional SP1
(x64) (x32/x64)

Table 4 Operating System recommendations for TNMS Server, NetServer, Client and Citrix Server
1) Both the Microsoft Windows Server 2008 R2 SP1 (x64) Enterprise Edition and the Standard Edition are
supported. However, if the machine has more than 32 GB of RAM you must install the Microsoft Windows Server
2008 R2 SP1 (x64) Enterprise Edition, as the Standard Edition cannot allocate more than 32 GB of RAM.

g Throughout this and the following chapters the designation of the several operating
systems is often abbreviated to allow for better readability. Always refer to the table
above for the exact versions supported for TNMS.

2.4 Prerequisites by component


The following table describes which software is required for each component. Note that
the table also shows the order in which the components should be installed.
After installing the operating system, the system should be commissioned as follows:

Software          Full Installation   Server + Netserver   Server      Netserver   Client
Adobe Reader      Mandatory           Optional             Optional    Optional    Mandatory
MSXML             Mandatory           Mandatory            Mandatory   Mandatory   Mandatory
MS.NET            Mandatory           Mandatory            Mandatory   Mandatory   Mandatory
Oracle 11.2.0.3   Mandatory           Mandatory            Mandatory   -           -
OSI Stack         Mandatory           Mandatory            -           Mandatory   -
CopSSH            Mandatory           Mandatory            -           Mandatory   -
Citrix XenApp     -                   -                    -           -           Optional

Table 5 TNMS software prerequisites and their installation sequence

Note: A dedicated Java JRE installation is not mandatory, given that the installer already
includes the JRE versions required by TNMS. However, you can manually install Java
j2re-1.6.0_43 (32 or 64 bit) if required by other software.


To install the Java j2re-1.6.0_43 (32 or 64 bit) use the packages available in the TNMS
prerequisites and follow the default installation procedure. For additional information
refer to the Oracle Java documentation.
Disable all Java automatic updates on the machines where Java is installed. If Java
automatic updates are enabled the system may not work properly.

2.5 BIOS configuration


This chapter describes the recommended configuration of the system BIOS.
The settings refer to HP machines and may differ with other hardware configurations.
To access the BIOS, boot the machine and press F9 in the startup screen.
• Disable the network:
  Go to System Options > Embedded NICs > NIC # Boot Options and set to Disabled,
  where # represents the network interface card number.
• Processor options:
  • Go to System Options > Processor Options > Intel Virtualization Technology,
    and set to Disabled.
  • Go to System Options > Processor Options > Intel VT-d, and set to Disabled.
• Power management options:
  • Go to System Options > Power management options > HP Power Profile, and set to
    Maximum performance.
  • Go to System Options > Power management options > HP Power Regulator, and set
    to HP Static High Performance Mode.


3 Server operating system configuration


Before installing the server operating system, you must create and configure the logical
drive where Windows will be installed.
This chapter applies to the recommended medium and large configuration
hardware only. The steps may differ if you have any other hardware configuration.

3.1 Integrated Lights-Out (iLO) management console


This chapter describes how to operate the Integrated Lights-Out (iLO) management
console. This console is used to access the server machine and for administration
purposes. Refer to the iLO specific documentation for further information.
Accessing the Integrated Remote Console
Use the following information to access the console:
1. Address: https://<machine IP>
2. Username: <user>
3. Password: <password>
4. In the left panel tree, expand Information > Overview, and in Integrated Remote
Console, click the .NET link.

3.2 Disk configuration


It is recommended that you configure a RAID 1 for the disks where the operating
systems will be installed.
While booting the machine, proceed as follows:
1. When the message Press any key to view Option ROM messages appears, press ENTER.
2. When the internal controller displays the message Press <F8> to run the option
ROM Configuration For Arrays Utility, press F8.
3. At the Main Menu, select Create Logical Drive.
4. Using the default settings, create the RAID 1 configuration with the two available
hard drives.

3.3 Windows installation


The steps below refer to the Windows operating system installation using the Integrated
Lights-Out (iLO) management console.
1. Open the iLO management console.
2. Click Virtual Drives menu > Image file menu entry.
3. In the Mount Image File file dialog box, select the Windows 2008 R2 ISO file and
press Open.
4. Restart the machine and boot from CD-ROM (typically by pressing F11 to access
the boot menu).
The Windows installation is standard, with no special configurations or inputs. You only
need to create one NTFS partition on the previously created volume (RAID 1) with ~50% of the
available space. The other 50% will be used for a new partition to be created afterwards.


3.4 HP service pack installation


It is highly recommended to update to the latest HP Service Pack for the corresponding
machine model. This service pack updates drivers, software and firmware to the latest
version. Check the HP support website to download the service pack ISO.
1. Open the iLO management console.
2. Click Virtual Drives menu > Image file menu entry.
3. In the “Mount Image File” file dialog box, select the ISO file and press Open.
A new CD-ROM drive is mapped in Windows, providing the content of the service
pack.

Log in to Windows and run the CD-ROM setup located at
<drive>:\hp\swpackages\setup.exe
1. In the “HP Smart Update Manager” window, tab “Welcome”, click Next.
2. In tab “Source Selection”, choose the Default Repository and click Next.
3. In tab “Select Targets”, click the machine list item, click Edit Target and insert the
Windows Administrator username, its password and click Next.
4. In tab “Review/Install Updates”, click Install.
The machine may reboot automatically. If not, click Reboot Now, choose the appropriate
delay and click OK.

3.5 Medium configuration


In order to configure a Windows medium configuration, proceed as follows:
1. Log in to Windows.
2. Go to Start > All Programs > HP System Tools > HP Array Configuration Utility
(64-bits) > HP Array Configuration Utility (64-bits).
3. In tab Configuration, in “Select an available device...” combo box, select your device
(make sure it is not the “Embedded slot”).
4. In “System and Devices” panel, expand the Smart Array tree and select the first
branch and click Create Array.
5. Select the two available disks and click OK.
6. Click Create Logical Drive to create a new logical drive.
7. Select RAID 1 and keep the default settings. Click Save to finish the operation.

3.6 Large configuration


In order to configure a Windows large configuration, proceed as follows:
1. Log in to Windows.
2. Go to Start > All Programs > HP System Tools > HP Array Configuration Utility
(64-bits) > HP Array Configuration Utility (64-bits).
3. In tab Configuration, in “Select an available device...” combo box, select your device
(make sure it is not the “Embedded slot”).
4. In “System and Devices” panel, expand the Smart Array tree and select the first
branch and click Create Array.
5. Select all available disks and click OK.
6. Click Create Logical Drive to create a new logical drive.
7. Select RAID 5 and keep the default settings. Click Save to finish the operation.

3.7 Disk partitioning


Three new partitions are needed:
• One from the internal disks (D) with the other ~50% available - NTFS
• Two from the disk array - NTFS
In order to configure the disk partitioning for medium and large configurations, proceed
as follows:
1. Go to Start > Search Programs and Files > type Server Manager and press Enter.
2. In “Server Manager”, expand the server tree Server Manager > Storage > Disk Management.
   In case the window “Initialize Disk” is displayed, click OK keeping the default settings.
3. Identify the disk that contains the C: drive and select the grey partition that displays
   an Unallocated area.
   3.1 Right-click the unallocated area and select New Simple Volume, click Next.
   3.2 Choose the recommended partition size (typically 50% of the disk size) and click
       Next.
   3.3 Assign the drive letter D to the new partition and click Next.
   3.4 In the “Format Partition” window, format this volume with the following settings:
       • File system = NTFS
       • Allocation unit size = Default
       • Choose a volume label for the new partition
       • Enable the Perform quick format option
   3.5 Click Next and Finish to complete the partition creation step.
4. Identify the disk that does not contain any partition (C, D) and select the grey
   partition that displays an Unallocated area.
   4.1 Right-click the unallocated area and select New Simple Volume, click Next.
   4.2 Choose the recommended partition size (typically 65% of the disk size) and click
       Next.
   4.3 Assign the drive letter E to the new partition and click Next.
   4.4 In the “Format Partition” window, format this volume with the following settings:
       • File system = NTFS
       • Allocation unit size = Default
       • Choose a volume label for the new partition
       • Enable the Perform quick format option
   4.5 Click Next and Finish to complete the partition creation step.
5. Identify the disk that contains the E: drive and select the grey partition that displays
   an Unallocated area.
   5.1 Right-click the unallocated area and select New Simple Volume, click Next.
   5.2 Choose the recommended partition size (typically 35% of the disk size) and click
       Next.
   5.3 Assign the drive letter F to the new partition and click Next.
   5.4 In the “Format Partition” window, format this volume with the following settings:
       • File system = NTFS
       • Allocation unit size = Default
       • Choose a volume label for the new partition
       • Enable the Perform quick format option
   5.5 Click Next and Finish to complete the partition creation step.
6. Close the “Disk Manager” window.


4 Initial system configuration

4.1 Before you begin


Before installing, complete the following steps:
• Check the system requirements.
• Determine the file system to be used, the partition to be used by the installation and
the components to install.
• The machine where the TNMS Server is installed should use NTFS, as it provides
extra security for the Oracle database files.
• Oracle must be installed in the same machine as TNMS Server.
• Determine how the network, IP addresses and TCP/IP name management will be handled.
• Ensure that the host IP addresses are static, that is, do not use DHCP dynamic
addresses.
• In the machines where the TNMS Server and/or Netserver are installed, disable
“Hibernate” by running the following command as administrator:
    powercfg.exe /hibernate off

4.2 Virtual memory configuration


Coriant recommends that you configure your system to automatically manage the
paging file size:
1. Go to Start > Control Panel > System.
2. Click on Advanced system settings.
3. In the System Properties window, go to the Advanced tab and, in the Performance
area, click on Settings.
4. In the Performance Options window, go to the Advanced tab and click on
Change.
5. In the Virtual Memory window, check Automatically manage paging file size for
all drives.
However, if you prefer to set a limit to the paging file size for Server and Netserver, do
as follows:
1. Follow the steps 1. to 4. above.
2. In the Virtual Memory window, uncheck Automatically manage paging file size
for all drives.
3. Select the system’s drive, select Custom size and enter the paging file size (refer
to Table 6).
Click Set to save the settings and then OK to close the window.

TNMS Component   Legacy Medium   Legacy Large   Medium   Large
Server           12 GB           24 GB          16 GB    64 GB
Netserver        4 GB            4 GB           -        -

Table 6 Paging file size. Note that automatic management is recommended.


4.3 Audit policy

Warning: Configure the audit policy only if your network has legacy, NEC-interfaced
NEs, that is, NEs other than hiT 7300 or hiT 7100.

To enable auditing locally in the installed OS:
1. Open the Local Security Policy settings via Start menu/button > Control Panel
(Windows 7 only) > Administrative tools > Local Security Policy icon.
2. In the tree pane, select “Audit Policy” under “Local Policies”.
Figure 1 "Local Security Settings - Audit Policy" window


3. In the details pane double-click the following policy settings to open the properties
window:
• Audit Account Logon Events, to track user’s logon and logoff - select the
  check boxes ‘Success’ and ‘Failure’.
• Audit Account Management, to report changes to user account - select the
  check boxes ‘Success’ and ‘Failure’.
• Audit Directory Service Access, to report access and changes to the directory
  service - No auditing (no check box selected).
• Audit Logon Events, to report success/failure of any local or remote access-
  based logon - select the check boxes ‘Success’ and ‘Failure’.
• Audit Object Access, to report file and folder access - select the check boxes
  ‘Success’ and ‘Failure’.
  Note: The auditing configuration for the individual object (file or folder) must be set
  within its properties.
• Audit Policy Change, to report group policies changes - select the check boxes
  ‘Success’ and ‘Failure’.
• Audit Privilege Use, to report when permissions (read, write...) are used -
  select only the check box ‘Failure’.
• Audit Process Tracking, to report when process and programs fail (not security
  related) - No auditing (no check box selected).
• Audit System Events, to report standard system events (not security related) -
  select the check boxes ‘Success’ and ‘Failure’.
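
The nine settings from step 3 can be checked after the fact by exporting the local security policy with secedit and comparing its [Event Audit] section against the list. The PowerShell below is an added example and not part of the Coriant manual; the function names, the baseline variable and the sample export are constructed for illustration.

```powershell
# Added example, not part of the Coriant manual. Works on PowerShell 2.0.
# secedit encodes each audit category as 0 = No auditing, 1 = Success,
# 2 = Failure, 3 = Success and Failure.
$StateNames = @('No auditing', 'Success', 'Failure', 'Success, Failure')

# Target values taken from step 3 of the procedure (secedit key names).
$TnmsAuditBaseline = @{
    AuditAccountLogon    = 3   # Audit Account Logon Events
    AuditAccountManage   = 3   # Audit Account Management
    AuditDSAccess        = 0   # Audit Directory Service Access
    AuditLogonEvents     = 3   # Audit Logon Events
    AuditObjectAccess    = 3   # Audit Object Access
    AuditPolicyChange    = 3   # Audit Policy Change
    AuditPrivilegeUse    = 2   # Audit Privilege Use (Failure only)
    AuditProcessTracking = 0   # Audit Process Tracking
    AuditSystemEvents    = 3   # Audit System Events
}

function Get-EventAuditValues {
    # Returns the key/value pairs of the [Event Audit] section of a secedit export.
    param([string[]]$InfLines)
    $section = ''
    $values = @{}
    foreach ($line in $InfLines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $section = $Matches[1]
        } elseif ($section -eq 'Event Audit' -and $text -match '^(\w+)\s*=\s*(\d+)$') {
            $values[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $values
}

function Compare-AuditBaseline {
    # Emits one row per category with the expected and the exported state.
    param([hashtable]$Actual, [hashtable]$Baseline)
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        if ($Actual.ContainsKey($name)) {
            $actualText = $StateNames[$Actual[$name]]
        } else {
            $actualText = 'not in export'
        }
        $expectedText = $StateNames[$Baseline[$name]]
        New-Object PSObject -Property @{
            Setting  = $name
            Expected = $expectedText
            Actual   = $actualText
            Ok       = ($actualText -eq $expectedText)
        } | Select-Object Setting, Expected, Actual, Ok
    }
}

# Constructed sample of a secedit export. AuditPrivilegeUse and
# AuditProcessTracking are set differently from the procedure on purpose.
$sampleInf = @'
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPrivilegeUse = 0
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 3
AuditDSAccess = 0
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Compare-AuditBaseline (Get-EventAuditValues $sampleInf) $TnmsAuditBaseline |
    Format-Table -AutoSize

# On the server itself, from an elevated prompt:
#   $inf = Join-Path $env:TEMP 'secpol.inf'
#   secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
#   Compare-AuditBaseline (Get-EventAuditValues (Get-Content $inf)) $TnmsAuditBaseline
```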

4.4 FTP configuration


This chapter guides you through the required component services
configuration.

4.4.1 Installing Internet Information Services in Windows Server 2008


To install the FTP server proceed as follows:
1. Open Start > Administrative tools > Server Manager > Roles.
2. Click “Add Roles” to open the “Add Roles” Wizard and click “Next”.
3. In Server Roles, select “Web Server (IIS)” and click “Next”.
4. In Web Server (IIS) click “Next”.
5. In Role Services, select the following services from the tree:
   • Web Server
     • Common HTTP Features
       • Static Content
       • Default Document
       • Directory Browsing
       • HTTP Errors
     • Health and Diagnostics
       • HTTP Logging
       • Request Monitor
     • Security
       • Request Filtering
     • Performance
       • Static Content Compression
   • Management Tools
     • IIS Management Console
     • IIS Management Scripts and Tools
     • Management Service
     • IIS Management Compatibility - when you select this option a warning
       pops up informing you that two other components must also be installed.
       Accept their installation.
       • IIS 6 Scripting Tools
   • FTP Server
     • FTP Service
     • FTP Extensibility
6. Click “Next”.
7. In Confirmation, click “Install”.
8. In Results, select “Close”.
9. Reboot your computer.


Enabling ASP.NET and IIS


The following description details the configuration steps necessary in IIS Manager:
1. Open Start > Administrative tools > Internet Information Services (IIS)
Manager.
The Internet Information Services Manager enables you to configure, control and
troubleshoot IIS and ASP.NET.
2. In the “Connections” panel on the left, expand the server name and click
“Application Pools”.
3. In the “Actions” panel on the right, click “Set Application Pool Defaults...”.
This opens the “Application Pool Defaults” window.
4. In the “General” section, set the “Enable 32-Bit Applications” option to “True” and
click “OK”.

4.4.2 Configuring the FTP Service in Windows Server 2008


To configure the FTP Service/Server, follow these steps:
1. Start > Administrative Tools > Internet Information Services (IIS) Manager.
2. In the left pane tree, expand the Default Computer > Sites.
3. In the right pane tree, select “Add FTP Site”. This opens the Add FTP Site window.
4. Enter the FTP site name.
5. In Physical Path, change the folder to “C:\inetpub\ftproot”, click OK and Next.
6. In “Binding and SSL Settings” step, configure the IP Address or leave as default.
7. In SSL, select “Allow SSL”. Click Next.
8. In “Authentication and Authorization Information” step, select “Authentication as
Basic”.
9. In Authorization - Allow access to “All users”, permissions “Read” and “Write”.
10. Click Finish.

4.4.3 Installing Internet Information Services in Windows 7


To install the FTP server proceed as follows:
1. Open Start > Control Panel > Programs and features > Turn Windows features
on or off.
2. Select the following services from the tree:
   • Internet Information Services
     • FTP Server
       • FTP Service
       • FTP Extensibility
     • Web Management Tools
       • IIS 6 Management Compatibility
         • IIS 6 Management Console
       • IIS Management Scripts and Tools
       • Management Service
3. Click “OK” and confirm.
4. After the installation go to Control Panel > Administrative Tools > Internet
Information Services (IIS) Manager.
5. Reboot your computer.


4.4.4 Configuring the FTP Service in Windows 7


To configure the FTP Service/Server, follow these steps:
1. Start > Control Panel > Administrative Tools > Internet Information Services
(IIS) Manager.
2. In the right pane tree, select "Add FTP Site". This opens the Add FTP Site window.
3. Enter the FTP site name, default.
4. In Physical Path, change the folder to "C:\inetpub\ftproot", click OK and Next.
5. In "Binding and SSL Settings" step, configure the IP Address or leave as default.
6. In SSL, select "Allow SSL". Click Next.
7. In “Authentication and Authorization Information” step, select “Authentication as
Basic”.
8. In Authorization - Allow access to "All users", permissions "Read" and "Write".
9. Click Finish.
10. Then expand the tree in the left pane until default FTP. In the default FTP Home area
click on FTP Authentication. Then, in the window, right-click Basic Authentication
and click Enable.
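
The wizard choices in 4.4.2 and 4.4.4 (Allow SSL, Basic authentication, Read and Write for All users) end up in the IIS configuration file, where "Allow SSL" is stored as SslAllow: the site accepts TLS and plain FTP sessions alike, so a client that does not negotiate TLS sends its Basic credentials unencrypted. The PowerShell below is an added example, not part of the Coriant manual, that lists these settings for one site; the function names are hypothetical and the configuration fragment is a constructed sample for a site named "default".

```powershell
# Added example, not part of the Coriant manual. Works on PowerShell 2.0.
function New-ReviewRow($Setting, $Value, $Note) {
    New-Object PSObject -Property @{ Setting = $Setting; Value = $Value; Note = $Note } |
        Select-Object Setting, Value, Note
}

function Get-FtpSiteReview {
    # Lists the SSL, authentication and authorization settings of one FTP site.
    param([xml]$Config, [string]$SiteName)

    $sitePath = "/configuration/system.applicationHost/sites/site[@name='$SiteName']"
    $site = $Config.SelectSingleNode($sitePath)
    if ($site -eq $null) { throw "FTP site '$SiteName' not found" }

    # SslAllow accepts TLS and plain FTP sessions; SslRequire accepts only TLS.
    $ssl = $site.SelectSingleNode('ftpServer/security/ssl')
    $control = ''
    foreach ($attr in 'controlChannelPolicy', 'dataChannelPolicy') {
        $value = ''
        if ($ssl -ne $null) { $value = $ssl.GetAttribute($attr) }
        if ($attr -eq 'controlChannelPolicy') { $control = $value }
        $note = ''
        if ($value -eq 'SslAllow') {
            $note = 'TLS is optional; plain FTP sessions are accepted'
        } elseif ($value -eq 'SslRequire') {
            $note = 'TLS is required'
        } elseif ($value -eq '') {
            $note = 'not set on the site; the inherited value applies'
        }
        New-ReviewRow $attr $value $note
    }

    $basic = $site.SelectSingleNode('ftpServer/security/authentication/basicAuthentication')
    $basicOn = ($basic -ne $null -and $basic.GetAttribute('enabled') -eq 'true')
    $note = ''
    if ($basicOn -and $control -eq 'SslAllow') {
        $note = 'user name and password are sent unencrypted when the client skips TLS'
    }
    New-ReviewRow 'basicAuthentication' $basicOn $note

    # Authorization rules of the site are stored in a <location> element.
    $rulePath = "/configuration/location[@path='$SiteName']" +
                '/system.ftpServer/security/authorization/add'
    foreach ($rule in $Config.SelectNodes($rulePath)) {
        $users = $rule.GetAttribute('users')
        $perms = $rule.GetAttribute('permissions')
        $note = ''
        if ($users -eq '*' -and $perms -match 'Write') {
            $note = 'every account that can log in may upload and overwrite files'
        }
        $access = $rule.GetAttribute('accessType')
        New-ReviewRow 'authorization' "${access}: users=$users, permissions=$perms" $note
    }
}

# Constructed sample in the layout of applicationHost.config.
[xml]$sampleConfig = @'
<configuration>
  <system.applicationHost>
    <sites>
      <site name="default" id="2">
        <application path="/">
          <virtualDirectory path="/" physicalPath="C:\inetpub\ftproot" />
        </application>
        <bindings>
          <binding protocol="ftp" bindingInformation="*:21:" />
        </bindings>
        <ftpServer>
          <security>
            <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" />
            <authentication>
              <basicAuthentication enabled="true" />
            </authentication>
          </security>
        </ftpServer>
      </site>
    </sites>
  </system.applicationHost>
  <location path="default">
    <system.ftpServer>
      <security>
        <authorization>
          <add accessType="Allow" users="*" permissions="Read, Write" />
        </authorization>
      </security>
    </system.ftpServer>
  </location>
</configuration>
'@

Get-FtpSiteReview $sampleConfig 'default' | Format-List

# On the server itself, from an elevated prompt:
#   $cfg = [xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config")
#   Get-FtpSiteReview $cfg '<FTP site name>'
```

The manual does not state whether the TNMS components can use FTP over TLS, so the rows with a note are items to review with the site owner rather than required changes.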

4.5 Domain Verification


Check if a network domain exists. Use the following Windows steps:
1. Go to System Properties via Start > Control Panel > System.
2. In Computer name, domain, and workgroup settings, check the Domain
information.
• If a network domain exists and both TNMS Core and TNMS belong to it, then
log on to that domain and proceed with the installation as you normally would.
• If a network domain does not exist, then:
• You may skip this configuration, but then you will not have Single Sign On
capabilities in TNMS.
• Contact your network administrator to provide you information details on
how to configure the domain since domain details are specific for your
network.

4.6 System Hosts configuration


Since TNMS uses a static IP address configuration, it is mandatory that the system's
"hosts" file is properly configured with at least "<Server IP> <FQDN>" and "127.0.0.1
localhost".
– Edit Windows’ hosts file (typically, C:\Windows\System32\drivers\etc\hosts) and for
each server insert a line like
xx.xx.xx.xx <full computer name>
where xx.xx.xx.xx is the static IP of the server in question, and full computer name
follows name.domain.com as found in Control Panel > System Properties >
Computer Name > Full computer name of the server in question.
– If all is properly configured, the full computer name (as found in ... > Computer
Name > Full computer name) will appear automatically in the OpenDS Directory
Server Configuration window during the installation procedure.


Warning: The TNMS installer will check if the hosts file is correctly configured. In case
the server belongs to a domain, make sure the FQDN matches the domain.
If no domain exists and the hosts file is not configured, the installation will not proceed.
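
Because the installer stops on a wrong hosts file, the two required entries ("<Server IP> <FQDN>" and "127.0.0.1 localhost") can be checked beforehand. The PowerShell below is an added example, not part of the Coriant manual and not the installer's own check; the function names are hypothetical, and the addresses and host names in the sample are constructed.

```powershell
# Added example, not part of the Coriant manual. Works on PowerShell 2.0.
function Get-HostsEntries {
    # One object per (address, name) pair; comments and blank lines are skipped.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $text = ($line -replace '#.*$', '').Trim()
        if ($text -eq '') { continue }
        $fields = @($text -split '\s+')
        for ($i = 1; $i -lt $fields.Count; $i++) {
            New-Object PSObject -Property @{ Address = $fields[0]; Name = $fields[$i] }
        }
    }
}

function Test-TnmsHostsFile {
    # Returns a list of problems; an empty result means both entries are present.
    param([string[]]$Lines, [string]$ServerIp, [string]$Fqdn)
    $entries = @(Get-HostsEntries $Lines)
    $problems = @()

    $localhost = @($entries | Where-Object {
        $_.Name -eq 'localhost' -and $_.Address -eq '127.0.0.1' })
    if ($localhost.Count -eq 0) { $problems += 'no "127.0.0.1 localhost" entry' }

    if ($Fqdn -notmatch '^[^.]+\..+') {
        $problems += "'$Fqdn' is not a full computer name (name.domain.com)"
    }

    # Host names are compared case-insensitively (PowerShell -eq default).
    $named = @($entries | Where-Object { $_.Name -eq $Fqdn })
    if ($named.Count -eq 0) { $problems += "no entry for $Fqdn" }
    foreach ($entry in $named) {
        if ($entry.Address -ne $ServerIp) {
            $problems += "$Fqdn is mapped to $($entry.Address), expected $ServerIp"
        }
    }

    # The static IP is present but only under other names (for example the short name).
    $byIp = @($entries | Where-Object { $_.Address -eq $ServerIp })
    if ($named.Count -eq 0 -and $byIp.Count -gt 0) {
        $others = ($byIp | ForEach-Object { $_.Name }) -join ', '
        $problems += "$ServerIp is listed only as: $others"
    }
    $problems
}

# Constructed sample: localhost is commented out and the server line
# carries only the short computer name.
$sampleHosts = @'
# Copyright (c) 1993-2009 Microsoft Corp.
#	127.0.0.1       localhost
192.0.2.10      tnms-srv1        # TNMS Server
192.0.2.11      tnms-ns1.example.com tnms-ns1
'@ -split "`r?`n"

@(Test-TnmsHostsFile $sampleHosts '192.0.2.10' 'tnms-srv1.example.com')

# On the server itself:
#   $ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
#   $fqdn = $ip.HostName + '.' + $ip.DomainName
#   Test-TnmsHostsFile (Get-Content "$env:windir\System32\drivers\etc\hosts") '<Server IP>' $fqdn
```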

4.7 Dynamic Port range configuration


The default dynamic port range configuration for Windows Server 2008 and Windows 7
starts at port 49152 and ends at port 65535. This complies with the Internet Assigned
Numbers Authority (IANA) recommendation. Proper installation of TNMS requires the
default port range to be used.

g TNMS enforces this setting during its installation. However, to avoid warnings while
installing TNMS, configure the dynamic port range before the installation (required for
Server and Netserver machines), as described below.

Execute the following procedure to ensure the correct configuration of the Server and
Netserver machines:
1. Open the command line (cmd) as Administrator.
2. Execute the command:
    netsh int ipv4 show dynamicport tcp
3. If the reported start port is not 49152, then execute the command:
    netsh int ipv4 set dynamicport tcp start=49152 num=16384 persistent
Windows is now prepared concerning dynamic port range configuration.


5 Software prerequisites installation


This chapter describes the installation and configuration of all prerequisites in the
recommended installation sequence.
Refer to Table 5 TNMS software prerequisites and their installation sequence to know
which prerequisites are required for each TNMS component.

5.1 Adobe Reader


You can either download the latest Adobe Reader from the Adobe website (recommended)
or use the version included in the Prerequisites folder.
Coriant is not responsible for issues or vulnerabilities introduced by Adobe Reader, in
particular when you perform its download.
To install Adobe Reader, just follow the standard options shown in its installer. For
specific information, see the Adobe Reader documentation.

5.2 User Account Control


When applicable, Windows User Account Control must be disabled in order to continue
with the installation. According to your Windows version, the procedure may vary.
Typically, it can be disabled under Control Panel > User Accounts > Change User Account
Control Settings > Never Notify.
Restart the machine after performing this change.

5.3 MSXML
MSXML 4.0 is an XML parser. It must be installed on the system so that network
configuration data can be imported and exported in XML format.
To install MSXML 4.0 SP2 on all supported operating systems, proceed as follows:
1. Double-click the msxml4sp2.msi file in the MSXML directory on the software DVD.
2. A welcome window is now displayed. Press Next to continue.
3. In the End-User License Agreement window, accept the terms of the license
agreement, and press Next to continue.
4. In the Customer Information window, enter a user name and the name of your
company in the appropriate fields. Press Next to continue.
5. In the Choose Setup Type window, press Install Now.
6. The window Installing Microsoft XML Parser and SDK is now displayed.
The progress of the installation is indicated by the progress bar.
7. Once the installation is complete, the window Completing the Microsoft XML
Parser and SDK Setup Wizard is displayed. Press Finish to complete the
installation.

5.4 MS.NET
Windows Server 2008
MS.NET 3.5 is installed with Windows Server 2008, but requires activation. To activate
.NET 3.5, proceed as follows:

1. Go to Administrative Tools > Server Manager > Features.
2. Click Add Features.
3. Select .NET Framework 3.5.1 features.

5.5 Oracle
This section describes the installation of Oracle Database 11g Release 2 (64-bit) for
Microsoft Windows x64. The supported version is 11.2.0.3.
The Oracle Database must be installed in the TNMS Server machine.
Before installing
To successfully install and run TNMS, at least 40GB of free disk space must be available
in the destination machine before installing the Oracle database. RAM
requirements are indicated in Table 7 RAM requirements and Oracle template files.

TNMS Configuration   RAM (GB minimal)   Oracle template file   Managers
Large                128                TNMS_LW.dbt            All
Medium               32                 TNMS_MW.dbt            All
Legacy               8                  TMNS_SW.dbt            Ethernet and ASON only

Table 7 RAM requirements and Oracle template files

For the remaining hardware, follow the recommendations described in 2.2 Hardware
requirements. Note that the values in this table are recommended and may vary according
to the network dimension and the used hardware.

Before installing
By default, the TNMS Database Installer assumes the following directory locations:
• Oracle installation disks: c:\oramedia
• TNMS INSTALLER DIRECTORY: c:\inst
However, it is possible to install from different locations. If you choose to use the
default directory locations above, you have to create them manually before you start the
installation. During the installation you will be requested to confirm the directory paths.
If you use different locations you must enter them manually whenever applicable.
1 Create both default directory locations indicated above. If you want to use other
locations, make sure they are accessible from the installer (in a local or mapped
drive).
2 Unzip the Oracle installation disks 1 and 2 to c:\oramedia (in case of the recommended
default location). Only the extracted database folder is required. The directory
structure should be as follows:
    c:\oramedia\database
3 Copy the folders from the delivered TNMS media to the <TNMS INSTALLER
DIRECTORY> (recommended default location: c:\inst). The directory structure
should be as follows:
    c:\inst\TNMS_Installer
    c:\inst\TNMS_Prerequisites

Installation
The following steps guide you through the Oracle Database installation.
1 Go to <TNMS_INSTALLER_DIRECTORY>\TNMS_Prerequisites\Oracle\installation,
right-click the Exec_TNMS_oracle_install.bat file and
select Run as administrator.
A new terminal window opens. The installation log location is c:\temp and the full
path is displayed on the screen.
2 Enter your configuration: Legacy, Medium or Large, by typing Y, M or L, respectively.
3 Enter the drives for the ORADATA, ORALOG and ORATRACE directories, or
accept the default by pressing [ENTER]. Make sure you specify a valid drive letter
followed by the colon sign (for example: “c:”).
4 Enter the TNMS database name, or accept the default by pressing [ENTER]. The
database name must be between 1 and 12 characters long and the first character
must be alphabetic.
The main menu is presented as follows:
    0 - Check requirements
    1 - Oracle Software Installation
    2 - TNMS database creation
    3 - TNMS database configuration
    4 - Exit
Enter the desired option.
5 Choose option 0 - Check requirements by pressing “0”.
The requirements check is executed, showing the available disk space and free
memory. In case the requirements are met, the following message is displayed:
    You can now proceed with Oracle Database installation!
If the requirements are not met, the following message is displayed:
    Error: The Oracle installation cannot be done, because some requirements failed
Make sure you have enough disk space and memory before continuing.
6 Choose option 1 - Oracle Software Installation.
Press [ENTER] to confirm the default path or enter the Oracle Installer setup.exe
path (if different).
Press [ENTER] to confirm the default path or enter the TNMS.rsp file path (if different).
This action opens a new window. Wait until the Oracle Software installation finishes.
The following message is displayed:
    Successfully Setup Software. Please press Enter to exit...
Press [ENTER] to close the window.
7 Choose option 2 - TNMS database creation.
Press [ENTER] to confirm the default path or enter the template file path for your
configuration:
• TNMS_LW.dbt - large configuration.
• TNMS_MW.dbt - medium configuration.
• TNMS_SW.dbt - legacy configuration.
8 Type the SYS password and then retype it.
Next, type the SYSTEM password and type it again.
Both SYS and SYSTEM passwords must be at least 5 characters long.
The TNMS database is created and the following message is displayed:
    Database created successfully
If any failure occurs during the TNMS database creation, the following message is displayed:
    Error creating database. Check installation requirements
Look for errors in the log file indicated on the screen.
9 Choose option 3 - TNMS database configuration.
Press [ENTER] to confirm the default path or enter the TNMSnetca.rsp file path.
Press [ENTER] to confirm the default path or enter the listener.ora file path.
The database is created and the following message is displayed:
    TNMS Database Configuration Successful. Oracle Installation finished
10 Choose option 4 - Exit.
The Oracle installation and configuration is completed. Restart the machine.

Post-installation verifications
In order to verify the installation, check the Oracle services and the TNMS database:
1. Go to Start > Run and run the command services.msc.
2. The following services should be started:
• OracleOraDb11g_home1TNSListener
• OracleServiceTNMS (if the default database name was “TNMS”)
3. Run the application:
    “<Oracle Home>\BIN\LSNRCTL”
and run the command status.

Note: <Oracle Home> is, by default, “C:\oracle\product\11.2.0\dbhome_1\”

4. Check if your SID exists and if its status is READY:
    Instance "tnms", status READY... (if the default database name was “TNMS”)

5.5.1 Uninstalling Oracle


To uninstall the TNMS database and the Oracle software you must use the uninstallation
tool provided by Oracle. Proceed as follows:
1. Go to Start > All Programs > Accessories > Command Prompt, opposite-click,
select Run as administrator and then enter the following command:
    “<Oracle Home>\deinstall\deinstall.bat”

Note: <Oracle Home> is, by default, “C:\oracle\product\11.2.0\dbhome_1\”

The following steps describe a typical uninstallation procedure. In case the uninstallation
tool requests additional information, refer to the uninstallation tool documentation
at: http://docs.oracle.com/cd/E11882_01/install.112/e16774/deinstall.htm.
2. When prompted for the Listener Name, enter LISTENER and press Enter.
3. When prompted for the Oracle SID, enter TNMS and press Enter.
4. When prompted for TNMS database modification, enter "n" and press Enter.
(The details of database(s) TNMS have been discovered automatically. Do you still
want to modify the details of TNMS database(s)? [n]: n)
5. When prompted for continuation, enter "y" and press Enter.
(Do you want to continue (y - yes, n - no)? [n]: y)
6. Wait until the uninstallation finishes and then restart the machine.
7. Go to C:\ folder and delete the remaining folders and files.
• C:\oracle
• <PATH>\oradata (path chosen during installation)

5.6 OSI Stack


If QB3 is to be used, an OSI stack must be installed on the NetServer PCs before the
NetServer software.

5.6.1 Installing OSI Stack


To install an OSI stack, proceed as follows:
1. On the software DVD, go to the OSI_Stack directory, right-click setup.exe and
click Run as administrator.
2. A welcome window is now displayed. Press Next to continue.
3. In the Choose Destination Location window which is now displayed, a default
installation directory is offered for the OSI stack. Press Next to continue.
4. In the Please select: window, select the NSAP address option best suited to your
company’s network and press Next.
5. In the Getting NSAP window, enter the NSAP address. For example, if you selected
the option NSAP should be derived from MAC address of my ethernet card in
step 4, enter the MAC address of the network card and press Next.
6. In the Start Copying Files window, ensure that the settings displayed are correct, and if so,
press Next to continue.
7. A setup status window is now displayed, showing the progress of the OSI stack
installation.
8. In the InstallShield Wizard Complete window select the option for restarting the
computer and press Finish to complete the OSI stack installation.

5.6.2 Configuring OSI stack


Once the OSI stack installation has finished and the computer has rebooted, you need to
proceed with the following set of configurations:


1. Open OSI Stack as administrator: go to Start > Control Panel > OSI Stack,
right-click OSI Stack and select Run as administrator.
You may need to switch to the classic view or click “View as small icons” or use the
search field for OSI Stack.
2. Activate the following options:
• In “Bind to Network Interface Card”, activate all network interfaces.
• In “OpWin Configuration”, activate “Open Stack, when Operator starts”.
• Activate “Start stack as service”.
• Click the “ES-IS” stack parameter to enter the “ES-IS configuration” and disable
“Enable emission of ES hello”. Click “Ok”.
3. Exit the OSI Stack Configuration and reboot the machine in order to reset the variables
properly, otherwise you may experience unexpected delays in the service
readiness.

If you need to check the environment variable OSIPIPE:

1. Click Start > Control panel > System and Security > System.
2. Open the Advanced system settings > Advanced tab.
3. Click the button "Environment variables".
4. In the lower list (user variables), search for OSIPIPE variable.
5. The OSI stack configuration is finished.

5.6.3 Uninstalling OSI stack


To uninstall the OSI stack, follow the next steps:
1. Open Start > Control Panel > Administrative Tools > Services.
2. Select the OSI stack service and press Stop.
3. Open Start > Control Panel > Add/Remove Programs.
4. Select the OSI stack from the software list.
5. Click Uninstall.
6. Confirm the uninstall process with Finish and restart your computer.

5.7 CopSSH
CopSSH is a Secure Shell (SSH) File Transfer Protocol (SFTP) and Secure Copy (SCP)
server used for transferring data to and from some types of NEs.
CopSSH installation is required for netservers only if there are hiT 7100, hiT 7300
or ADVA NEs in your network.

Note: SFTP / SCP use is recommended since it is more secure than FTP.

Note: In order to support SFTP or SCP transactions via the LCT, you must install and configure
CopSSH in TNMS.


5.7.1 Installing CopSSH


To install CopSSH 4.7.1, proceed as follows (same procedure for all supported operating
systems):
1. On the software DVD, go to the CopSSH directory, right-click the
Copssh_4.7.1_x86_Installer.exe file and run it as administrator.
2. The setup wizard’s Welcome window is shown. Click Next.
3. In the License Agreement window click I Agree.
4. Enter an Installation folder or accept the default by clicking Next.
5. Enter the service account credentials.
6. You must select the user that will be used for the CopSSH account service management,
by choosing one of the following options:
• Keep the default CopSSH user: SvcCOPSSH (the installer generates a random
password). If you choose this option, keep that password for the future (recommended).
Or
• Select a new user (must be different from existing local machine users). In this
case you must provide a username and a password that meet the following
requirements:
- The username must be at least four characters in length.
- Passwords cannot contain the user’s account name or parts of the user’s
complete name exceeding two consecutive characters.
- Passwords must be at least six characters in length.
- Passwords must contain characters from three of the following four categories:
• English uppercase characters (A through Z).
• English lowercase characters (a through z).
• Base 10 digits (0 through 9).
• Non-alphabetical characters (for example: !, $, #, %).
Click Install.

7. Click Close to finish the installation.

5.7.2 Configuring CopSSH


As a security measure, CopSSH’s default user cannot be used to access the machine.
Therefore, new users must be created.
Configuring users in CopSSH:
1. Create a user with limited privileges in the operating system. This user will be used
to perform the SFTP / SCP transfers.
2. Grant the user write privileges on the C:\Program Files (X86)\ICW folder. Go to
Properties, add the user created and give the user modify permissions.
3. Go to Start > Programs > CopSSH, right-click CopSSH Control Panel and
click Run as administrator.
4. In the Status tab, check if the service is running (green button). If not, click on the
red button to start it.
5. Go to Users tab and click Add.
6. Click Forward to begin the CopSSH User Activation wizard.


7. Choose the current machine for domain and the user you created earlier. Click
Forward.
8. Select Shell access type:
• For ADVA NEs, select “Linux shell and Sftp”.
• For hiT 7100 and/or hiT 7300 NEs, select “Sftp”.
• For ADVA and/or hiT 7300 NEs and/or hiT 7100 NEs, select “Linux Shell and
Sftp”.
In the three options available, only “Password authentication” must remain
checked. Uncheck the other two options, “Public key authentication” and “Allow
TCP forwarding”.
Click Forward.
9. Click Apply to activate the user.
Changing the default number of simultaneous sessions
The following mandatory procedure is required in order to support multiple NE requests.

Warning: If you run the CopSSH Control Panel after the procedure below, all the
changes to the passwd file will be reset.

1. Edit the file C:\Program Files (x86)\ICW\etc\sshd_config


Below is a sample sshd_config file (after the CopSSH Control Panel has been run
for the first time):

Port 22
Compression delayed
LogLevel INFO
TCPKeepAlive yes
LoginGraceTime 120
Protocol 2
MaxAuthTries 6
MaxSessions 10
Subsystem sftp internal-sftp -l ERROR
Match User copuser
PasswordAuthentication yes
PubkeyAuthentication no
AllowTcpForwarding no
MaxSessions 10

# Catch All
Match User *
AllowTcpForwarding no
MaxSessions 0
PasswordAuthentication no
PubkeyAuthentication no

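2. Change both MaxSessions 10 values (lines 8 and 13), that is, the global setting and the
one in the Match User copuser block, to 100. Leave MaxSessions 0 in the catch-all
Match User * block unchanged.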


3. Add the line MaxStartups 10:30:100 after line 8 to control the number of open
unauthenticated sessions. This avoids an overload of the SSH daemon.
4. Below is the sample above after the changes:


Port 22
Compression delayed
LogLevel INFO
TCPKeepAlive yes
LoginGraceTime 120
Protocol 2
MaxAuthTries 6
MaxSessions 100
MaxStartups 10:30:100
Subsystem sftp internal-sftp -l ERROR
Match User copuser
PasswordAuthentication yes
PubkeyAuthentication no
AllowTcpForwarding no
MaxSessions 100

# Catch All
Match User *
AllowTcpForwarding no
MaxSessions 0
PasswordAuthentication no
PubkeyAuthentication no

5. Save the sshd_config file and restart the CopSSH service using Windows Control
Panel.
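
The following Python check is an added example, not part of the Coriant manual or of CopSSH. It computes the settings sshd applies to a given user from the edited file (values in a matching Match block override the global section, and when several Match blocks match, the first value found wins) and reports deviations from the values in the procedure above. The function names and the embedded sample are constructed for illustration; only Match User blocks with wildcard patterns are handled.

```python
import fnmatch

# Constructed input: the edited sshd_config from the procedure above, embedded
# so the example runs offline. "copuser" is the manual's sample SFTP user.
EDITED_CONFIG = """\
Port 22
Compression delayed
LogLevel INFO
TCPKeepAlive yes
LoginGraceTime 120
Protocol 2
MaxAuthTries 6
MaxSessions 100
MaxStartups 10:30:100
Subsystem sftp internal-sftp -l ERROR
Match User copuser
PasswordAuthentication yes
PubkeyAuthentication no
AllowTcpForwarding no
MaxSessions 100

# Catch All
Match User *
AllowTcpForwarding no
MaxSessions 0
PasswordAuthentication no
PubkeyAuthentication no
"""

# Values the procedure expects for the SFTP user and for everyone else.
SFTP_USER_EXPECTED = {"passwordauthentication": "yes", "pubkeyauthentication": "no",
                      "allowtcpforwarding": "no", "maxsessions": "100"}
OTHER_USER_EXPECTED = {"passwordauthentication": "no", "pubkeyauthentication": "no",
                       "allowtcpforwarding": "no", "maxsessions": "0"}


def parse_sshd_config(text):
    """Return (global settings, list of (user pattern, settings) in file order)."""
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # sshd keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            criterion, _, pattern = value.partition(" ")
            if criterion.lower() != "user":
                raise ValueError("only 'Match User' blocks are handled: " + line)
            current = {}
            blocks.append((pattern.strip(), current))
        else:
            current.setdefault(keyword, value)  # first value obtained wins
    return global_settings, blocks


def effective_settings(text, user):
    """Settings that apply to `user`: matching Match blocks first, then global."""
    global_settings, blocks = parse_sshd_config(text)
    effective = {}
    for pattern, settings in blocks:
        # Simplification: comma-separated wildcard patterns, no "!" negation.
        if any(fnmatch.fnmatchcase(user, p) for p in pattern.split(",")):
            for keyword, value in settings.items():
                effective.setdefault(keyword, value)  # earlier Match block wins
    for keyword, value in global_settings.items():
        effective.setdefault(keyword, value)
    return effective


def audit(text, sftp_user, other_user="user-not-in-copssh"):
    """Return a list of deviations from the values given in the procedure."""
    findings = []
    global_settings, _ = parse_sshd_config(text)
    if global_settings.get("maxstartups") != "10:30:100":
        findings.append("global: MaxStartups is not 10:30:100")
    for user, expected in ((sftp_user, SFTP_USER_EXPECTED),
                           (other_user, OTHER_USER_EXPECTED)):
        actual = effective_settings(text, user)
        for keyword, value in expected.items():
            if actual.get(keyword) != value:
                findings.append(f"{user}: {keyword} is {actual.get(keyword)!r}, "
                                f"expected {value!r}")
    return findings


if __name__ == "__main__":
    for finding in audit(EDITED_CONFIG, "copuser") or ["no deviations found"]:
        print(finding)
```

If the catch-all Match User * block is moved above the copuser block, effective_settings returns MaxSessions 0 and PasswordAuthentication no for copuser, so the order of the two blocks must be kept when editing the file.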

5.7.3 CopSSH Troubleshooting


Go to Start > Programs > CopSSH > CopSSH Control Panel and in the Status
tab, check that the CopSSH service is running (green color). If not:
1. Go to (Windows) Control panel > Administrative tools > Services.
2. Right-click the service "Openssh SSHD" and select Properties.
3. In the Log On tab, select Local System account.
4. Click OK.
5. Start the Openssh service.
Check if the SFTP user is added to the password file:
1. Edit the file C:\Program Files (x86)\ICW\etc\passwd.
It must contain the details of the SFTP user that was created and activated. For
example, if the user name is “FTPUser”, the file will be:


Administrator:unused:10500:10513:U-AUMELRD-TD-03\Administrator,S-1-5-21-3507081192-3007060136-515313314-500:/home/Administrator:/bin/bash
FTPUser:unused:11021:10513:FTPUser,U-AUMELRD-TD-03\FTPUser,S-1-5-21-3507081192-3007060136-515313314-1021:/home/FTPUser:/bin/bash
Guest:unused:10501:10513:U-AUMELRD-TD-03\Guest,S-1-5-21-3507081192-3007060136-515313314-501:/home/Guest:/bin/bash
sshd:unused:11025:10513:U-AUMELRD-TD-03\sshd,S-1-5-21-3507081192-3007060136-515313314-1025:/var/empty:/bin/bash
SvcCOPSSH:unused:11026:10513:U-AUMELRD-TD-03\SvcCOPSSH,S-1-5-21-3507081192-3007060136-515313314-1026:/var/:/bin/bash

2. If the password file does not contain the details of the SFTP user, grant write
access to the ICW folder to the Windows user that is used to install COPSSH.

5.7.4 CopSSH Hardening


To further restrict the CopSSH user's privileges by making connections via
interactive shell impossible, proceed as follows:

Warning: If you run the CopSSH Control Panel after the procedure below, all the
changes to the passwd file will be reset.

1. Go to <CopSSH installation path>\etc\ and edit the passwd file.


2. Edit the line (example) from
reguser:unused:11010:10513:reguser,U-TSVM41\TestPL,S-1-5-21-2769772405-123357289-3683661142-1010:/home/reguser:/bin/bash
to
(...):/bin/false
3. Save the file.
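
The passwd check from 5.7.3 (is the SFTP user present?) and the shell change from 5.7.4, as an added Python example that is not part of the Coriant manual or of CopSSH. The function names, host name and SIDs are constructed placeholders; the field layout is the one shown in the manual's sample file.

```python
# Constructed sample in the passwd layout shown above
# (name:password:uid:gid:gecos:home:shell). The host name and SIDs are
# placeholders; "FTPUser" is the manual's sample SFTP user name.
SAMPLE_PASSWD = r"""Administrator:unused:10500:10513:U-HOST\Administrator,S-1-5-21-0-0-0-500:/home/Administrator:/bin/bash
FTPUser:unused:11021:10513:FTPUser,U-HOST\FTPUser,S-1-5-21-0-0-0-1021:/home/FTPUser:/bin/bash
sshd:unused:11025:10513:U-HOST\sshd,S-1-5-21-0-0-0-1025:/var/empty:/bin/bash
SvcCOPSSH:unused:11026:10513:U-HOST\SvcCOPSSH,S-1-5-21-0-0-0-1026:/var/:/bin/bash
"""

FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
NO_LOGIN_SHELL = "/bin/false"  # value used in the hardening step above


def parse_passwd(text):
    """Return (entries, malformed line numbers) for a passwd file's text."""
    entries, malformed = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.strip().split(":")
        # Seven fields with numeric uid/gid; anything else (for example two
        # entries fused onto one line) is reported instead of guessed at.
        if len(parts) != len(FIELDS) or not (parts[2].isdigit() and parts[3].isdigit()):
            malformed.append(number)
            continue
        entries.append(dict(zip(FIELDS, parts)))
    return entries, malformed


def audit_passwd(text, sftp_user):
    """Summarise what the troubleshooting and hardening steps ask you to check."""
    entries, malformed = parse_passwd(text)
    by_name = {entry["name"]: entry for entry in entries}
    return {
        "malformed_lines": malformed,
        "sftp_user_present": sftp_user in by_name,
        "sftp_user_shell": by_name.get(sftp_user, {}).get("shell"),
        "interactive_accounts": [e["name"] for e in entries
                                 if e["shell"] != NO_LOGIN_SHELL],
    }


def set_shell(text, user, shell=NO_LOGIN_SHELL):
    """Return the passwd text with only `user`'s shell field replaced."""
    lines, changed = [], False
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) == len(FIELDS) and parts[0] == user:
            parts[-1] = shell
            changed = True
        lines.append(":".join(parts))
    if not changed:
        raise KeyError(f"{user} has no entry in the passwd text")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(audit_passwd(SAMPLE_PASSWD, "FTPUser"))
    hardened = set_shell(SAMPLE_PASSWD, "FTPUser")
    # Run the audit again after any use of the CopSSH Control Panel, which
    # resets manual changes to this file.
    print(audit_passwd(hardened, "FTPUser"))
```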

5.8 Antivirus
To protect TNMS against viruses, you should install F-Secure Client on all machines.
Refer to the software release notes to see the released versions.

5.9 NTI third-party software installation


“NTI DS” is third-party software that is part of the TNMS prerequisites. The installer is
in the installation folder TNMS_Prerequisites > NTI_DS; it launches and
controls the setup of this third-party software. The main setup also configures the
software after the installation to work with TNMS.

This procedure is mandatory only if you want to have NTI operational. Otherwise, skip
this procedure.


Installing the NTI third-party software:


1 Run the NTI_DS_Installer.exe file. Check the file in the folder TNMS_Prerequisites.
2 Proceed as described in the setup windows. In the “Welcome” window, click Next.
3 In the “License Agreement” window, choose “I accept the terms of License Agreement”
and click Next.
4 In the “Choose Install Set” window, click Next.
Choose “Full Installation” as the installation type.
5 In the “Directory Name” (Default: C:/NTI_DS) window, enter the installation directory
or select it from the Choose dialog and click Next.
6 In the “Notification Service Configuration” window, select one of the following
options:
• “Contact with IMR on every server start-up”: off (default option).
• “Choose level of verbosity”: fatal errors only (default option).
• “Choose details for compact Typecodes”: off (default option).
• “Disable indirection encoding”: on (default option).
• “Please enter port number for Notification Service”: 17289 (default option).
• “Please choose maximum Java heap size for Notification Service”: choose one
of the three available values. The default value is 256 MB.
Click Next.
7 In the “Pre-Installation Summary” window check if the installation options are correct
and confirm by clicking Install.
8 In the “Install Complete” window, you see the message “Your computer must be
restarted to complete the installation”. Click Finish.
9 After rebooting, proceed as follows:
• Go to <Installation Folder>\NoSe\bin and run the “Object Viewer” by double
clicking the manager.bat file.
• Locate the “localhost” of the OpenFusion object, right-click and then click Start
in the context menu. If already started, skip this step.
• This changes the state to “Started”.
Ensure the services are started through Start > Control Panel > Administrative Tools
> Services.

The following services must exist and be in state “Started”.


• JacORB IMR
• OpenFusion.NotificationService 4.2.3


6 TNMS installation
This chapter describes the TNMS installation. If you have a previous TNMS version
installed in your system, jump to 9 Upgrade to TNMS 14.1 10.
Before you install TNMS be sure to read and follow the directions below. Failing to
comply will result in a failed installation.

6.1 Full installation


To install TNMS Server, NetServer and Client in the same machine (full installation):
1. Copy all relevant priority updates into ...\TNMS Installer\PUs.
2. Log in to the operating system with a user that has administrative rights.
3. Right-click the installation file in the TNMS SW CD and select “Run as administrator”
(Figure 2).

Figure 2 How to set the TNMS installer to run with administrator rights in
Windows 7 and Windows Server 2008.
The Introduction window opens and the complete list of installation steps is displayed
on the left pane.
Click Next to continue.
4. Read the License Agreement and then select I accept the terms of the License
Agreement.
Click Next to continue.
5. In the Choose Install Set step, click Full to install all components in the machine.
The available buttons describe the installation variants offered.
Click Next to continue.
6. Select your type of hardware configuration: Medium, Large (see 2.2 Hardware
requirements) or Legacy Hardware.
Select Legacy Hardware to install TNMS Server in machines that meet the
hardware requirements for TNMS 13.2 1x but not for TNMS 14.x xx.

Note: Optical Management is not supported in the Legacy Hardware configuration.

7. A usage warning pops up to let you know that the database should not be in use by
any application.
8. Select Build and click Next to continue.

Warning: If there is a previous TNMS version installed, the “Build” option will delete all the
data in the database. To upgrade your installation, refer instead to the Upgrade
Manual.

9. The Oracle database connection step asks you to enter a set of database connection
parameters:
• Database IP Address: the Oracle host IP address.


• Database port: the Oracle server port number. The default value is 1521.
• Database username: the user scheme of the database to be created (example:
TNMS).

Note: Using the same user / password in all installations is recommended since it
ensures that the database is restorable in any machine. However another user
/ password can be used for security reasons, as long as you keep these data for
future reference and you use the same user / password in the system where you
perform the backup and the system where you restore it.

• User password: the password for the DB user (example: fk12!igp).

Note: The password must meet the following requirements:
• Is at least four characters long.
• Differs from the user name.
• Has at least one alphabetic, one numeric and one punctuation character.
• Is not simple or obvious, such as welcome, account, database, or user.

• Re-enter user password: re-enter the password.


• Database name (SID): the name of the Oracle database (DB instance), which,
by default, is “TNMS”.
• User ‘sys’ password: fill in with the password defined in 5.5 Oracle.
Click Next to continue.
10. In the Choose Components step:
10.1 Select the Managers to be installed.

Warning: On Legacy hardware installations the Optical Manager will not be installed. To
install and use the Optical Manager you must select the Medium or the Large
configuration.

Note that all managers can be installed but each requires a specific license to
be used.
Click Next to continue.
10.2 Select the North Bound Interface to install, if any.

Note: If you select TMF/Corba, you must have previously installed the NTI as
described in 5.9 NTI third-party software installation.

Click Next.
10.3 Select the LCTs to be installed.
Click Next to continue.
10.4 Select the NEs to be installed and all their versions, for example:
[X] hiT 7300 5.10.0x
[X] hiT 7300 5.10.10
[X] hiT 7300 5.10.2x
[X] hiT 7300 5.30.50
[X] hiT 7300 5.30.60
Click Next to continue.
11. In the Choose Install Folder step:
11.1 Enter the path for the TNMS installation folder, the TNMS Data folder (see
note), the LCT installation folder and the EML Mediation installation folder.


Default paths are provided.


Click Next to continue.

Note: Make sure that the TNMS Data folder is empty. If not, back up and remove the
data or select a different folder.

12. If CopSSH is not installed in the machine, a warning pops up to let you know that the
NetServer requires you to install it (see 5.7.1 Installing CopSSH).
If CopSSH is already installed, you must provide a valid SFTP User, that is, a
Windows user that was added to CopSSH (see 5.7.2).

Note: The user is not created again. The user mentioned in this step serves as a cross
check with the user added in the CopSSH configuration (see 5.7.2 Configuring
CopSSH).

13. In case you have more than one Network Interface Card (NIC) installed, the Choose
host IP address panel is displayed providing a list of the IPs associated with each
NIC.
Click the pulldown menu and choose the IP that corresponds to the host name of the
machine.
In case you only have one NIC, this panel is not displayed and you must proceed to
the next step.
14. Select the TNMS server’s IP address (blank by default).
Enter the TNMS server’s IP address if you are installing the netserver on a machine
other than the server (blank by default).
Click Next to continue.

Note: This step is skipped in some cases, such as if the server has only one IP address.

15. In the OpenDS Directory Server Configuration step set the following OpenDS
database server information:

Note: All fields except the Admin password are automatically filled in. If not, cancel the
installation wizard, complete the 4.6 System Hosts configuration and start the installation
once more.

• Computer name: <Computer Name>.<Domain>
• Install directory: folder wherein the OpenDS server will be installed.
• Server port, Admin port: ports used respectively to communicate with OpenDS
Server and for administrative actions.
The server and admin port numbers shown are default, not mandatory. You can
use any port number from 1024 to 49151.
• Admin ID: default is admin.
• Admin password: select password (minimum 8 characters).
• Re-enter Admin password: re-enter the selected password.
Click Next to continue.
16. In the Choose Shortcut Folder step configure the options of the icons and shortcuts
to be created during installation.
Click Next to continue.
17. Decide whether to set the Coriant wallpaper as your default desktop wallpaper.
Click Next to continue.


18. If one or more of the priority updates you copied into ..\TNMS Installer\PUs does not
comply with a set of preconditions a warning message is displayed (for additional
information check 6.3 About the automatic priority updates installation).

Warning: The PUs that generate warnings will not be installed.

Click Next to continue or click Cancel to go back to the previous step.


19. A summary of the installation settings is given in the Pre-Installation Summary step.
If the settings are correct, click Install to start the installation.
20. If an error, such as a corrupted PU file, is detected during the installation an error
message is displayed (for additional information check 6.3 About the automatic
priority updates installation).
21. The results of the installation are presented in the Installation Results step.
Click Done to close the installation wizard.
22. Reboot the machine to complete the installation.
After the TNMS Server has been installed and started, the system can be immediately
operated by selecting the server name and using the default user name and password
(see 7.3 Logging in and 7.4 Default username and password).

Note: A warning message may be displayed during the installation configuration stating that
the firewall is enabled. However, if you use the Windows Firewall, in some cases the
firewall window displays the disabled status. This contradiction arises because the TNMS
Installer uses the netsh adv commands to check the firewall status, which can return
a different status from that presented in the GUI.
To configure the firewall refer to 12.3 Networking and firewall configuration.

Note: The TNMS installation creates the following services on the target machine after the full
installation is completed:
• TNMS (automatically started). In the server machine.
• RCTSrv (automatically triggered off by TNMS and thus listed as Manual). In the
server machine.
• Open DS (automatically started). In the server machine.
• TNMS EmlMediator (automatically started). In the netserver machine.
• TNMS Generic Mediator (automatically started). In the netserver machine.
• TNMS TrapHandler (automatically started). In the netserver machine.
• TNMS Multivendor Mediator (automatically started). In the netserver machine.
• TNMS platform (automatically started). In the server machine.

6.2 Installation of separate components


To install only one of the components or a specific combination of components you must
follow the procedure described in the previous section until step 5. In this step choose
Client, Server, NetServer, Server and NetServer or Server and Client. The subsequent
steps are a subset of those described in 6.1 Full installation. However, note that:
• If you install the TNMS Client and/or the Netserver on Windows 7, go to Start >
Control Panel > System > Advanced System Settings > Advanced tab > Performance
pane > Settings button > Visual Effects tab and select the option “adjust
for best performance”.


• If you install the TNMS Netserver in a machine other than the Server, the TNMS
Server’s IP address is requested during the installation.
If you install the TNMS Netserver in the same machine as the Server, the TNMS
Server’s IP address is requested only if the server has more than one IP address.

6.3 About the automatic priority updates installation


You can install priority updates (PU) either manually, anytime after installing TNMS, or
automatically, while installing TNMS. The automatic procedure includes several verifications
that are useful and timesaving.
During the configuration of the installation the TNMS installer checks if:
• The PUs are valid.
A PU is considered valid if its file has the characteristics of a PU and if the PU is
being installed on the supported TNMS version.
• All dependencies between PUs are met.
• There are no duplicated PUs.
If one or more PUs fail to meet one or more of these conditions, warnings are displayed
to let you know which PUs fail to comply with which condition. Also, in the Pre-installation
summary you can find the following two sections:
• Installation Check Warnings
In this section are listed all warnings displayed during the configuration steps. If any
warnings regarding PUs were displayed, you can find their content here. The PUs
listed in this section will not be installed.
• Priority Updates to Install
In this section are listed all PUs that comply with the conditions above and that will
be installed.

Tip: Refer to the preinstall_warnings.log if you need this information later on.

The correct installation of the PUs is also verified during the TNMS installation. If any
PU was not correctly installed, an error message is displayed.
Any error or warning messages during the installation are also referenced in the final installation
step. For details on these errors and warnings refer to the
PU_InstallLog.log, where you can find the logs of the execution of all installed PUs.


7 Post-installation procedures
Warning: If you decide to harden the system, you must do it before starting TNMS in a production
environment. See 12 Security hardening for instructions.

7.1 Starting services


Services, such as TNMS Server, TNMS EmlMediator and TNMS Generic Mediator start
automatically with the machine.

7.2 Starting a Client session


A Client session is started by clicking either the shortcut icon on the desktop (if one was
created during installation) or the client icon in the installation folder.
Functions authorized by the current user’s access rights can now be accessed. The user
defined below has full access rights:
• Default available user - Administrator
• Default user group - Administrators
• Default policy - Global
• Default domain - Global

7.3 Logging in
Once TNMS has started, you can log in. Press the spacebar or click the icon to get the
login window. You must fill in the following fields:
• Server name.
You can select a previously used value set from the menu. Alternatively, input server
data either in the <server IP address>:<port number> or <server name>:<port
number> formats. The default values are localhost:1100.
• User name.
Input a valid user name.
• Password.
Input the user’s password.
If the Server is unavailable the following error message is displayed:
“Server not reachable. Please check your network connectivity or if server is
running”
In this situation check for one of the following scenarios:
• The server is not reachable.
• Network connectivity.
• The server may not be running.
• You are trying to connect to a standby server instead of the active server.

Note: If you are logging in after an update rather than an installation from scratch, the users
and passwords remain unchanged from the previous version.


7.4 Default username and password


After the TNMS Server has been installed and started, the system can be immediately
operated using the default user and password. Both fields are case-sensitive.
• User name: administrator
• Password: e2e!Net4u#
For security reasons, the administrator is requested to change the password.

7.5 Changing the password


The first password change is performed in a popup window after the first login. Subsequent
changes are performed in the Administration > User Management > User Modification
window. You are asked to enter the new password twice for confirmation, to specify
whether the user cannot change the password or, otherwise, whether the user has to
change the password at next logon, and/or to define the password expiration deadline
between 3 and 90 days.
TNMS stores the password history in the OpenDS database.

Note: If Single Sign-on is enabled later on, this menu item will no longer be displayed as no
password within TNMS will be required.

Password complexity rules


New passwords are validated by the system according to the rules below.
The new password must:
• Be at least 8 characters long
• Contain at least 2 alphabetic characters
• Contain at least 1 numeric character
• Contain at least 1 special character other than #, $, *, / and @
• Contain at most 3 consecutive digits or letters from the alphabet
• Differ from the old one by at least 3 characters. This is enforced only if the password
is changed through the Change Password window.
The new password must not:
• Be the same as the user id
• Contain the user id
• Contain a rotated version of the user id
• Match any of the previous passwords.

7.6 Terminating a Client session


A Client session terminates when you log off. All windows are closed and only the login
function is accessible.


7.7 Single Sign-on


By enabling Single Sign-on (SSO) the users can log in to TNMS using the operating
system credentials, without having to enter another username and password.
This configuration can be done at any point in time and is therefore described in the
TNMS User Manual.

7.8 Standby server


This configuration can be done at any point in time and is therefore described in TNMS
User Manual.

7.9 License keys


Logging in allows you to access elementary TNMS features such as viewing the network
map or activating NEs. However, full access to the whole TNMS, including the Managers
ASON, Ethernet and Optical, is granted through the acquisition and installation of proper
license keys.

Note: Optical Manager licenses require a TNMS service restart after importing.

Refer to the User Manual for more information on how to manage licenses.

7.10 Internet Explorer configuration


To ensure the correct behavior of the context sensitive online help, configure Internet
Explorer as follows:
1. Within Internet Explorer go to Tools > Internet Options > Security.
2. Select the desired security level and then click Custom.
2.1 In the Scripting section, enable Active Scripting.
2.2 In the ActiveX controls and plug-ins section, enable Initialize and script ActiveX
controls not marked as safe for scripting.

7.11 Connection timeout configuration


In order to avoid possible timeouts in communications between the TNMS Client and
Server, such as in case of APS uploads, proceed as follows:
1. Edit the file
<TNMS installation folder>\jboss\server\bicnet\deploy\jboss-web.deployer\
server.xml
2. Search for the section that configures the connector of port 8080 and adjust the
timeout to a value adequate to your network conditions. For example, to set the
timeout to 60 seconds you must enter the value 60000 as in bold below:
<Connector port="8080" address="${jboss.bind.address}"
maxThreads="250" maxHttpHeaderSize="8192"
emptySessionPath="true" protocol="HTTP/1.1"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="60000" disableUploadTimeout="true" />
3. Restart the TNMS Server.


7.12 Importing a public certificate from IOC Online Planning (IOC OP)

The communication between IOC OP and TNMS is SSL-encrypted. Such encryption is
in turn based on certificates.
If on IOC OP a keystore or certificate changes for any reason, a new key must be generated
and then imported to avoid disabling communication.
The certificates shipped with Coriant products and solutions exist so that the installation
completes correctly and the products are ready to work.
Comply with all your organization’s security rules and established practices before final
deployment.

To import a public certificate, proceed as follows:


1 Log in to IOC OP.
2 Get the IOC OP Server public certificate file tcserver.cer and copy it to the TNMS
Server.
For information on how to generate this file refer to the IOC OP Installation Manual
for Solaris, section on generating IOC OP server keystore and public key pair.
3 Open a Windows Command Prompt window (through cmd.exe).
4 Change to the directory with the keytool command:
cd <TNMS_InstallationDirectory>\jre\bin
5 Import tcserver.cer into the TNMS truststore.
Issue:
keytool -import -file tcserver.cer -alias tcserver -keystore "<Coriant_TNMS_InstallationDirectory>/jboss/server/bicnet/conf/sslmq.keystore" -storepass changeit
6 TNMS Server returns the certificate details and asks you to allow the import:
Owner: CN=tcserver tcserver, OU=Optical Networks, O=Coriant,
L=Lisboa, ST=Alfragide, C=PT
Issuer: CN=tcserver tcserver, OU=Optical Networks, O=Coriant,
L=Lisboa, ST=Alfragide, C=PT
Serial number: 4ffd7431

...
Trust this certificate? [no]: yes
7 A successful import returns:
Certificate was added to keystore
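
In the output shown in step 6 the Owner and the Issuer are identical, so the certificate is self-signed and the only identity check available before answering "yes" is its fingerprint. The following script is an added example, not part of the Coriant manual: it compares the copied tcserver.cer with a fingerprint read on the IOC OP server (for instance from keytool -printcert -file tcserver.cer run there). The script, parameter and function names are illustrative.

```powershell
# Added example (not from the Coriant manual): compare tcserver.cer with a
# fingerprint read on the IOC OP server before answering "yes" to keytool.
# Script, parameter and function names are illustrative.
param(
    [string]$CertPath = '.\tcserver.cer',
    [Parameter(Mandatory = $true)][string]$ExpectedFingerprint
)

function ConvertTo-HexDigest {
    # Accepts "AB:CD:..", "ab-cd-..", "AB CD .." or bare hex; returns upper-case hex.
    param([Parameter(Mandatory = $true)][string]$Fingerprint)
    $hex = ($Fingerprint -replace '[\s:\-]', '').ToUpperInvariant()
    if ($hex -notmatch '^[0-9A-F]+$') {
        throw 'Fingerprint contains characters that are not hexadecimal digits.'
    }
    return $hex
}

function Get-CertificateReport {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Expected
    )
    $expectedHex = ConvertTo-HexDigest $Expected

    # Pick the digest from the length of the value that was read out:
    # 40 hex digits = SHA-1, 64 hex digits = SHA-256.
    switch ($expectedHex.Length) {
        40 { $algorithm = [System.Security.Cryptography.SHA1]::Create() }
        64 { $algorithm = [System.Security.Cryptography.SHA256]::Create() }
        default { throw "Expected 40 (SHA-1) or 64 (SHA-256) hex digits, got $($expectedHex.Length)." }
    }

    # X509Certificate2 reads DER as well as Base64 encoded .cer files.
    $fullPath = (Resolve-Path $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath
    try {
        # The fingerprint is the digest of the DER encoding of the certificate.
        $digest = $algorithm.ComputeHash($cert.RawData)
        $actualHex = [System.BitConverter]::ToString($digest) -replace '-', ''
    } finally {
        $algorithm.Clear()
    }

    $now = Get-Date
    New-Object PSObject -Property @{
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        SelfSigned         = ($cert.Subject -eq $cert.Issuer)
        SerialNumber       = $cert.SerialNumber
        NotAfter           = $cert.NotAfter
        WithinValidity     = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        ActualFingerprint  = $actualHex
        FingerprintMatches = ($actualHex -eq $expectedHex)
    }
}

$report = Get-CertificateReport -Path $CertPath -Expected $ExpectedFingerprint
$report | Format-List Subject, Issuer, SelfSigned, SerialNumber, NotAfter,
    WithinValidity, ActualFingerprint, FingerprintMatches

if (-not $report.FingerprintMatches) {
    throw 'Fingerprint mismatch: do not import this file. Fetch tcserver.cer again.'
}
if (-not $report.WithinValidity) {
    throw 'Certificate is outside its validity period: generate a new one on IOC OP.'
}
Write-Output 'Fingerprint matches: continue with the keytool -import step.'
```

Run it from the directory that holds tcserver.cer and pass the fingerprint exactly as it was read on the IOC OP server; separators and letter case are ignored.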

8 Backup and restore


This chapter guides a TNMS administrator through the backup and restore procedures.
Backup and restore is a safeguard mechanism to back up the system and recover it in
case a problem occurs.

8.1 General description


You must back up information contained in the following two data repositories:
• Oracle server - DCN management and services information. This server includes
the TNMS database.
• OpenDS server - User and security information.
The required information is backed up into three sets:
• Oracle database backups are used to recover the database from corruption events
or unexpected integrity issues and to restore it to its most recent consistent state.
These backups contain TNMS specific data plus other Oracle files required for
database recovery.
The Oracle database backups are stored in Oracle’s Fast Recovery Area under the
BACKUPSET directory.

Warning: You must not use the BACKUPSET directory for any operations other than Oracle
database backups.

Full backups of the Oracle database are stored with a retention policy that allows for
a redundancy of 2 backups. Therefore the BACKUPSET directory contains the last
3 backups and older ones are automatically removed.

• TNMS database backup files are used to restore TNMS to a previous state in order
to, for example, undo undesired user configurations or restore TNMS state to a
clean installation.

Note: TNMS database backup files cannot be used to directly recover from an Oracle
database corruption event.

TNMS database backup files are stored under a target directory (local or remote) of
your creation or choice. Inside this directory, each backup operation creates a
subdirectory named after the backup timestamp <yyyy_MM_dd_HH_mm_ss>, where
the backup files are saved.

Warning: When performing a database backup, ensure there are write permissions to the
target directory.

• OpenDS database backup files are also stored under a target directory (local or
remote) of your creation or choice. Inside this directory, each backup operation
creates a subdirectory named after the backup timestamp
<yyyy_MM_dd_HH_mm_ss>, where the backup files are saved.
You may choose to back up the TNMS and OpenDS databases simultaneously. In that
case, the timestamped subdirectory will contain the backup files of both databases.

8.2 Overview of the Backup and Restore interfaces


The TNMS DB backup can be performed via the console, in interactive (CLI) or
non-interactive (script-friendly) mode, or via the TNMS Client (GUI). The TNMS DB restore
can only be performed via the console (interactive or non-interactive modes).

8.2.1 Interactive mode


To access the interactive mode console, run backuprestore.bat with no arguments from
C:\Program Files (x86)\Coriant\TNMS\backuprestore (default location), to open the
interactive menu as displayed in Figure 3.

Figure 3 Backup & Restore console

8.2.2 Non-interactive mode


The non-interactive mode allows you to embed the B&R feature into a scriptable
language in order to automate common and repetitive tasks.
To use the non-interactive mode, run the backuprestore.bat application from
C:\Program Files (x86)\Coriant\TNMS\backuprestore (default location) using arguments
to specify the operation you intend to perform (Table 8).
You can enter backuprestore -h in the command line to see this list.

Options          Description
-b --backup      Performs a TNMS and/or an OpenDS database backup.
-r --restore     Performs a TNMS and/or an OpenDS database restore.
-s --schema      Performs the operation on the TNMS database.
-l --ldap        Performs the operation on the LDAP (OpenDS) database.
-d --directory   When saving or loading a backup, this option must be followed
                 by the path to the directory where the backup files will be
                 stored in or loaded from.
-u --username    This option must be followed by the TNMS username.
-p --password    This option must be followed by the password matching the
                 TNMS username.
-R --recovery    Use this option to recover the Oracle database. Note that it
                 does not refer to the TNMS database.
-h --help        This option displays the list of the available arguments.

Table 8 List of the available arguments in non-interactive mode

8.3 Backup procedures through the command line


This chapter describes how to back up the system data using the command line. Before
proceeding, some general considerations and advice apply:
• Oracle and OpenDS servers must be running.
• You are advised to back up the files onto a safe repository.
• You are responsible for guaranteeing that the TNMS server backup data files are not
corrupted or changed in any way, including the file name. Otherwise restoring the
backup will not be possible.
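
One way to meet the last point, shown as an added example that is not part of the Coriant manual: record a SHA-256 manifest of a timestamped backup subdirectory right after the backup, keep it in a separate location with stricter access than the backup itself, and check it before any restore. The function names, the CSV manifest format and the demo files (created under %TEMP%) are constructed for illustration.

```powershell
# Added example (not from the Coriant manual). Function names, the manifest
# format and the demo file names are illustrative.

function Get-Sha256Hex {
    param([Parameter(Mandatory = $true)][string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        return ([System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '')
    } finally {
        $stream.Close()
        $sha.Clear()
    }
}

function Get-RelativeFileList {
    # Files below $Root (an already resolved full path), relative to $Root.
    param([Parameter(Mandatory = $true)][string]$Root)
    Get-ChildItem -Path $Root -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { $_.FullName.Substring($Root.Length).TrimStart('\') }
}

function New-BackupManifest {
    # Writes name, size and SHA-256 of every file of one backup to a CSV file.
    param([string]$BackupDir, [string]$ManifestPath)
    $root = (Resolve-Path $BackupDir).ProviderPath
    Get-RelativeFileList $root | Sort-Object | ForEach-Object {
        $file = Get-Item -LiteralPath (Join-Path $root $_)
        New-Object PSObject -Property @{
            RelativePath = $_
            Length       = $file.Length
            Sha256       = (Get-Sha256Hex $file.FullName)
        }
    } | Select-Object RelativePath, Length, Sha256 |
        Export-Csv -Path $ManifestPath -NoTypeInformation -Encoding UTF8
}

function Test-BackupManifest {
    # Emits one line per problem; no output means the backup is unchanged.
    param([string]$BackupDir, [string]$ManifestPath)
    $root = (Resolve-Path $BackupDir).ProviderPath
    $expected = @{}
    foreach ($row in @(Import-Csv -Path $ManifestPath)) {
        $expected[$row.RelativePath] = $row.Sha256
    }
    foreach ($rel in $expected.Keys) {
        $file = Join-Path $root $rel
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            "MISSING (deleted or renamed): $rel"
        } elseif ((Get-Sha256Hex $file) -ne $expected[$rel]) {
            "CHANGED: $rel"
        }
    }
    foreach ($rel in @(Get-RelativeFileList $root)) {
        if (-not $expected.ContainsKey($rel)) { "NOT IN MANIFEST: $rel" }
    }
}

# --- Demo on constructed data: a fake timestamped backup directory ---------
$demoRoot = Join-Path $env:TEMP 'tnms_manifest_demo'
if (Test-Path $demoRoot) { Remove-Item $demoRoot -Recurse -Force }
$backup      = Join-Path $demoRoot '2014_07_01_02_50_00'
$manifestDir = Join-Path $demoRoot 'manifests'      # keep apart from the backup
New-Item -ItemType Directory -Path $backup, $manifestDir -Force | Out-Null
Set-Content -Path (Join-Path $backup 'EXAMPLEDB.DMP') -Value 'constructed dump content'
Set-Content -Path (Join-Path $backup 'userRoot.ldif') -Value 'dn: dc=example,dc=com'

$manifest = Join-Path $manifestDir '2014_07_01_02_50_00.csv'
New-BackupManifest -BackupDir $backup -ManifestPath $manifest

$before = @(Test-BackupManifest -BackupDir $backup -ManifestPath $manifest)
"Problems right after the backup: $($before.Count)"

# Simulate the two failure modes named in the text: changed content, changed name.
Add-Content -Path (Join-Path $backup 'userRoot.ldif') -Value 'modified after backup'
Rename-Item -Path (Join-Path $backup 'EXAMPLEDB.DMP') -NewName 'EXAMPLEDB_old.DMP'

$after = @(Test-BackupManifest -BackupDir $backup -ManifestPath $manifest)
"Problems after tampering: $($after.Count)"
$after
```

A plain hash manifest detects corruption and accidental changes; it only detects deliberate changes if the manifest itself cannot be modified by whoever can write to the backup directory.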

8.3.1 Backing up the Oracle database


The backup of the Oracle database runs automatically and is scheduled inside Oracle
Scheduler to run daily at a predefined hour, which, by default, is 03:00 AM.
The logs of these operations are stored in the B&R application folder, in
C:\Program Files (x86)\Coriant\TNMS\backuprestore\RMAN_TNMS.log.
You can change the scheduled time using the B&R console schedule settings option.
No other parameter is changeable.

Note: If you reschedule the daily backup, set it to run outside high-load periods, so that
the application performance is not affected.
This operation performs the full backup of the entire Oracle database, including the
TNMS database backup files.
You should also consider scheduling an independent backup of the TNMS database
backup files, since Oracle backup files are kept for 3 days maximum. Refer to chapter
8.3.5 Automating the Backup procedures for more information.

To change the scheduled backup time:


1. Open a command line window using the option "Run as Administrator".
2. Go to the B&R application folder (the default is
C:\Program Files (x86)\Coriant\TNMS\backuprestore).
3. Run backuprestore.
4. Select option “4> Schedule settings” on the console.
5. Provide the TNMS credentials (Figure 4).

Figure 4 Changing the Oracle database backup schedule settings


6. Provide the new time for the scheduled backup to run, in a 24-hour format (Figure 4).
7. Press Enter.

8.3.2 Backing up the TNMS database


To back up the TNMS database:
1. Open a command line window using the option "Run as Administrator".
2. Go to the B&R application folder (the default is
C:\Program Files (x86)\Coriant\TNMS\backuprestore)
3. Back up the TNMS database using either the interactive mode console (go to step
4.) or the non-interactive mode (go to step 5.).
4. Either
back up the TNMS database using the interactive mode console:
4.1 Run backuprestore.
4.2 Select option “1> Perform backup”.
4.3 Provide the TNMS credentials upon request (Figure 5).

Figure 5 Backup submenu


4.4 Select option “1> TNMS database” from the submenu in Figure 5.
4.5 Enter the directory of your choice (local or remote) where the backup files will be
stored and press Enter.
5. Or run
backuprestore -b -s -d <directory> -u <username> -p <password>
As a result, a subdirectory named after the backup timestamp
<yyyy_MM_dd_HH_mm_ss> is created under the directory you provided and the backup
file of the TNMS database is saved within. The backup file is saved as <name of the
TNMS database>.DMP.

8.3.3 Backing up the LDAP (OpenDS)


To back up the LDAP (OpenDS):
1. Open a command line window using the option "Run as Administrator".
2. Go to the B&R installation folder (the default is
C:\Program Files (x86)\Coriant\TNMS\backuprestore)
3. Back up the LDAP using either the interactive mode console (go to step 4.) or the
non-interactive mode (step 5.)
4. Either
back up the LDAP using the interactive mode console:
4.1 Run backuprestore.
4.2 Select option “1> Perform backup”.
4.3 Provide the TNMS credentials upon request (Figure 6).

Figure 6 Backup submenu


4.4 Select option “2> LDAP database” from the submenu in Figure 6.
4.5 Enter the directory where the backup files will be stored and press Enter.
5. Or run
backuprestore -b -l -d <directory> -u <username> -p <password>
As a result, a subdirectory named after the backup timestamp
<yyyy_MM_dd_HH_mm_ss> is created under the directory you provided and the backup
file of the LDAP database is saved within. The backup file is saved as userRoot.ldif.

8.3.4 Backing up the TNMS database and the LDAP (OpenDS) simultaneously
To back up the TNMS database and the LDAP (OpenDS) simultaneously:
1. Open a command line window using the option "Run as Administrator".
2. Go to the B&R application folder (the default is
C:\Program Files (x86)\Coriant\TNMS\backuprestore)
3. Back up the TNMS and the LDAP databases using either the interactive mode
console (go to step 4.) or the non-interactive mode (step 5.).
4. Either
back up the TNMS database and the LDAP using the interactive mode console:
4.1 Run backuprestore.
4.2 Select option “1> Perform backup”.
4.3 Provide the TNMS credentials upon request (Figure 7).

Figure 7 Backup submenu


4.4 Select option “3> Both TNMS and LDAP databases” from the submenu in Figure 7.
4.5 Enter the directory where the backup files will be stored and press Enter.
5. Or run
backuprestore -b -a -d <directory> -u <username> -p <password>
As a result, a subdirectory named after the backup timestamp
<yyyy_MM_dd_HH_mm_ss> is created under the directory you provided and the backup
files of the TNMS and LDAP databases are saved within. The backup files are saved
respectively as <name of the TNMS database>.DMP and userRoot.ldif.

8.3.5 Automating the Backup procedures


It is recommended to back up the TNMS database at least weekly. You can create
command scripts for the backup and restore procedures and configure the operating
system scheduler to run them at scheduled times.

Warning: It is recommended to automate the backup using TNMS instead of a command script
(see 8.4 Backup procedures through the TNMS client). The script contains sensitive
data, such as usernames or passwords, that require access control. By using TNMS you
overcome such security issues.
Ensure the correct access rights, according to your security policy, to any command
script containing sensitive data, such as usernames or passwords.

For example, you can create a weekly schedule with the following command:
SCHTASKS.EXE /CREATE /SC WEEKLY /TN "<SCHEDULE_NAME>" /ST
<SCHEDULE_TIME> /TR "<COMMAND>" /RU "SYSTEM"
Where:
• <SCHEDULE_NAME> is the name of the schedule.
• <SCHEDULE_TIME> is the time at which the command will be run (for example,
02:50:00).
• <COMMAND> is the command to be run.
You can also use SCHTASKS.EXE to inspect the schedule details or delete schedules.
To list schedule details run:
SCHTASKS.EXE /QUERY /TN "<SCHEDULE_NAME>"
And to delete a schedule run:
SCHTASKS.EXE /DELETE /TN "<SCHEDULE_NAME>"

Warning: You must create a user in TNMS dedicated to scheduled backups and do not allow it to
expire. Create the user via “User Administration” and select the option “User cannot
change password”. When setting the backup commands to be run by the schedules, use
this user.
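
One way to apply the access-rights advice above when a command script is used anyway, as an added example that is not part of the Coriant manual: the directory ACL is restricted before the password is written, the resulting file ACL is audited, and only then is the weekly task created. The job directory, backup target, TNMS user name, task name, weekday and function names are assumptions.

```powershell
# Added example (not from the Coriant manual). Run in an elevated PowerShell.
# Directory names, user name, task name and schedule are illustrative.
param(
    [string]$JobDir     = 'C:\TNMS_BackupJob',     # assumed location (no spaces)
    [string]$BackupDir  = 'D:\TNMS_Backups',       # assumed backup target
    [string]$BackupUser = 'backup_operator',       # assumed dedicated TNMS user
    [string]$TaskName   = 'TNMS weekly backup',
    [string]$StartTime  = '02:50',                 # HH:mm, 24-hour
    [string]$BrDir      = 'C:\Program Files (x86)\Coriant\TNMS\backuprestore'
)

$SystemSid = 'S-1-5-18'       # LocalSystem, the account the task runs as
$AdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators

function Invoke-Native {
    # Runs a console program and stops the script if it reports an error.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe $Arguments | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

function Get-UnexpectedAce {
    # Returns every Allow entry whose trustee is not in the allowed SID list.
    param([string]$Path, [string[]]$AllowedSids)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        if ($ace.AccessControlType -eq 'Allow' -and $AllowedSids -notcontains $sid) {
            $ace
        }
    }
}

# 1. Create the job directory and restrict it BEFORE any secret is written:
#    drop inherited entries, grant only SYSTEM (read/execute) and Administrators.
New-Item -ItemType Directory -Path $JobDir -Force | Out-Null
Invoke-Native 'icacls.exe' @($JobDir, '/inheritance:r', '/grant:r',
    "*${SystemSid}:(OI)(CI)(RX)", "*${AdminsSid}:(OI)(CI)(F)")

# 2. Ask for the password without echoing it.
$secure = Read-Host -Prompt "Password of TNMS user '$BackupUser'" -AsSecureString
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}
# cmd.exe would reinterpret these characters inside the .cmd file.
if ($plain -notmatch '^[\x21-\x7E]+$' -or $plain -match '[%"^&|<>]') {
    throw 'Password contains characters that cannot be written safely to a .cmd file.'
}

# 3. Write the wrapper around the non-interactive backup command from 8.3.2.
$scriptPath = Join-Path $JobDir 'tnms_backup.cmd'
$lines = @(
    '@echo off',
    "cd /d `"$BrDir`"",
    "call backuprestore.bat -b -s -d `"$BackupDir`" -u $BackupUser -p $plain"
)
Set-Content -Path $scriptPath -Value $lines -Encoding ASCII
$plain = $null

# 4. Audit: nobody except SYSTEM and Administrators may have access.
$extra = @(Get-UnexpectedAce -Path $scriptPath -AllowedSids $SystemSid, $AdminsSid)
if ($extra.Count -gt 0) {
    Remove-Item -Path $scriptPath -Force
    $who = ($extra | ForEach-Object { $_.IdentityReference.Value }) -join ', '
    throw "Script removed again because it was accessible to: $who"
}

# 5. Register the weekly task, as in the SCHTASKS example above.
Invoke-Native 'schtasks.exe' @('/CREATE', '/SC', 'WEEKLY', '/D', 'SUN',
    '/TN', $TaskName, '/ST', $StartTime, '/TR', $scriptPath, '/RU', 'SYSTEM')
```

The password still sits in clear text in tnms_backup.cmd, which is why the section recommends the TNMS client scheduler instead; the ACL only limits who can read it.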

8.4 Backup procedures through the TNMS client


The Backup feature is also embedded in the TNMS client. It allows you to run a manual
backup of the TNMS database (TNMS data) and/or LDAP (TNMS users), or to schedule
a backup.
The Backup window (Figure 8) allows you to see information about the backup status,
and choose to run a manual backup or schedule a backup. This window is for
information purposes only.

Figure 8 Backup window

To run a manual backup of the TNMS database:


1 In the TNMS main window, click the Administration > System > Backup menu
item.
The Backup window opens.
2 Click the Manual button.
This opens the Manual Backup window.
3 Select the Path to save the backup file.

Note: About the upload folder:

• The backup path must already exist on the server side, otherwise the
task fails and you receive the following error message in a notification popup, in
the bottom right corner: Backup operation failed.
• TNMS server machine must have read and write permissions on the shared
folder, for everyone within the domain, so that no credentials are requested to
read it. However, for accesses from outside the domain, the credentials will still
be requested.
• If you use a remote drive, you have to specify the full network drive path, since
TNMS is not able to reach the mapped drive through the letter assigned by
Windows.
Example:
• Local drive - C:\<BackupFolder>
• Remote drive - \\<IP address>\<BackupFolder>

4 Select whether to export the TNMS Data, the TNMS Users, or both.
5 Click Start to run the backup.
The backup task starts.

Note: When there is a backup running through the command line, it is not possible to run a
manual backup through the TNMS Client. The opposite is also not possible.

To schedule a backup of the TNMS database:


1 In the TNMS main window, click the Administration > System > Backup... menu
item.
The Backup window opens.
2 Click the Schedule button.
This opens the Schedule Backup window.
3 Check the Activate checkbox.

4 Under Backup Options, select the Start date.

5 Under Recurrence pattern, select the recurrence of the scheduling.


Periodic: allows you to define the recurring time and the backup period in days and
hours. It also allows you to define the end date.
Weekly: allows you to define the recurring time and the week days.
Monthly: allows you to define the recurring time and the days of the month.
At least one of these fields needs to be selected.
6 Select the Path where to save the backup file.
TNMS server machine must have read and write permissions on the shared folder.
If you use a remote drive, you have to specify the full network drive path, since
TNMS is not able to reach the mapped drive through the letter assigned by Windows
only.
Example:
• Local drive - C:\backup
• Remote drive - \\<IP address>\backup
7 Click OK.
This schedules the backup.

Note: When a scheduled backup is run, both the TNMS database and LDAP are backed up.

8.5 Recovery & Restore procedures


This chapter describes how to recover/restore the previously backed up system data.
This application is run only through the command line.

8.5.1 Recovering the Oracle database

Note: A database recovery is not the same as a TNMS database restore and should only
be performed in case of Oracle database corruption. Recovering the Oracle
database will restore the TNMS database. However, recovering the TNMS database
alone will not restore the Oracle database.

The database recovery automatically stops and restarts the "TNMS Server" service.
To restore the Oracle database:
1. Open a command line window using the option "Run as Administrator".
2. Go to the B&R application folder (the default is
C:\Program Files (x86)\Coriant\TNMS\backuprestore).
3. Use either the non-interactive mode or the interactive console:
• Run backuprestore -R
or
backuprestore --recovery
• Run backuprestore.
Select option “3> Perform database recovery”.
An Oracle database recovery is made using the last consistent backup found in the Fast
Recovery Area of Oracle.

Note: After the Oracle database recovery, a TNMS database restore is not necessary since
the Oracle database backups also contain the TNMS specific data.

8.5.2 Restoring the TNMS database


During this procedure the "TNMS Server" service is automatically stopped and
restarted.
To restore the TNMS database:
1. Open a command line window using the option "Run as Administrator".
2. Go to the B&R application folder (the default is
C:\Program Files (x86)\Coriant\TNMS\backuprestore)
3. Restore the TNMS database using either the interactive mode console (go to step
4.) or the non-interactive mode (step 5.)
4. Either
restore the TNMS database using the interactive mode console:
4.1 Run backuprestore.
4.2 Select option “2> Perform restore”.
4.3 Provide the TNMS credentials upon request.
4.4 Select option “1> TNMS database” from the submenu (Figure 9).

Figure 9 Restore submenu


4.5 Enter the directory where to load the backup file
<name of the TNMS database>.DMP from and press Enter.
5. Or run
backuprestore -r -s -d <directory>
The "TNMS Server" service is automatically restarted when the restore procedure is
complete.

8.5.3 Restoring the LDAP (OpenDS)


To restore the LDAP:
1. Make sure the "OpenDS" service is running.
2. Open a command line window using the option "Run as Administrator".
3. Go to the B&R application folder (the default is
C:\Program Files (x86)\Coriant\TNMS\backuprestore)
4. Restore the LDAP database using either the interactive mode console (go to step
5.) or the non-interactive mode (step 6.)
5. Either
restore the LDAP database using the interactive mode console:
5.1 Run backuprestore.
5.2 Select option “2> Perform restore”.
5.3 Provide the TNMS credentials upon request.
5.4 Select option “2> LDAP database” from the submenu (Figure 10).

Figure 10 Restore submenu


5.5 Enter the directory where to load the backup file (userRoot.ldif) from and press
Enter.
6. Or run
backuprestore -r -l -d <directory>
Both the "TNMS Server" and the “OpenDS” services are automatically restarted after the
restore procedure is complete.

8.5.4 Restoring the TNMS database and the LDAP (OpenDS) simultaneously
To restore the TNMS database and the LDAP:
1. Make sure the "TNMS Server" service is running.
2. Open a command line window using the option "Run as Administrator".
3. Go to the B&R application folder (the default is
C:\Program Files (x86)\Coriant\TNMS\backuprestore)
4. Restore the TNMS and the LDAP databases using either the interactive mode
console (go to step 5.) or the non-interactive mode (step 6.)
5. Restore the TNMS and the LDAP databases using the interactive mode console:
5.1 Run backuprestore.
5.2 Select option “2> Perform restore”.
5.3 Provide the TNMS credentials upon request.
5.4 Select option “3> Both TNMS and LDAP databases” from the submenu (Figure
11).

Figure 11 Restore submenu


5.5 Enter the directory where to load the backup files
(<name of the TNMS database>.DMP and userRoot.ldif) from and press Enter.
6. Or run
backuprestore -r -a -d <directory>
The TNMS Server service will be stopped before the restore procedure and both the
TNMS Server and the OpenDS services will be restarted after the restore procedure.

9 Upgrade to TNMS 14.1 10


To transfer your data to TNMS 14.1 10 refer to the TNMS Upgrade Manual (Windows),
where you can find the full description of the upgrade procedure.

10 TNMS and TNMS Core working together


TNMS and TNMS Core can be used in the same environment, with a common set of
hardware resources.

10.1 Configuring common hardware


TNMS and TNMS Core can be used in the same environment while sharing a common
set of hardware resources. However, there are constraints on how to set up such an
environment:
• It is possible to install TNMS Client and TNMS Core Client / System Administration
either on the same machine or on separate machines. However, they must share a
machine if you want both client applications integrated with a GUI cut-through.
• It is possible to install TNMS Netserver and TNMS Core Netserver on the same
machine, but, if you use the UDP protocol to connect the DCN to any NE, you must
follow the procedure described under 10.1.1 Configuring a Common Netserver.
• It is possible to install TNMS Standby Server and TNMS Core Standby Server on the
same machine. In this scenario, you must follow the procedure described under
10.1.3 Configuring a Common standby server.
Below are examples of possible setups:
Example 1: Large system
The applications are mostly distributed on different machines.

Figure 12 Distributed TNMS applications (large system)

Example 2: Medium system


To reduce the number of machines in medium networks, components can run in parallel
on the same machine. The example in Figure 13 shows that the netservers run on the
same machines as the appropriate servers.

Figure 13 Distributed TNMS applications (medium system)

Example 3: Common Netserver


TNMS and TNMS Core share a common Netserver machine.

Figure 14 Common Netserver

Example 4: Common Standby server


TNMS and TNMS Core share a common Standby server machine.

Figure 15 Common Standby Server

10.1.1 Configuring a Common Netserver


A common Netserver is a machine where both the TNMS Core Netserver and the TNMS
Netserver are installed.
The hardware requirements for a Common Netserver are described in
Table 3 Hardware recommendations for installations of TNMS 14.1 10 on reused legacy
hardware.
There is no specific configuration in a common Netserver, except if you use the
UDP protocol to connect the DCN to a (supported) NE. In such hybrid scenarios a
special configuration of the Netserver machine is required in order to allow multiple
connections without traffic interference. You should also consider a specific configuration of
the DCN while using TNMS and TNMS Core clients. So, in this particular case, you must
perform configurations in:
• The operating system
• TNMS
• TNMS Core
You must complete all of the following three sets of instructions for the configuration to
be complete.

Warning: This configuration can be done any time after installation. However, the configuration
must be done prior to connecting TNMS Core and TNMS to the same network element via
UDP, otherwise you will get an inconsistent network state representation.

Warning: Using both UDP and TCP protocols to connect to the same NE is not allowed and will
result in an inconsistent network state representation.

To configure the operating system in the Netserver machine, proceed as follows:


1. Go to Start > Control Panel.
2. Select Network and Sharing Center.
3. Change Adapter Settings.
4. In Network Connection select the Use connection.
5. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
Make sure the IP is statically defined and not assigned by a DHCP server. Note down the
defined Primary IP, as it will be necessary at a later stage.
6. Choose the Advanced tab.
7. In the IP Setting tab, add the Secondary IP to be used in the common server.
Note down the Secondary IP address, as it will be necessary later on.
8. Restart the Netserver.

TNMS Core and TNMS must use different IPs to communicate with each NE via
UDP protocol. If you configure the Primary IP in TNMS you must configure the
Secondary IP in TNMS Core and vice versa. Those IPs are configured in the Bind IP Address
field.

In TNMS proceed as follows:


1. Go to the DCN Management window.
2. Create a new SNMP channel.
3. In the General tab:
3.1 If you want to use the Primary IP leave the Automatic IP Address checked. In
the field IP Address enter the Primary IP.
3.2 If you wish to use the Secondary IP:
• Uncheck the Automatic IP Address.
• In the field IP Address enter the Primary IP.
• In the field Bind IP Address enter the Secondary IP.
The connection to the NetServer is performed using the Primary IP and the
connection to the NEs will be established using the Secondary IP.

Warning: Remember you must use different IPs in TNMS and in TNMS Core. If you use the
Primary IP in TNMS you must use the Secondary IP in TNMS Core and vice versa.

4. Click OK and activate the channel.

In TNMS Core proceed as follows:

1. In System Administration go to DCN.


2. In DCN Connections add a Netserver.
3. Choose the Netserver you created and add a new SNMP channel.
4. In the Channel Properties tab, in UDP Connection Settings group:
4.1 If you want to use the Primary IP leave the Automatic IP Address checked. In
the field IP Address enter the Primary IP.
4.2 If you wish to use the Secondary IP:
• Uncheck the Automatic IP Address.
• In the field IP Address enter the Primary IP.
• In the field Bind IP Address enter the Secondary IP.
The connection to the NetServer is performed using the Primary IP and the
connection to the NEs will be established using the Secondary IP.

Warning: Remember you must use different IPs in TNMS and in TNMS Core. If you used the
Primary IP in TNMS you must use the Secondary IP in TNMS Core and vice versa.

5. Click OK and activate the channel.

10.1.2 Configuring a Common Client


A common Client is a machine where both the TNMS Core Client / System
Administration and the TNMS Client are installed.
The supported configurations for this scenario are all configurations of TNMS Core and
all the Legacy configurations of TNMS.
The hardware requirements for a Common Client are similar to those of a regular Client
(Table 3).

10.1.3 Configuring a Common standby server


The Common standby server allows you to have both TNMS and TNMS Core Standby
Servers running in the same machine.
In case of failure of one of the TNMS or TNMS Core active servers (connection loss due to
network failure or hardware failure of the server), it is possible to activate and use one
of the TNMS or TNMS Core standby servers until the problem is fixed.
No special installation procedures are necessary for the Common Standby servers. The
setup of this machine is done by installing first the TNMS Core, followed by TNMS
according to the corresponding Installation Manuals.
Later, a special configuration of the Netserver machine may be performed in order to
allow multiple connections. This configuration is similar to the Common Netserver.
For the standby server configuration procedures, refer to the TNMS Core Installation
manual (IMN) or the TNMS User Manual.

10.2 Importing data from TNMS Core


It is possible to import several types of data from TNMS Core. This feature can, for
example, speed up the setup of your TNMS. You can import DCN configurations,
physical trails, paths, subscribers and services involving hiT 7300 and FSP3000 R7
NEs.

You can also synchronize the DCN between TNMS Core and TNMS, in shared network
management scenarios. You can schedule a periodical import from TNMS Core that
updates the DCN configuration in TNMS, avoiding the repetition of manual changes.
Check TNMS User Manual for detailed instructions on how to configure and use the
import from TNMS Core feature.

10.3 Important note


When an NE is simultaneously managed by TNMS and TNMS Core, the configuration
of the respective properties in the DCN Management window must be the same.

11 TNMS uninstallation
Before uninstalling TNMS and in case you have a standby server assigned, you must
first unassign it by doing as follows in the active server:
1. Select Administration > System > Standby Server Configuration and fill in the
available fields. The address of the current standby server is filled in automatically.
2. Verify your input and click Unassign to start the procedure.
The progress and result can be followed in the configuration steps, along with the
elapsed time.
3. When the unassignment finishes, a notification pops up in the lower right corner with
the status of the operation, either success or error.
Alternatively, it is possible to check in System Event Log that the procedure has
ended successfully.
If any error occurs, the logs can be checked in
/tmp_home/[timestamp]/result.log.
In the standby server, perform the following steps:
1. Go to the installation folder and, in \bin\scripts, run as Administrator
standby-server.bat.
2. In the interactive menu select 3. Unconfigure StandBy.

To uninstall TNMS, do as follows:


1. Go to Start > Control Panel > Programs and Features.
2. In the list, opposite-click TNMS and select Uninstall.
3. Restart the machine once the uninstallation finishes.

Note: When the application is uninstalled, the users and groups are kept on the system and
they are not deleted.

12 Security hardening
This chapter describes the existing TNMS security hardenings.
Note that TNMS already applies security hardening during installation. This means that,
for example, security settings are defined so that no unnecessary permissions are
granted. The remaining items are, in a default installation, hardened to an acceptable
level. However it is possible to improve from that level as is described in the following
sections.

12.1 Physical and hardware hardening


Any effort in securing a system is useless if possible attackers can have physical access
to a TNMS machine. It is very easy to disable security mechanisms or compromise the
system if there is easy physical access to a machine. For these reasons the following
measures should be taken:
• The TNMS server machine should be located in a room where only the system
administrators have access.
• A physical access control should be put in place, including, for example, electronic
door locks.
• Any non-required I/O interfaces, such as USB interfaces or DVD drives, should be
removed or, at least, disabled.
• Any type of communication interfaces not required for the operation of TNMS should
be removed or, at least, disabled. This is especially important for wireless interfaces
such as Bluetooth or WLAN adapters.
• All hardware should be securely installed so that it cannot easily be moved.
• The facilities where the hardware is located should have sufficient heat dissipation
and, if needed, the server room should be air-conditioned.
• Additional security measures, such as video surveillance of server rooms, are recommended.
• The BIOS of the machines used for TNMS should be protected by password, to
prevent unauthorized modification of the machine's BIOS configuration.

12.2 Operating System hardening

12.2.1 Microsoft Windows security patches


Coriant recommends that you install the Microsoft Windows security patches listed in
the Customer Release Notes in all the machines running TNMS.

12.2.2 Disable and delete unnecessary accounts


Unnecessary accounts should not exist as the machine should be exclusively used by
TNMS server. Anyhow, it should be verified before TNMS is installed that no additional
unnecessary users exist.
TNMS only requires the existence of the following users:
• Administrator
• sshd
• SvcCOPSSH

All other users should be disabled. For example, during the Windows Server 2008 installation, the Administrator, Guest and Help Assistant accounts are created by default.
Both Guest and Help Assistant accounts should be disabled at all times.
To disable an account, do as follows:
1. Go to Start > All Programs > Administrative Tools > Server Manager > Configuration > Local Users and Groups > Users.
2. Right-click on the user name (for example Guest or Help Assistant) and select Properties.
3. Click on Disable Account.

12.2.3 Uninstall unnecessary applications and roles


TNMS only requires the following roles:
• Web Server (IIS)
• Security
• FTP Server (optional - only if legacy NEs, which only support FTP, are to be
managed by TNMS)
• Application development
• .NET Extensibility
All other roles should be uninstalled.
To uninstall an unnecessary role:
• Go to Start > All Programs > Administrative tools > Server manager > Roles
and click to remove roles.
To uninstall an unnecessary application:
• Go to Start > Control Panel > Programs and Features, select the application and
click to remove.

12.2.4 Configure Auditing


To automatically configure the audit policies, run the following command, located in the
TNMS software:
TNMS_Prerequisites\Audit Policies\AuditPolicies.bat

Tip: You can check the configured audit policies by running in the command line:
auditpol /get /category:*

12.2.5 Disable unnecessary shares


System and security administrators should disable all unnecessary shares, configure
the necessary ones and harden all NTFS and Share permissions.
To disable shares, do as follows:
1. Get a list of all the shares on the server by running the following command:
#> net share
2. Disable all shares that are not in use. See Table 9 Windows default shares for
guidance on which default shares you should disable.
• Via command line:
#> net share <sharename> /delete
• Via the graphical user interface:
1. Go to Start > Control panel > Administrative tools > Computer Management > System Tools > Shared Folders > Shares
2. Select the share and choose "Stop sharing".

| Share | Description | Recommended hardening measure |
|---|---|---|
| DriveLetter$ | - | Disable |
| ADMIN$ | Only needed in case of remote administration of the machine. Should not be disabled. | - |
| IPC$ | Needed by Windows and can/must thus not be disabled. | - |
| NETLOGON | Used by domain controller and should not be disabled. | - |
| SYSVOL | Used by domain controller and should not be disabled. | - |
| Print$ | Only needed in case of remote administration of printers. | Disable manually, if exists. |
| FAX$ | Only needed in case of remote administration of fax clients. | Disable manually, if exists. |

Table 9 Windows default shares
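
The following script applies Table 9 to the shares that actually exist on a server. It is an added example, not part of the Coriant manual; the function names are hypothetical, and it assumes Windows PowerShell 2.0 or later with WMI available, run as Administrator.

```powershell
# Added example: classify existing shares against Table 9 (Windows default shares).
# Function names are hypothetical; nothing here is shipped with TNMS.

function Get-ShareRecommendation {
    param([Parameter(Mandatory = $true)][string]$Name)

    # Table 9: DriveLetter$ shares (C$, D$, ...) are to be disabled.
    if ($Name -match '^[A-Za-z]\$$') { return 'Disable' }

    # switch compares strings case-insensitively by default.
    switch ($Name) {
        'ADMIN$'   { return 'Keep (remote administration of the machine)' }
        'IPC$'     { return 'Keep (needed by Windows)' }
        'NETLOGON' { return 'Keep (used by domain controller)' }
        'SYSVOL'   { return 'Keep (used by domain controller)' }
        'Print$'   { return 'Disable manually' }
        'FAX$'     { return 'Disable manually' }
    }

    # Not a default share: section 12.2.5 says to disable it unless it is in use.
    return 'Review: not in Table 9, disable if not in use'
}

function Get-ShareAudit {
    # Win32_Share lists every share, including the hidden administrative ones.
    Get-WmiObject -Class Win32_Share | ForEach-Object {
        New-Object PSObject -Property @{
            Name           = $_.Name
            Path           = $_.Path
            Recommendation = (Get-ShareRecommendation -Name $_.Name)
        }
    } | Select-Object Name, Path, Recommendation
}

function Remove-FlaggedShare {
    # Without -Apply only the "net share ... /delete" commands are listed.
    param([switch]$Apply)

    Get-ShareAudit | Where-Object { $_.Recommendation -like 'Disable*' } | ForEach-Object {
        if ($Apply) { & net.exe share $_.Name /delete }
        else        { "net share $($_.Name) /delete" }
    }
}

# Administrative shares such as C$ are recreated by Windows when the Server
# service restarts, so run the audit again after every reboot.
Get-ShareAudit | Format-Table -AutoSize
```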

12.2.6 Disable Remote Registry


The Remote Registry service allows registry access to authenticated remote users.
Even though this service is blocked by the firewall and ACLs, if you have no reason to
allow remote registry access, Remote Registry should be disabled.
To disable the remote registry:
1. Go to Start > All Programs > Accessories > Run, enter regedit and press
Enter.
2. Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\
3. Select winreg and right-click and select Permissions.
4. Select the appropriate users/groups and appropriate permissions.
5. Click OK and close the window.

12.2.7 Windows Error Reporting


Windows Error Reporting (WER) is a set of Windows technologies that capture software
crash data and support end-user reporting of crash information. WER should be
enabled.

In Windows 7 the Windows Error Reporting is enabled by default. However, in Windows Server 2008 you should enable WER.
To enable WER:
1. Go to Start > All Programs > Administrative tools > Server Manager and expand
Resources and Support.
2. Click on Configure Windows Error Reporting.
3. On the Windows Error Reporting Configuration dialog box, select one of the following options:
• Yes, automatically send detailed reports - personal data may be sent to Microsoft.
• Yes, automatically send summary reports - only non-personal data is sent to Microsoft.
4. Click OK.

12.2.8 Additional Software


The TNMS server machine should be dedicated to run the TNMS Server only. No additional
software should be installed beyond the TNMS application and its prerequisites
listed below:
• Acrobat Reader
• CopSSH
• ICW Base
• ICW COPSSHCP
• ICW OpenSSHServer
• J2SE Runtime Environment
• Java (TM)
• Microsoft Visual C++ Redistributable (several packages)
• OSI Stack
• TNMS
• Virus Scanner (for example, TrendMicro OfficeScan Client)

12.2.9 Digitally signed communications (Local Security Policy)


It is possible to digitally sign all Microsoft network server communications. By default this
security feature is not switched on. To enable this feature, do as follows:
1. Go to Start > Control Panel > Administrative Tools and double-click Local
Security Policy.
2. Click to expand Local Policies and select Security Options.
3. From the list, right-click Microsoft network server: Digitally sign communications (always) and select Properties.
4. Select Enable and click OK to apply the changes.
5. Repeat step 3. and step 4. for the policy Microsoft network server: Digitally sign
communications (if client agrees).

12.2.10 Minimize system services


TNMS enables all services it requires for its proper operation. So, any active default
service should be disabled. If required, the Remote Access can be kept open for remote
configuration of the system, such as in case of a headless server (see 12.2.11 Remote
Access/Remote Desktop).
The following services must be disabled as they are not needed by TNMS. Some of
them must be considered inherently insecure:

Note: FTP shall only be explicitly enabled when legacy NEs are used that only support FTP
and not SFTP/SCP or FTPS.

• ActiveX Installer (AxInstSV)
• Application Layer Gateway
• Application Management
• ASP.NET State
• Bitlocker Drive Encryption Service
• Block Level Backup Engine Service
• DHCP Server/Client
• Bluetooth
• Bluetooth Support Service
• BranchCache
• Certificate Propagation
• Credential Manager
• Disk Defragmenter
• Distributed Link Tracking Client
• Encrypting File System
• Enterprise Connect WebDAV
• Fax
• Function Discovery Provider Host
• Function Discovery Resource Publication
• Health Key and Certificate Management
• HomeGroup Listener
• HomeGroup Provider
• IKE and AuthIP IPSec Keying Modules
• Any type of wireless LAN adapters
• Any type of bluetooth adapter
• Interactive Services Detection
• Internet Connection Sharing
• KtmRm for Distributed Transaction Coordinator
• Link-Layer Topology Discovery Manager
• Microsoft Office Diagnostics
• Microsoft FTP Service (*)
• Microsoft Software Shadow Copy Provider
• Net.Msmq Listener Adapter
• Net.Pipe Listener Adapter
• Net.TCP Listener Adapter
• Network Location awareness
• Office Source Engine
• Parental Controls
• Peer Name Resolution Protocol
• Peer Networking Grouping/Identity Manager
• Performance Counter DLL Host / Logs / Alerts
• Problem Report and Solution Support
• Program compatibility Assistant
• Remote Access (**)
• Remote Desktop (**)
• Routing and Remote Access
• Secondary Logon
• Secure Socket Tunneling Protocol Service
• Smart card
• SNMP Trap
• Software Protection
• SPP Notification Service
• SSDP Discovery
• Storage Service
• Tablet PC Input Service
• Telephony
• Thread Ordering Server
• TPM Base Services
• UPnP Device Host
• Virtual Disk
• Volume Shadow Copy
• WebClient
• Windows Backup
• Windows Biometric Service
• Windows CardSpace
• Windows Connect Now - Config Registrar
• Windows Media Player Network Sharing Service
• Windows Remote Management (**)
• Windows Search
• WinHTTP Web Proxy Auto-Discovery Service
• Wired AutoConfig
• WLAN AutoConfig
• WWAN AutoConfig

* FTP is only needed if TNMS manages legacy NEs, which support FTP but do not
support any secure protocol.
** Disable only if no remote server administration shall be permitted
Windows services can be disabled via Start > Administrative Tools > Services.
If a service is changed to "disabled" via context menu it is no longer running and will no
longer be automatically started during OS startup.
TNMS Server uses the following services:

• Application Host Helper Service


• Certificate Propagation
• COM+ Event System
• COM+ System Application
• Cryptographic Services
• DCOM Server Process Launcher
• Desktop Window Manager Session Manager
• Diagnostic Policy Service
• Distributed Transaction Coordinator
• DNS Client
• IIS Admin Service
• IP Helper
• IPsec Policy Agent
• Microsoft FTP Service
• Net.Pipe Listener Adapter
• Net.Tcp Listener Adapter
• Net.Tcp Port Sharing Service
• Netlogon
• Network Connections
• Network List Service
• Network Location Awareness
• Network Store Interface Service
• Optional: Virus Scanner - e.g. OfficeScan NT RealTime Scan
• OpenDS
• Openssh SSHD
• OracleOraDb11g_home1TNSListener
• OracleServiceTNMS
• Plug and Play
• Portable Device Enumerator Service
• Power
• Print Spooler
• RCTSrv
• Remote Desktop Configuration*
• Remote Desktop Services*
• Remote Desktop Services UserMode Port Redirector*
• Remote Procedure Call (RPC)
• RPC Endpoint Mapper
• Security Accounts Manager
• Server
• Shell Hardware Detection
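
The two service lists of this section can be checked against a running server with the script below. It is an added example, not part of the Coriant manual: the function names are hypothetical, the service names are copied from the lists above with the footnote markers and the two hardware adapter entries left out, and it assumes Windows PowerShell 2.0 or later.

```powershell
# Added example: audit the "must be disabled" list of section 12.2.10 and flag
# names that the same section also lists as used by TNMS Server.
$MustDisable = @'
ActiveX Installer (AxInstSV); Application Layer Gateway; Application Management; ASP.NET State
Bitlocker Drive Encryption Service; Block Level Backup Engine Service; DHCP Server/Client; Bluetooth
Bluetooth Support Service; BranchCache; Certificate Propagation; Credential Manager; Disk Defragmenter
Distributed Link Tracking Client; Encrypting File System; Enterprise Connect WebDAV; Fax
Function Discovery Provider Host; Function Discovery Resource Publication
Health Key and Certificate Management; HomeGroup Listener; HomeGroup Provider
IKE and AuthIP IPSec Keying Modules; Interactive Services Detection; Internet Connection Sharing
KtmRm for Distributed Transaction Coordinator; Link-Layer Topology Discovery Manager
Microsoft Office Diagnostics; Microsoft FTP Service; Microsoft Software Shadow Copy Provider
Net.Msmq Listener Adapter; Net.Pipe Listener Adapter; Net.TCP Listener Adapter
Network Location awareness; Office Source Engine; Parental Controls; Peer Name Resolution Protocol
Peer Networking Grouping/Identity Manager; Performance Counter DLL Host / Logs / Alerts
Problem Report and Solution Support; Program compatibility Assistant; Remote Access; Remote Desktop
Routing and Remote Access; Secondary Logon; Secure Socket Tunneling Protocol Service; Smart card
SNMP Trap; Software Protection; SPP Notification Service; SSDP Discovery; Storage Service
Tablet PC Input Service; Telephony; Thread Ordering Server; TPM Base Services; UPnP Device Host
Virtual Disk; Volume Shadow Copy; WebClient; Windows Backup; Windows Biometric Service
Windows CardSpace; Windows Connect Now - Config Registrar; Windows Media Player Network Sharing Service
Windows Remote Management; Windows Search; WinHTTP Web Proxy Auto-Discovery Service
Wired AutoConfig; WLAN AutoConfig; WWAN AutoConfig
'@

$UsedByTnms = @'
Application Host Helper Service; Certificate Propagation; COM+ Event System; COM+ System Application
Cryptographic Services; DCOM Server Process Launcher; Desktop Window Manager Session Manager
Diagnostic Policy Service; Distributed Transaction Coordinator; DNS Client; IIS Admin Service
IP Helper; IPsec Policy Agent; Microsoft FTP Service; Net.Pipe Listener Adapter
Net.Tcp Listener Adapter; Net.Tcp Port Sharing Service; Netlogon; Network Connections
Network List Service; Network Location Awareness; Network Store Interface Service; OpenDS
Openssh SSHD; OracleOraDb11g_home1TNSListener; OracleServiceTNMS; Plug and Play
Portable Device Enumerator Service; Power; Print Spooler; RCTSrv; Remote Desktop Configuration
Remote Desktop Services; Remote Desktop Services UserMode Port Redirector
Remote Procedure Call (RPC); RPC Endpoint Mapper; Security Accounts Manager; Server
Shell Hardware Detection
'@

function ConvertTo-NameList {
    param([string]$Text)
    $Text -split '[;\r\n]+' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
}

function Get-ServiceHardeningReport {
    param([string[]]$Disable, [string[]]$Keep)

    $installed = @(Get-WmiObject -Class Win32_Service)
    foreach ($name in $Disable) {
        # -eq and -contains are case-insensitive, so "Net.TCP" matches "Net.Tcp".
        $svc = @($installed | Where-Object { $_.DisplayName -eq $name })
        if ($Keep -contains $name) {
            $finding = 'Conflict: also listed as used by TNMS Server, do not disable blindly'
        } elseif ($svc.Count -eq 0) {
            $finding = 'No installed service has this display name'
        } elseif ($svc[0].StartMode -eq 'Disabled') {
            $finding = 'OK: disabled'
        } else {
            $finding = "Review: start mode $($svc[0].StartMode), state $($svc[0].State)"
        }
        New-Object PSObject -Property @{ Service = $name; Finding = $finding } |
            Select-Object Service, Finding
    }
}

Get-ServiceHardeningReport -Disable (ConvertTo-NameList $MustDisable) `
                           -Keep (ConvertTo-NameList $UsedByTnms) |
    Where-Object { $_.Finding -ne 'OK: disabled' } | Format-Table -AutoSize -Wrap
```

Five names appear in both lists on this page (Certificate Propagation, Microsoft FTP Service, Net.Pipe Listener Adapter, Net.Tcp Listener Adapter, Network Location Awareness); the report marks them as conflicts instead of treating them as services to disable.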

12.2.11 Remote Access/Remote Desktop


TNMS does not rely on the remote access/remote desktop feature provided by the
Windows operating system. However, it is possible to remotely administer TNMS
machines. It is therefore recommended that you configure the Network Level Authentication
for the allowed connections as described below.

To configure the Network Level Authentication for a connection:


1. On the Remote Desktop Session Host server, go to Start > Administrative Tools
> Remote Desktop Services > Remote Desktop Session Host Configuration.
2. Under Connections, right-click the name of the connection and then click Properties.
3. On the General tab, select Allow connections only from computers running
Remote Desktop with Network Level Authentication.

Note: If the Allow connections only from computers running Remote Desktop with
Network Level Authentication check box is selected and not enabled, the Require
user authentication for remote connections by using Network Level Authentication
Group Policy setting has been enabled and applied to the Remote Desktop
Session Host server.

4. Click OK.

12.2.12 Reduce passive FTP port range


By default FTP uses any port of the dynamic port range 49152-65535, which is quite
wide. To limit this range do as follows:

Notice: The range should contain 50 or more ports.

1. Go to the IIS 7 Manager. In the Connections pane, click the server-level node in
the tree.
2. Double-click the FTP Firewall Support icon in the list of features.
3. Enter a range of values for the Data Channel Port Range.
4. Click Apply in the Actions pane to save your settings.

12.3 Networking and firewall configuration


You should configure the network in a way that makes the TNMS machines only accessible
from machines with which TNMS needs to communicate. This can be done by
network segmentation and by firewall deployment. The hardening description below is
general, as the measures highly depend on the network infrastructure and topology.
You should consider disabling any default gateways and using static routes between the
TNMS machines and other machines with which TNMS needs to communicate. Access
to the general internet should also be disabled.
It is recommended that you install a network firewall. However, you can also use local
firewalls, such as Windows Firewall (see 12.3.2 How to configure the Windows firewall).

Notice: Coriant does not recommend the deployment of a firewall between the NetServer and
the NE network. This scenario is not tested and therefore is not officially supported. In
case the customer needs to deploy one due to topology/security reasons, the ports listed
for NetServer <> NE communication in this manual can be used as a starting point to
configure the firewall for the Coriant hiT7300 and hiT7100 NEs. Other supported NEs
may need different/additional ports/protocols. Please refer to the specific NE's manual
to gather the required information to configure your firewall.

12.3.1 List of ports to open in the firewall


Below is the list of ports to be open in the firewall, as well as their description.

Note: Coriant does not recommend the use of a proxy to access the Citrix Server through the
web interface, but if you decide to use one you must open a port in the firewall for the
proxy.

| Source | Destination | Destination port | Protocol | Application | Encrypted | Description | Optional / Mandatory |
|---|---|---|---|---|---|---|---|
| Firewall between a Planning Tool (PT) and TNMS Server | | | | | | | |
| PT | TNMS Server | 8093 | TCP | MTOSI / JMS | Yes (TLS) | TMF-854 interface between TNMS and PT. Used in the IOC deployment. | Optional. Only for IOC. |
| TNMS Server | PT | 4189 | TCP | PCEP | Yes (TLS) | PCEP interfaces used by TNMS to request routes from PT. Used in IOC deployment. | Optional. Only for IOC. |
| Firewall between an NBI and TNMS Server | | | | | | | |
| CORBA Northbound Interface | TNMS Server | 17289 (Default) (CORBA NS); 3528 (CORBA IIOP) | TCP | MTMN CORBA | No | TMF-814 interface for integration into umbrella NMS. | Optional. Only if CORBA NBI is used. |
| TNMS Server | CORBA Northbound Interface | configurable | TCP | CORBA | | External CORBA Naming Service. | |
| | | configurable | TCP | CORBA | | External CORBA Notification Service. | |
| Firewall between a remote Administrator machine and TNMS Server or TNMS NetServer (northbound) machines | | | | | | | |
| TNMS remote Administrator machine | TNMS Server machine / TNMS NetServer (northbound) machine | 3389 | TCP | RDP (Windows Remote Access) | Yes (if TNMS security hardening is followed) | Windows Remote Desktop for remote administration. | Optional. Only required if TNMS machines need to be administered remotely. |
| Firewall between CITRIX Client and CITRIX Server. Citrix server and client are only deployed if a central user interfaces' server is used (for example a central Windows server for TNMS clients). If not used, packets arriving at those ports can be rejected or dropped. | | | | | | | |
| TNMS user workstation (CITRIX client) | TNMS Client (CITRIX server) | 1494 | TCP | ICA | No | For Citrix. | Optional. Only required when Citrix is used. |
| | | 2598 | TCP | ICA | Yes | For Citrix SecureICA. | |
| | | 80 | TCP | http | No | Only if you use the Citrix web client. If you have a Citrix client installed locally you do not need to open these ports. | |
| | | 443 | TCP | https | Yes | | |
| Firewall between TNMS clients and TNMS Server | | | | | | | |
| TNMS Client | TNMS Server | 1098 | TCP | RMI | Yes (TLS) | Naming service port for RMI requests from client proxies | Mandatory |
| | | 1100 | TCP | JBoss NS | | JBoss Naming Service | |
| | | 3873 | TCP | EJB3 | | EJB3 Remoting Connector | |
| | | 4444 | TCP | RMI | | Port for the RMI/JRMP invoker | |
| | | 4445 | TCP | RMI | | Port for the Pooled invoker | |
| | | 5445 | TCP | RMI | | RMI (JMX HornetQ) | |
| | | 8080 | TCP | WEBDAV | | WEBDAV service | |
| | | 8083 | TCP | RMI | | RMI Web Service - Port for dynamic class and resource loading | |
| | | 8093 | TCP | JMS | | JMS Service | |
| Firewall between TNMS clients and TNMS Netserver(s) | | | | | | | |
| Embedded EM | Netserver | 22 | | | | TNMS client can open the craft terminal as it is embedded in the TNMS client. To be able to communicate with the central SFTP server running on the TNMS Netserver machine, a tunnel is created. | Optional. Only used for NEs that use SFTP, for example: hiT 7300 and hiT 7100. |
| Firewall between TNMS Server and TNMS Netserver | | | | | | | |
| TNMS Server | TNMS NetServer (northbound) | 22 | TCP | SSH/SCP | No (local only) | Secure Copy (secure copy over ssh) | Optional. Only if TNMS manages hiT 7100 or hiT 7300 NEs. |
| | | 1198 | TCP | RMI | | Naming service port for RMI requests from client proxies | |
| | | 1199 | TCP | JBossNS | | JBoss Naming Service | |
| | | 3973 | TCP | EJB3Conn | | JBoss default EJB3connector | |
| | | 4445 | TCP | RMI | | Port for the Pooled invoker | |
| | | 8083 | TCP | RMI | | RMI Web Service - Port for dynamic class and resource loading | |
| | | 8093 | TCP | RMI | | RMI | |
| | | 19980 | TCP | CORBA | | CORBAOMNIORB listening port | |
| TNMS Server | TNMS NetServer (northbound) | 22 | TCP | SFTP | No (local only) | Secure FTP | Optional. Only if TNMS manages Juniper MX / PTX NEs. |
| | | 1298 | TCP | RMI | | Naming service port for RMI requests from client proxies | |
| | | 1299 | TCP | JBossNS | | JBoss Naming Service | |
| | | 4073 | TCP | EJB3Conn | | JBoss default EJB3connector | |
| | | 8083 | TCP | RMI | | RMI Web Service - Port for dynamic class and resource loading | |
| | | 8093 | TCP | RMI | | RMI | |
| TNMS Server | TNMS NetServer (northbound) | 21 | TCP | FTP | No (local only) | File Transfer Protocol | Optional. Only if TNMS manages hiT70xx, ADVA or hiT7500 NEs. |
| | | 49152 - 65535 | TCP | FTP | | File Transfer Protocol. Limit the dynamic range used by the FTP server: 1. Go to IIS connection manager > Connections Column (Server) > FTP Firewall Support > Set Data Channel Port Range and insert desired range. 2. Restart IIS. 3. Insert the same range in the firewall. | |
| TNMS Netserver (northbound) | TNMS Server | 1098 | TCP | RMI | No (local only) | Naming service port for RMI requests from client proxies | Mandatory |
| | | 1100 | TCP | JBoss | | JBoss Naming Service | |
| | | 3528 | TCP | CORBA / IIOP | | CORBA Object Adapter (used by TNMS NBI/SBI) | |
| | | 4444 | TCP | RMI | | Port for the RMI/JRMP invoker | |
| | | 8083 | TCP | RMI | | RMI Web Service - Port for dynamic class and resource loading | |
| | | 8093 | TCP | JMS | | JMS Service | |
| Firewall between TNMS active server and TNMS standby server | | | | | | | |
| TNMS active server | TNMS standby server | 1521 | TCP | Oracle | No | Oracle database stream replication | Optional. Only required if TNMS standby server is used. |
| TNMS standby server | TNMS active server | 1521 | TCP | Oracle | No | Oracle database replication | Optional. Only if there is a standby TNMS Server installed. |
| Firewall between TNMS Server and Customer Network | | | | | | | |
| TNMS Server | DNS server | 53 | TCP | DNS | No | DNS | Optional. Only if a DNS service is used. |
| | NTP server | 123 | TCP / UDP | NTP | No | NTP. Use TCP or UDP depending on the configuration of the NTP server. | Mandatory |
| TNMS Server | Server where TNMS logs are transferred to | 21 | TCP | FTP | No | External server to store logs | Optional. Only needed if logs are to be transferred to an external log file server. |
| | | 22 | TCP | SFTP | Yes | | |
| | Domain controller | 88 | UDP | Kerberos | No | Communication with domain controller for single sign on (SSO). | Optional. Only required if SSO is used. |
| | | 135 | TCP / UDP | DCE / RPC | | | |
| | | 389 | TCP / UDP | LDAP | | | |
| | | 445 | TCP / UDP | AD / SMB | | | |
| | | 464 | TCP / UDP | Kerberos | | | |
| Traffic between TNMS and NE Network (firewall not recommended). Example for hiT7300 / hiT7100 | | | | | | | |
| TNMS Netserver (southbound) | NE/GNE management interface | 10000 - 13999 | TCP | SNMPv3 over TCP (RFC3420) | Yes (SNMPv3) | SNMP multiplexing ports (NAPT) for embedded CT; target NE managers | Mandatory |
| | | 161 | TCP | SNMP | | | |
| NE/GNE management interface | TNMS Netserver (southbound) | 22 | TCP | SSH / SCP | Yes | Secure Copy (secure copy over SSH) | Mandatory |
| NE/GNE management interface | TNMS Client (LCT) | 990-993 | TCP | FTPS | Yes (SSL) | FTP over SSL. For LCT communication. Note: The number of ports within this range that are in use at a given time is the same as LCTs communicating with the NE up until a maximum of 4 ports. Additional ports may be opened if more simultaneous LCTs are required. | Optional. For hiT 7300 / hiT 7100 if required for FTPS file operations between LCT and NE, and not recommended. To avoid direct connectivity you should configure the TNMS SFTP settings for tunneling communications between LCT and NEs. |
| | | 49152 - 65535 | TCP | FTPS | Yes (SSL) | FTP over SSL. For LCT communication. | |
| Traffic between TNMS and NE Network (firewall not recommended). Example for Juniper NEs | | | | | | | |
| TNMS Netserver (southbound) | NE/GNE management interface | 22 | TCP | NetConf | Yes (SSH) | NETCONF management interface for Juniper. | Optional (only if there are Juniper NEs in your network) |
| NE/GNE management interface | TNMS Netserver (southbound) | 32666 | UDP | SNMPv3 | Yes (SNMPv3) | Trap notifications from Juniper | Optional (only if there are Juniper NEs in your network) |
| Traffic between TNMS and NE Network (firewall not recommended). Example for hiT 7020, 7025, 7030, 7035, 7060, 7060HC, 7065, 7080 NEs | | | | | | | |
| NE/GNE management interface | TNMS Netserver (southbound) | 8002 | TCP | SNMPv3 | Yes (SNMPv3) | Traphandler | Optional (only if there are any of these NEs in your network) |

Table 10 Firewall rules


12.3.2 How to configure the Windows firewall


To configure the Windows 7 / Windows Server 2008 firewall proceed as follows:
1. Go to Start > Control Panel > Windows Firewall.
2. Click on Advanced settings.
3. In the left pane click on Inbound Rules or Outbound Rules, depending on the
direction of the connection you are configuring.
4. In the right pane, click on New Rule to open a port for the traffic of a service.
The New In/Outbound Rule Wizard starts.
5. In the Rule Type step select port.
Click Next.
6. In the Protocols and Ports step:
• select TCP.
• select Specific local ports and enter the port number to which the rule applies
(see Table 10).
Click Next.
7. In the Action step check Allow the connection.
Click Next.
8. In the Profile step check Domain (uncheck all others).
Click Next.
9. In the Name step type a name for the rule.
Click Finish to create the rule and close the wizard.
10. Repeat the procedure for each of the remaining ports.
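
The wizard steps above can also be scripted with netsh. The script below is an added example, not part of the Coriant manual: it covers only the TNMS Client to TNMS Server ports of Table 10, the function and rule names are hypothetical, and the optional remoteip restriction is an addition in the spirit of section 12.3. It assumes an elevated Windows PowerShell 2.0 or later session on the TNMS Server.

```powershell
# Added example: scripted form of the New Inbound Rule wizard steps in 12.3.2
# for the TNMS Client -> TNMS Server rows of Table 10 (all TCP).
$TnmsClientToServerPorts = @(
    @{ Port = 1098; App = 'RMI-Naming' },
    @{ Port = 1100; App = 'JBossNS' },
    @{ Port = 3873; App = 'EJB3' },
    @{ Port = 4444; App = 'RMI-JRMP' },
    @{ Port = 4445; App = 'RMI-Pooled' },
    @{ Port = 5445; App = 'RMI-HornetQ' },
    @{ Port = 8080; App = 'WEBDAV' },
    @{ Port = 8083; App = 'RMI-Web' },
    @{ Port = 8093; App = 'JMS' }
)

function Get-TnmsFirewallRule {
    param(
        [hashtable[]]$Rows = $TnmsClientToServerPorts,
        [string]$RemoteIp   # optional: client address, range or subnet allowed to connect
    )
    foreach ($row in $Rows) {
        # Rule names contain no spaces, so no extra quoting is needed for netsh.
        $name = 'TNMS-Client-{0}-{1}' -f $row.Port, $row.App
        $netshArgs = @('advfirewall', 'firewall', 'add', 'rule', "name=$name",
                       'dir=in', 'action=allow', 'protocol=TCP',
                       "localport=$($row.Port)", 'profile=domain')   # steps 5 to 9
        if ($RemoteIp) { $netshArgs += "remoteip=$RemoteIp" }
        New-Object PSObject -Property @{ Name = $name; Arguments = $netshArgs }
    }
}

function Add-TnmsFirewallRule {
    # Without -Apply the netsh commands are only printed for review.
    param([string]$RemoteIp, [switch]$Apply)

    foreach ($rule in (Get-TnmsFirewallRule -RemoteIp $RemoteIp)) {
        if (-not $Apply) {
            'netsh ' + ($rule.Arguments -join ' ')
            continue
        }
        # "show rule" exits with a non-zero code when no rule of that name exists.
        & netsh.exe advfirewall firewall show rule "name=$($rule.Name)" | Out-Null
        if ($LASTEXITCODE -eq 0) {
            Write-Warning "$($rule.Name) already exists, skipped"
            continue
        }
        & netsh.exe $rule.Arguments
        if ($LASTEXITCODE -ne 0) { Write-Warning "netsh failed for $($rule.Name)" }
    }
}

# Dry run: list the commands that would be executed.
Add-TnmsFirewallRule
```

Review the printed commands first, then run `Add-TnmsFirewallRule -Apply`, optionally with `-RemoteIp` set to the client subnet.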

12.4 OEM Hardening


In this section you can find instructions on how OEM and 3rd party software that works
with TNMS can be hardened to decrease the attack surface for attacks against TNMS.

12.4.1 JBoss
JMX should be disabled.
To disable the JMX console remove the folder:
…\TNMS\jboss\server\bicnet\deploy\jmx-console.war

12.4.2 CopSSH (SFTP)


You should limit user access to the CopSSH home folder. To do so you must manually configure
the NTFS file system properties as described below:
1. Create a local group by running the following command in the command line:
#> net localgroup CopsshUsers /ADD
2. Deny access to this group for each available local drive, by running:
#> cacls <drive letter>:\ /c /e /t /d CopsshUsers
3. Open access to the home directory, by running:
#> cacls copssh-inst-<path>\home /c /e /t /r CopsshUsers
4. Add the Copssh user to the user group above and make sure that the user is not
member of any other groups. Run
#> net localgroup CopsshUsers <user> /add

5. Go to the CopSSH control panel and activate user for 'Linux shell and Sftp' or 'Sftp
only'.
Shell access will not work due to limitations on system directories.
6. Repeat steps 4. and 5. for each user.

12.4.3 Oracle

| File name | Location | Explanation/Goal | Hardening |
|---|---|---|---|
| config.dat | <USER_INSTALL_DIR>\jboss\server\bicnet\conf | Binary file which allows to connect USM to LDAP server. | Restrict the file permissions according to 12.6.1. |
| db-ds.xml | <USER_INSTALL_DIR>\jboss\server\bicnet\deploy | Text file which connects JBoss components to database. Identified in the file by: username/password. | Restrict the file permissions according to 12.6.1. |

Table 11 Database-related configurations and security hardenings.

12.4.4 Internet Explorer


Internet Explorer should not be used for browsing the public internet, as this increases
the risk of the system being compromised. You should disable access to the public internet.

12.5 TNMS Maintenance Packages and Workaround Updates


Coriant recommends that you install, when available, the TNMS Maintenance Packages
and Workaround Updates, since they may contain relevant security improvements.

12.6 User Management

| Components | Username/Password | Location | Explanation/Goal | Hardening |
|---|---|---|---|---|
| TNMS Server (JMX Console) | User: admin. The password is automatically generated and there is no need to change it. | <Product Install Dir>/jboss/server/bicnet/conf/props/jmx-console-users.properties | Access management console with Administrator role for JBoss instance. Only required for JBoss administration / configuration. | N/A: the password is automatically generated. |
| Generic Mediator (JMX Console) | User: admin. The password is automatically generated and there is no need to change it. | <Product Install Dir>/jboss/server/gm/conf/props/jmx-console-users.properties | Access management console with Administrator role for JBoss instance. Only required for JBoss administration / configuration. | N/A: the password is automatically generated. |
| Multi Vendor Mediator (JMX Console) | User: admin. The password is automatically generated and there is no need to change it. | <Product Install Dir>/jboss/server/mvm/conf/props/jmx-console-users.properties | Access management console with Administrator role for JBoss instance. Only required for JBoss administration / configuration. | N/A: the password is automatically generated. |
| Generic Mediator | User: RemoteLoginFunction. Password: <no password> | Hardcoded. Authentication from TNMS (GM) to the NE is possible when checking the option in NE Properties window: "Use RADIUS server for authentication". Then the option "Use TNMS username for LCT login (Radius required at NE)" in GCT User tab is checked automatically. | The Generic Mediator uses the following user only in the first message of the authentication process between the Generic Mediator and the RADIUS server. | N/A because this user is only needed to fulfill RADIUS protocol requirements. This user cannot be used for login purposes. |
| LCT | User: <Username_RU> (concatenation of the username from tab SNMP Settings in NE Properties window and the string "_RU"). Password: <Password from tab SNMP Settings in NE Properties window> | Hardcoded. Authentication sent from GM to EM/NE to open LCT window is possible when the option "Use TNMS username for LCT login (Radius required at NE)" in GCT User tab is checked. | The EM/NE uses this authentication to allow the opening of the LCT window corresponding to that NE. | N/A because it is not possible to change this password (solution underway). |
| Connection Manager, BCB Mediator | User: jleal. Password (hardcoded): jleal | Hardcoded in those components so that their authentication match each one with the other. | Security context for communication from server to netserver components. | N/A because it is not possible to change this password (solution underway). |
| Multiple NE functions | User: tomcat. Password: tomcat | <data path>\TNMS\nedata\webdav\webdav.war\WEB-INF\classes\users.properties | Security context for communication from client to server components. | Restrict the file permissions according to 12.6.1. |
| User and Security Management | User: Administrator. Password (default): e2e!Net4u# | C:\Program Files (x86)\OpenDS\install\cf-usm-install-data_opends.ldif | Password for user Administrator has to be changed at first login. | N/A because the user has to be changed at the first login. |
| User and Security Management | User: ptc. Password (hardcoded): e2e!Net4u# | C:\Program Files (x86)\OpenDS\install\cf-usm-install-data_opends.ldif | ptc user is an internal account. | Remove file after installing and/or protect the installation directory against unauthorized users. |

Table 12 Default TNMS user accounts and security hardenings.

12.6.1 Restricting the specified files’ permissions


To restrict the specified files’ permissions:
1. Navigate to the file using Windows Explorer.
2. Opposite-click the file and select Properties.
3. In the Security tab click on Advanced.
4. In the Advanced Security Settings window, Permissions tab, click on Change
Permissions.
5. Select all users except SYSTEM and the Administrators group and click on
Remove.
Only the user SYSTEM and the Administrators group should remain, both with full access.
6. Click OK to accept the changes and close the window.
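
The same restriction can be applied and verified from a script. The code below is an added example, not part of the Coriant manual: the function names and the two directory parameters are hypothetical and stand for the <USER_INSTALL_DIR> and <data path> placeholders used in Table 11 and Table 12. It assumes an elevated Windows PowerShell 2.0 or later session.

```powershell
# Added example: leave only SYSTEM and the Administrators group on a file's ACL,
# both with full control, as described in section 12.6.1.
# Well-known SIDs are used so the script does not depend on the OS language.
$SystemSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')
$AdminsSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')

function Set-AdminOnlyAcl {
    param([Parameter(Mandatory = $true)][string]$Path)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -Path $Path

    # Stop inheriting from the parent folder and drop the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)

    # Remove every explicit allow/deny entry, whoever it belongs to.
    foreach ($rule in @($acl.GetAccessRules($true, $false, $sidType))) {
        $acl.PurgeAccessRules($rule.IdentityReference)
    }

    # Grant full control to SYSTEM and Administrators only.
    foreach ($sid in $SystemSid, $AdminsSid) {
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'FullControl', 'Allow')
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Get-UnexpectedAclEntry {
    # Returns every ACL entry (explicit or inherited) that is not SYSTEM or Administrators.
    param([Parameter(Mandatory = $true)][string]$Path)

    $allowed = @($SystemSid.Value, $AdminsSid.Value)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $allowed -notcontains $_.IdentityReference.Value }
}

function Protect-TnmsSecretFile {
    param(
        [Parameter(Mandatory = $true)][string]$InstallDir,   # <USER_INSTALL_DIR>
        [Parameter(Mandatory = $true)][string]$DataPath      # <data path>
    )
    # Files that Table 11 and Table 12 refer to section 12.6.1.
    $files = @(
        (Join-Path $InstallDir 'jboss\server\bicnet\conf\config.dat'),
        (Join-Path $InstallDir 'jboss\server\bicnet\deploy\db-ds.xml'),
        (Join-Path $DataPath 'TNMS\nedata\webdav\webdav.war\WEB-INF\classes\users.properties')
    )
    foreach ($file in $files) {
        if (-not (Test-Path -Path $file -PathType Leaf)) {
            Write-Warning "Not found, skipped: $file"
            continue
        }
        Set-AdminOnlyAcl -Path $file
        $left = @(Get-UnexpectedAclEntry -Path $file)
        New-Object PSObject -Property @{ File = $file; UnexpectedEntries = $left.Count } |
            Select-Object File, UnexpectedEntries
    }
}
```

`Get-UnexpectedAclEntry` can also be run on its own after maintenance package installations to confirm that no additional principal has regained access to these files.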

Abbreviations
ACS Actual Creation State

ALS Automatic Laser Shutdown

ASON Automatically-Switched Optical Network

BCB Broadcast Band

CAM Common Array Manager

CBS Committed Burst Size

CC Cross Connection

CDM Cross-domain Manager

CIR Committed Information Rate

CFM Connectivity Fault Management

CLI Console Interactive

CORBA Common Object Request Broker Architecture

CSPF Constrained Shortest Path First

CST Central Standard Time

CSV Comma-Separated Values

DA (Oracle’s Sun Storage) Disk Array

DCN Data Communications Network

DHCP Dynamic Host Configuration Protocol

DNS Domain Naming Service

DSR Dynamic Source Routing

DWDM Dense Wavelength Division Multiplexing

ELP Ethernet Linear Protection

EM Element Manager

EM/NE Element Manager/Network Element object management

FA-LSP Forwarding Adjacency LSP

FEC Forward Error Correction

FTP File Transfer Protocol

GBE Gigabit Ethernet

GCT GUI Cut-Through

GFPG Generic Framing Procedure Group

GM Generic Mediator

GMPLS Generalized Multi-Protocol Label Switching

GMT Greenwich Mean Time

GNE Gateway Network Element

GPS Global Positioning System

GUI Graphical User Interface

IMN Installation Manual

IOC Intelligent Optical Control

IOC OP Intelligent Optical Control Online Planning

IP Internet Protocol

LACP Link Aggregation Control Protocol

LAG Link Aggregation

LAN Local Area Network

LCT Local Craft Terminal

LDAP Lightweight Directory Access Protocol

LSP Label Switched Path

LSR Label Switch Router

MDI Multiple Document Interface

MIB Management Information Base

MSDE Microsoft SQL Server Desktop Engine

MTOSI Multi Technology Operations System Interface

MVM Multi-Vendor Mediator

NE Network Element

NEC NE Controller

NIC Network Interface Card

NNI Network to Network Interface

NTFS (Microsoft’s) New Technology File System

NTP Network Time Protocol

NW Network

OAM Operation, Administration and Maintenance

OCH Optical Channel

ODU Optical Data Unit - transport technology

OM Optical Manager or Optical Management

OMS Optical Multiplex Section

OPU Optical Payload Unit - transport technology

OTS Optical Transport Section - transport technology

OTU Optical Transport Unit - transport technology

PBS Peak Burst Size

PC Personal Computer

PCEP Path Computation Engine Protocol

PDF Portable Document Format

PIR Peak Information Rate

PT Physical Trail

PTC Planning Tool Connector

PTP Physical Termination Point

RAID Redundant Array of Independent Disks

RNE Remote Network Element

SCP Secure Copy

SCSI Small Computer System Interface

SDH Synchronous Digital Hierarchy

SFTP Secure File Transfer Protocol, or Secure Shell File Transfer Protocol

SLA Service-Level Agreement

SNC SubNetwork Connection

SNCP SubNetwork Connection Protection

SNMP Simple Network Management Protocol

SONET Synchronous Optical Networking

SPC Soft Permanent Connection

SQL Structured Query Language

SRLG Shared Risk Link Group

SSH Secure Shell

STP Spanning Tree Protocol

SVID Service Virtual Local Area Network Identifier

TC Topological Container or TransConnect

TCP/IP Transport Control Protocol/Internet Protocol

TL1 Transaction Language 1

TE-Link Traffic Engineering-Link

TMN Telecommunications Management Network

TN TransNet

TNMS Telecommunications Network Management System

TP Terminal Point

USB Universal Serial Bus

UMN User Manual

UNI User-to-Network Interface

UNI-S User-to-Network Interface-Service

UPS Uninterruptible Power Supply

VC Virtual Container

VLAN Virtual LAN

WAN Wide Area Network

WLAN Wireless LAN

XC Cross Connection

X-NE Cross-NE

XML eXtensible Markup Language

Glossary
@CT @CT is a web-based craft terminal (that is, element manager) software which provides
web access to hiT 7300 network elements (NEs) in the customer network without the
use of a management system. It communicates via SNMP with the NEs and uses the
FTPS for upload/download of software or other data configuration (for example, log
files).

3DES Triple DES is the common name for the Triple Data Encryption Algorithm (TDEA or
Triple DEA) symmetric-key block cipher, which applies the Data Encryption Standard
(DES) cipher algorithm three times to each data block.

Actual Creation State (ACS) Is the current state of the path which results from the accumulation of the
actual creation states of the path’s route elements.

Advanced Encryption Standard (AES) Is a specification for the encryption of electronic data. AES is based
on a design principle known as a substitution-permutation network, and is fast in both software and hardware.

Alarm An alarm is a management mechanism intended to inform the user that there is a
standing fault condition in the system.

Alarm log An alarm log provides a list of the alarms associated with a managed object, and
provides the following information about each of the alarms:
• the identification of the affected object
• the identification of the failed NE or the NE in which the failed unit resides
• the alarm severity
• the time the event occurred
• the indication whether the alarmed event is service affecting or not
• the location and the affected traffic

Alarm severity Each failure is assigned a severity. The following values are used:
• indeterminate
• critical
• major
• minor
• warning
• cleared alarms
• not Existent
• not Alarmed
Element Manager (EM) can configure the severity which is assigned to each fault cause
by an alarm severity assignment profile. In addition, EM can specify that a fault cause
shall not be alarmed. These fault causes will be blocked, hence do not lead to any LED
alarm indications, log entries or alarm reporting.

Alien wavelength A wavelength that does not originate from a transponder or muxponder card, but is still
allowed to be multiplexed into the aggregate line signal for transport as an optical
channel by the system.

Automatic Laser Shutdown (ALS) Is a technique used to automatically shut down the output power of the
transmitter in case of fiber break. This is a safety feature that prevents dangerous levels of laser light
from leaking out of a broken fiber, provided ALS is provisioned on both ends of the fiber pair.

Automatically-Switched Optical Networks (ASON) ASON domains are built on the VC4 layer of hiT 7065, 7070 or
7080, and on OCh layer of hiT 7300 and on ODU2 layer of hiT 7100, which have a Control Plane. The Control
Plane uses network-generated signaling and routing protocols to set up or release a connection, and can
restore one when it fails. ASON domains can be built up as part of the transport network. They provide the
benefit of easy end-to-end provisioning, and fault and protection management. Soft permanent connections
(SPCs) connect both endpoints (NE1 and NE2) within an ASON domain. If a path fails, an alternative path is
automatically used.

Bidirectional Self-healing Ring (BSHR) Is a telecommunications term for loop network topology, a common
configuration in telecommunications transmission systems; this loop or ring is used to provide redundancy.
The system consists of a ring of bidirectional links between a set of stations. In normal
use, traffic is dispatched in the direction of the shortest path towards its destination. In
the event of the loss of a link, or of an entire station, the two nearest surviving stations
"loop back" their ends of the ring. In this way, traffic can still travel to all surviving parts
of the ring, even if it has to travel "the long way round".

Card A card is a plug-in unit that occupies one (or multiple) shelf slots. Cards perform specific
electrical and/or optical functions within an NE.
Each card has a faceplate with information LEDs and, in most cases, several ports for
interconnection of optical fibers and/or optical interfaces.

Card slot A card slot is the insertion facility for a card in a shelf. Each card slot is designed for one
or several particular card types.
Mechanical coding elements make sure that each card can be fully inserted only into a
card slot that is suitable for the given card type. Therefore, fundamental shelf equipping
errors (which might cause hardware damage or fatal malfunctions) are impossible.

Ethernet Connectivity Fault Management (CFM) Is an end-to-end per-service Ethernet layer OA&M protocol.
IEEE 802.1ag CFM is a service level OA&M protocol that provides tools for detecting and isolating
connectivity failures in the network. This includes proactive connectivity monitoring, fault verification
and fault isolation for large Ethernet Metropolitan Area Networks (MANs) and WANs.

Committed Information Rate (CIR) Is the guaranteed average rate (in Mbit/s) at which the information units
are transferred through the port over a measurement interval.

Commissioning Commissioning a network element (NE) is the process of taking an installed NE and
bringing it into an operational state. The NE commissioning phase is performed after
the NE is installed and powered-up.

Controller card NE controller cards provide the central monitoring and controlling functions of the
system, as well as the MCF to operate the Q and QF Ethernet interfaces.
The controller card performs the following main functions: Fault Management, Performance
Management, Configuration Management, Security Management, Equipment
Management, Communication Management, Software Management (performing all
software downloads, uploads, and software integrity functions) and controlling the NE
alarm LEDs.

Data Communication Network (DCN) Data Communications Network is a management network for
telecommunication transport systems.
A DCN domain interconnects several NEs for the purpose of network management. The
communication is established via the Optical Supervisory Channel (OSC) of the optical
links and an Ethernet/L2 switching network implemented by the NEs.

Dense Wavelength Division Multiplexing (DWDM) In fiber-optic communications, wavelength-division
multiplexing (WDM) is a technology which multiplexes a number of optical carrier signals onto a single
optical fiber by using different wavelengths (colors) of laser light, that is, simultaneously places a large
number of optical signals (in the 1550 nm band) on a single optical fiber. This technique
enables bidirectional communications over one strand of fiber, as well as multiplication
of capacity.

Data Encryption Standard (DES) Is a widely-used method of data encryption using a private key. DES applies
a 56-bit key to each 64-bit block of data. The process can run in several modes and involves 16
rounds or operations.

Dynamic Host Configuration Protocol (DHCP) Is a standardized networking protocol used on IP networks that
dynamically configures IP addresses and other information that is needed for Internet communication. DHCP
allows computers and other devices to receive an IP address automatically from a
central DHCP server, reducing the need for a network administrator or a user to
configure these settings manually.

Domain TNMS allows you to restrict user groups to operate only a set of NEs or DCN subnets
instead of the entire network. This partitioning is called a “Domain” and limits the operation
on nodes outside of their partitions by assigning user groups to domains. Further,
you can also assign policies to domains for further control and security, limiting the user
groups to specific menu entries and actions. This arrangement is required, for example,
in network centers that are responsible for maintaining only a subset of the nodes. The
main purpose is security: it prevents a login to the system from granting access to the entire
network. TNMS now supports the creation, modification or deletion of multiple domains,
granting or restricting their accesses. By default, all NEs belong to the GLOBAL domain
which cannot be modified or deleted.

Ethernet Linear Protection (ELP) Is a protection scheme defined in the ITU-T G.8031 standard designed to
protect point-to-point Ethernet paths such as VLAN based Ethernet networks. To achieve protection,
ELP uses two disjointed paths, a working path and a protection path: traffic is carried
firstly on the active path (working path) and, in case of failure, traffic is switched to the
protection path. Both paths can be monitored using OAM protocols like CFM. ELP
provides 1:1 bi-directional protection switching with revertive mode capabilities. ELP
must first be configured at the NE side via the LCT; only then is it visible in TNMS
so that you can use it in the E-LAN and E-Line service creation via the New Ethernet
Service wizard. ELP is supported in specific network elements and cards only. Refer to
the NE dedicated documentation for more information.

Element Manager (EM) Network elements enable the user to perform operation, administration and
maintenance tasks with the NE system in a GUI environment.

Ethernet Ethernet is a family of frame-based computer networking technologies for LANs. It
defines a number of wiring and signaling standards for the physical layer, through
means of network access at the MAC/Data Link Layer, and a common addressing
format.

Fault management Fault management reports all hardware and software malfunctions within an NE, and
monitors the integrity of all incoming and outgoing digital signals.

File Transfer Protocol (FTP) FTP is a network protocol used to transfer files from one computer to an NE
and vice-versa through the network.

Frequency Frequency is a physical attribute of a wave (for example, an optical wave), defined as
the number of wave cycles per time unit. The frequency is directly related to the wavelength.

Generalized Multi-Protocol Label Switching (GMPLS) Is a protocol suite extending MPLS to manage further
classes of interfaces and switching technologies other than packet interfaces and switching, such as time
division multiplex, layer-2 switch, wavelength switch and fiber-switch.

Intelligent Optical Control (IOC) Is the Coriant software platform integrating the software defined
networking (SDN) framework with intelligent control for multi-layer optical transport networks. IOC
addresses the complete operational workflow and network lifecycle from service
planning to optimization up to maintenance, by combining the capabilities of the Coriant
TransNet optical planning tool, the IOC OP provisioning system and the TNMS network
management system.

Internet Protocol (IP) Is the principal communications protocol in the Internet protocol suite for relaying
datagrams across network boundaries. Its routing function enables internetworking, and
essentially establishes the Internet.

Internet Protocol version 4 (IPV4) Is a connectionless protocol for use on packet-switched networks. It
operates on a best effort delivery model, in that it does not guarantee delivery, nor does it assure proper
sequencing or avoidance of duplicate delivery. These aspects, including data integrity,
are addressed by an upper layer transport protocol, such as the Transmission Control
Protocol (TCP).

Link Aggregation Control Protocol (LACP) Within the IEEE specification the Link Aggregation Control
Protocol (LACP) provides a method to control the bundling of several physical ports together to form a
single logical channel. LACP allows a network device to negotiate an automatic bundling of links by
sending LACP packets to the peer (directly connected device that also implements
LACP).

Link Aggregation (LAG) Allows a bridge to treat multiple physical links between two end-points as a single
logical link, referred to also as a port-channel. The feature can be used to directly connect two
switches when the traffic between them requires high bandwidth and/or reliability, or to
provide a higher bandwidth connection to a public network. For this purpose, all the
physical links in a given port-channel must operate in full-duplex mode and at the same
speed. If a physical port or the related link of a LAG fails, the traffic previously carried
over the failed link automatically is switched to the remaining link(s) of the LAG (rapid
reconfiguration). Bandwidth degradation is an obvious impact if the sum of throughput of
the two/multiple aggregated links is higher than the throughput of the remaining link(s).
Be aware that certain link failures are not always visible to both ends of a link. Having Link
Aggregation Control Protocol (LACP) and Automatic Laser Shutdown (ALS) enabled
guarantees that both ends of a link properly detect all failures and perform the correct
response. LAG groups must first be created at the NE side via the LCT; only then are they
visible in TNMS so that you can use them in the E-LAN and E-Line service creation via
the New Ethernet Service wizard. LAG is supported in specific network elements and
cards only. Refer to the NE dedicated documentation for more information.

Laser A laser is a device that generates an intense narrow beam of light by stimulating the
emission of photons from excited atoms or molecules.

Laser safety Laser safety rules are a group of mechanisms and actions necessary to protect all users
from harmful laser light emissions.

Local Craft network (LCT) LCT is a client-based craft terminal (that is, element manager) software which
provides access to network elements (NEs) in the customer network without the use of a management system.

Lightweight Directory Access Protocol (LDAP) Is an application protocol for accessing and maintaining
distributed directory information services over an Internet Protocol network.

Line interface A line interface is a transponder interface that faces the line side of the link. Contrast
with “client interface” which faces the client equipment side of the link.

Long Haul (LH) hiT 7300 LH segment is a DWDM application characterized by a reach of more than 500
km and up to 1200 km.

Label Switched Path (LSP) Is a path through an MPLS network, set up by a signaling protocol such as LDP,
RSVP-TE, BGP or CR-LDP. The path is set up based on criteria in the forwarding equivalence
class (FEC).

Label switch router (LSR) Sometimes called transit router, is a type of a router located in the middle of a
Multiprotocol Label Switching (MPLS) network. It is responsible for switching the labels used to
route packets. When an LSR receives a packet, it uses the label included in the packet
header as an index to determine the next hop on the Label Switched Path (LSP) and a
corresponding label for the packet from a look-up table. The old label is then removed
from the header and replaced with the new label before the packet is routed forward.

MD5 Message-digest algorithm is a widely used cryptographic hash function producing a
128-bit (16-byte) hash value, typically expressed as a 32 digit hexadecimal number.

Maintenance Association End Points (MEP) Are points at the edge of the domain that define the boundaries
and send and receive CFM frames through the wire side (physical port) or relay function side.

Management Information Base (MIB) Is used for backup purposes where you can plan automatic upload jobs.

MX Juniper MX Series Universal Edge Routers are Ethernet-centric services routers that
are purpose-built for demanding carrier and enterprise applications (source: Juniper website).

NetConf Network Configuration Protocol (NETCONF), is an IETF network management protocol.
NETCONF provides mechanisms to install, manipulate, and delete the configuration of
network devices. Its operations are realized on top of a simple Remote Procedure Call
(RPC) layer. The NETCONF protocol uses an Extensible Markup Language (XML)
based data encoding for the configuration data as well as the protocol messages. This
in turn is realized on top of the transport protocol.

Network Craft Terminal (NCT) NCT is a network management craft terminal (that is, element manager)
software which is used for either local or remote network management.

Network Element (NE) A network element (NE) is a self-contained logical unit within the network. The NE
can be uniquely addressed and individually managed via software.
Each NE consists of hardware and software components to perform given electrical and
optical functions within the network.

Network Management The network management layer includes all the required functions to manage the optical
network in an effective and user-friendly way, such as the visualization of the network
topology, creation of services, and correlation of alarms to network resources.

Network topologies A topology of a network is defined by the list of NEs included in the network and the list
of links that connect those NEs (for example, point-to-point, chain, ring, and so on).

Network to Network Interface (NNI) Is an interface which specifies signaling and management functions
between two networks. NNI circuit can be used for interconnection of IP (e.g. MPLS) networks.

Coriant TransNet Planning of a hiT 7300 network is done by the Coriant TransNet tool. Coriant TransNet
is a sophisticated software simulation tool developed specifically for designing and/or
upgrading optical DWDM networks with hiT 7300. It runs on PCs using Microsoft
Windows operating systems.

Optical Channel A predefined wavelength that can be used to transmit a bit stream by means of a
modulated light signal.

Optical Network Node (ONN) An ONN is an NE where the incoming channels are either dropped or routed to a
line in a different direction, outgoing channels can also be added locally. Apart from multiplexing
and demultiplexing, an ONN NE implements optical or 3R signal regeneration and
dispersion compensation.

Optical path The path followed by an optical channel from the first multiplexer to the last demultiplexer.

Path Computation Engine Protocol (PCEP) Implements, sets up and manages PCEP, while also notifying OM when
PCEP is available or unavailable to send/receive PCEP Route messages.

Performance management Performance monitoring and signal quality analysis provide information for
detecting, and alerting on, a cause that could lead to degraded performance before a failure is
declared.

Peak Information Rate (PIR) Is a burstable rate set on routers and/or switches that allows throughput
overhead. Related to Committed Information Rate which is a committed rate speed guaranteed/capped.
For example, a CIR of 10 Mbit/s and a PIR of 12 Mbit/s allows you access to 10
Mbit/s minimum speed with burst/spike control that allows a throttle of an additional 2
Mbit/s.

Pseudo-Random Binary Sequence (PRBS) Is a known sequence of bits that can be used as a test signal to
measure transmission delay and bit error rate of a channel. In this test, one port inserts the PRBS signal
in the channel (source port) and another detects if the sequence was received correctly (sink
port). This kind of test is traffic affecting since the test sequence is inserted into the
OPUk until the test is stopped.

Physical Trails (PT) Trails are represented as Physical Trails (PTs). They connect two Physical Termination
Points (PTP) on a physical layer rate, but can also contain non-physical layers.

Planning Tool Connector (PTC) Interfaces Coriant TransNet/Intelligent Optical Control DWDM network
planning tool.

PTX Juniper Packet Transport Routers are Converged Supercore platforms that deliver
powerful capabilities based on the Junos Express chipset and forwarding architectures
optimized for MPLS and Ethernet, with integrated, coherent 100GbE technology (source:
Juniper website).

Required Creation State (RCS) Is the desired state of the path, which is set by the user upon creation.

Optical Signal to Noise Ratio (OSNR) OSNR is the ratio of an optical signal power to the noise power in the
signal.

Ring network A ring network is a network topology in which each NE connects to exactly two other
NEs, forming a circular optical path for signals (that is, a ring).

Synchronous Digital Hierarchy (SDH) Is a standardized protocol that transfers multiple digital bit streams
over optical fiber using lasers or highly coherent light from light-emitting diodes. At low transmission
rates data can also be transferred via an electrical interface. The method was developed to replace
the Plesiochronous Digital Hierarchy system for transporting large amounts of telephone
calls and data traffic over the same fiber without synchronization problems.

Security management Security Management controls the individual access to particular NE functions via the
network management system and/or via a craft terminal, using a hierarchical security
management user ID, and password concept.

State Event Machine (SEM) In computation, a finite-state machine is event driven if the transition from one
state to another is triggered by an event or a message.

Service Provisioning via NMS Provisioning mode in hiT 7300.
The core equipment is provisioned by downloading and swapping NCFs, while
services are manually provisioned via the NMS.
When adding new services or expanding an existing network, the relevant line cards,
cross connections and internal port connections between line cards and
multiplexers/demultiplexers are provisioned via the NMS.

Secure Hash Algorithm (SHA) Is a family of cryptographic hash functions that takes an arbitrary block of
data and returns a fixed-size bit string, the cryptographic hash value, such that any (accidental or
intentional) change to the data will (with very high probability) change the hash value.
The data to be encoded are often called the message, and the hash value is sometimes
called the message digest or simply digest.

Simple Network Management Protocol (SNMP) SNMP is used in network management systems to monitor
network-attached devices for conditions that warrant administrative control. It consists of a set of
standards for network management, including an application layer protocol, a database schema, and
a set of data objects.

Software management Software management performs all software downloads, uploads, and software integrity
functions.

Secure Shell (SSH) Is a cryptographic network protocol for secure data communication, remote command-line
login, remote command execution, and other secure network services between two
networked computers that connects, via a secure channel over an insecure network, a
server and a client (running SSH server and SSH client programs, respectively).

Subsystem A subsystem is a set of shelves and cards in multicontroller NE that is controlled by a
subagent. All subagents within a multicontroller NE are controlled by the master agent.

Topological Container (TC) Defines a containment relationship between other topological container and/or
NEs. This means they can contain NE symbols and other TCs. The network map is always
associated with one TC, which corresponds to a network view.

Tandem Connection TCMs are configurable parameters (via Element Manager) of the transponders. They
Monitoring (TCM) provide a Performance Management of all the Optical Transport Network (that is, end-
to-end connection) or specific sections only and implement an Optical channel Data Unit
(ODU) termination provisioned to support up to six TCM levels.

Transmission Is one of the core protocols of the Internet protocol suite (IP), and is so common that the
Control Protocol entire suite is often called TCP/IP. TCP provides reliable, ordered, error-checked
(TCP) delivery of a stream of octets between programs running on computers connected to a
local area network, intranet or the public Internet. It resides at the transport layer.

TL1 Transaction Language 1 (TL1) is a widely used management protocol in telecommuni-


cations. It is a cross-vendor, cross-technology man-machine language, and is widely
used to manage optical (SONET) and broadband access infrastructure in North
America. TL1 is used in the input and output messages that pass between Operations
Systems (OSs) and Network Elements (NEs). Operations domains such as surveillance,
memory administration, and access and testing define and use TL1 messages to
accomplish specific functions between the OS and the NE.

TNMS Telecommunications Network Management System - is a standalone application that


provides a full range of network-management functions, from the transport network’s
physical structure and its NEs to those required for Automatically-Switched Optical
Networks (ASON), SW management (also referred to as X-NE or Cross-NE), Optical
Management and Ethernet Management.

TNMS Core TNMS Core is an integrated solution designed for large, medium and small size networks.
It supports NEs with DWDM, OTH, SDH, PDH, Ethernet in line, star, ring and
mesh network configurations. TNMS Core can be used to manage networks in the
access, edge, metro, core and backbone levels.

TNMS CT TNMS CT is a transparent software platform for SDH and DWDM NEs using QD2, QST,
QST V2, Q3 or SNMP telegram protocols. It supports line, star, ring and mesh networks
and provides access to NEs via Ethernet interface or via a serial line interface (RS232).

TNMS DX TNMS DX is a telecommunications network management system to operate, administer
and maintain hiT 7300 NEs. It allows remote operation and control of these network elements.

Trail Trace Identifier (TTI) TTI is a transponder card parameter (configurable via Element Manager)
which is used to verify correct cabling or correct Tandem Connection Monitoring (TCM) configuration.
The basic principle is that specific overhead bytes are reserved for Trace
Messages of the user's choosing. By specifying the Actually Sent (transmitted) and the
Expected (received) trace messages, the system can automatically verify that fiber connections
have been made as intended. This is accomplished by comparing the expected
Trace Message to that actually received. If they differ, an alarm is raised, alerting personnel
of the incorrect connections.

Transponder card A transponder card receives an optical input signal and converts it to an optical output
signal suitable for DWDM multiplexing and transmission.

Transponder loopback Loopbacks are diagnostic tests that can be activated via Element Manager.
Loopbacks return the transmitted signal back to the sending device after the signal has passed
across a particular link. The returned signal can then be compared to the transmitted
one. Any discrepancy between the transmitted and the returned signal helps to trace
faults.


User Datagram Protocol (UDP) Is one of the core members of the Internet protocol suite (the set of
network protocols used for the Internet). With UDP, computer applications can send messages, in this
case referred to as datagrams, to other hosts on an Internet Protocol (IP) network
without prior communications to set up special transmission channels or data paths.
UDP uses a simple transmission model with a minimum of protocol mechanism. It has
no handshaking dialogues, and thus exposes any unreliability of the underlying network
protocol to the user's program. As this is normally IP over unreliable media, there is no
guarantee of delivery, ordering or duplicate protection. UDP provides checksums for
data integrity, and port numbers for addressing different functions at the source and destination
of the datagram.

Ultra Long Haul (ULH) hiT 7300 ULH segment is a DWDM application characterized by long path lengths
of up to 1600 km.

User-to-Network Interface (UNI) Is a demarcation point between the responsibility of the service
provider and the responsibility of the subscriber. This is distinct from a Network to Network
Interface (NNI) that defines a similar interface between provider networks.

Virtual Local Area Networks (VLAN) In computer networking, a single layer-2 network may be
partitioned to create multiple distinct broadcast domains, which are mutually isolated so that
packets can only pass between them via one or more routers; such a domain is referred to as a
Virtual Local Area Network, Virtual LAN or VLAN.

Wavelength Wavelength is a physical attribute of a wave (for example, an optical wave), defined as
the distance between corresponding points of two consecutive wave cycles.
The wavelength is directly related to the frequency of the wave.

Wait to restore time (WTR) The time in minutes that TNMS waits until it tries to switch to the
working path again, assuming the Revertive option is selected.

eXtensible Markup Language (XML) Is a markup language that defines a set of rules for encoding
documents in a format that is both human-readable and machine-readable. The design goals of XML
emphasize simplicity, generality, and usability over the Internet. It is a textual data format with
strong support via Unicode for the languages of the world. Although the design of XML focuses
on documents, it is widely used for the representation of arbitrary data structures, for
example in web services.
