installing the billing adaptor (boa) user’s · pdf fileinstalling the billing adaptor...

Installing the Billing Adaptor (BOA) User’s Guide Revision: 1.12 Date: March 7, 2017

AmericasHeadquartersCisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000

800 553-NETS (6387) Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http:// www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

AdobeSystems, Inc.

AdobeLiveCycleDataServicesES2.5,Copyright©2010,AdobeSystems,Inc.AllRightsReserved

Oracle

Copyright ©2012, Oracle and/or its affiliates. All rights reserved.

OracleisaregisteredtrademarkofOracleCorporationand/oritsaffiliates.Othernamesmaybetrademarksoftheirrespectiveowners.

Red Hat, Inc.

Red Hat and Red Hat Enterprise Linux are trademarks of Red Hat, Inc., registered in the United States and other countries.

Other product names, symbols, and phrases used throughout this document (if any) are property of their respective owners.

© 2017 Cisco Systems, Inc. All rights reserved.

CONTENTS

Installing the Billing Adaptor (BOA) ................................................................................1

User’s Guide ..............................................................................................................................1

RevisionHistory.......................................................................................................................6Overview......................................................................................................................................7

Purpose.......................................................................................................................................7Hardware....................................................................................................................................7

Prerequisites.............................................................................................................................7AdditionalSoftwareneededforECS–CentralizedBilling:................................................8AdditionalSoftwareneededforECS-BST:..............................................................................8AdditionalSoftwareneededforInfiniteHome:.....................................................................8AdditionalSoftwareneededforVBO:........................................................................................8AdditionalSoftwareneededforVGSControlPlane:............................................................8

Installing the Billing Adaptor RPM File..............................................................................9

InterfaceTypes.........................................................................................................................9Interfacetype:SynchronousWebService–HouseholdWSDL........................................9Interfacetype:SynchronousWebService–PurchaseWSDL...........................................9Interfacetype:REST.......................................................................................................................9Interfacetype:RPC..........................................................................................................................9

InstallingBOA........................................................................................................................10InstallPrerequisiteSoftwareasneeded.......................................................................10InstallJDK(requiredinalldeployments)..............................................................................10Install/ConfigureJBoss(requiredinalldeployments).....................................................10InstallCertificates(requiredintheECSdeployments).....................................................11InstallJBoss-configurationRPMforsecurecommunications(requiredintheECSdeployments)...................................................................................................................................11ConfigureJbossforSecureCommunications(usingSelf-Signedor(CA)Certificates)..............................................................................................................................................................11InstallConsulclient(requiredintheECSdeployments)..................................................12Installvsftpd(requiredintheECSdeployments)...............................................................13Installrpcbind(requiredintheECS-BSTdeployment).....................................................13

RPMSigning/Verification..................................................................................................14

InstallBillingAdaptorUI....................................................................................................15

4

VBOInstallation....................................................................................................................16Prerequisites....................................................................................................................................16InstallationProcedures................................................................................................................17ConfigurationParameters(addadditionalparametersasneeded):...........................17

ECS-BillingSystemTerminator(BST)Installation..................................................18InstallationProcedures................................................................................................................18ConfigurationParameters(addadditionalparametersasneeded):...........................18

ECS–CentralizedBillingInstallation.............................................................................20InstallationProcedures....................................................................................................................20ConfigurationParameters(addadditionalparametersasneeded):...........................20

VGSControlPlaneInstallation.........................................................................................21InstallationProcedures....................................................................................................................21ConfigurationParameters(addadditionalparametersasneeded):...........................21

InfiniteHomeInstallation.................................................................................................23InstallationProcedures....................................................................................................................23HeatTemplate................................................................................................................................................23ManualInstallation......................................................................................................................................26

ConfigurationParameters(addadditionalparametersasneeded):...........................26Configure the BOA Service..................................................................................................29

VCSConsoleLogin.................................................................................................................29

ManagingtheBillingAdaptorConfigurationSettings..............................................30DefiningtheBillingAdaptorRoutingTable..........................................................................32DefiningOfferCreation.................................................................................................................33DefiningtheBOAUserandBOA-MgrUserGroup..........................................................................35

ModifytheBOAApplicationLogLevelSetting......................................................................37BillingAdaptorLogging.................................................................................................................37

Upgrade Billing Adaptor/BillingAdaptor UI..............................................................38BSTUpgrade(BOA)........................................................................................................................38RPMUpgrade(BOA)......................................................................................................................38BSTUpgrade(BOAUI)..................................................................................................................38RPMUpgrade(BOAUI).................................................................................................................39

AppendixA..............................................................................................................................40BOAOpenStackHeatTemplate–Parameters......................................................................40Parameters:......................................................................................................................................40BOAOpenStackHeatTemplate–Default...............................................................................46

BOA_instances_stdout:........................................................................................................52

BOA_pool_stdout:..................................................................................................................52AppendixB..............................................................................................................................53AvailableConfigurationParameters:......................................................................................53Explanationoftheparameters:..............................................................................................................53

AppendixC..............................................................................................................................57JbossCertificateManagement...................................................Error!Bookmarknotdefined.

5

CreateaSelf-SignedCertificate.................................................Error!Bookmarknotdefined.RecommendedCryptographicPrimitives.............................Error!Bookmarknotdefined.

AppendixD..............................................................................................................................67AlertManager–HAProxyConfiguration..................................................................................67HAProxyConfigurationwithCertificates...........................................................................................67HAProxywithoutSSLCertificates.........................................................................................................70

Commands...............................................................................................................................73

6

RevisionHistoryVersion Date Description

1.0 May16,2015 InitialdocumentforBOA4.0installation.LEA

1.1 May28,2015 Updatedocumenttomoveallconfigurationstotheconfig.propertiesfile.

1.2 July2,2015 Updatedocumenttomaketheconfigurationvariablenamesmatchtheconfig.propertiesfile

1.3 Aug7,2015 Updatedtoaddinstallsforalldeployments.

1.4 December10,2015 UpdatedtoincludenewconfigurationparametersformanagingadefaultauthorizationandautomaticallytriggeraTVODpurchasereport

1.5 December16,2015 ChangingECS/VGS/UHEPowerKeyconfigurationtosupportanrpminstallation.Addinghardwarerequirements.

1.6 January5,2016 UpdatedconfigurationparametersforVectorinstallation.

1.7 March4,2016 IncorporateUser/Configurationinformation.LEA

1.8 June1,2016 AddedinstructionsfortheBOAOpenStackHEATtemplate–LEA.

1.9 June17,2016

AddednewparameterdescriptionsforBEFconnection,Consulconnection,andlocationassignment

1.10 Nov7,2016 Rearrangeddocument.AddedsupportforSSLwithnecessaryinstructions.Addedinstall/configurationforConsulclient.AddedBillingAdaptorUIinstallationinstructions.AddedsupportforBST.RemovedcDVRinstructions.Addedupgradeinstructions.

1.11 March2,2017 Addedstepstoinstallrpcbind.AddedadeploymentenvironmentforgenericECSwithcentralizedbilling.

1.12 March7,2017AddedRPMSigningandVerificationAddedCertificateManagement–AppendixCAddedHAProxyconfiguration–AppendixDAddedHeatTemplateexamplewithexplanation-LEA

7

Overview

Cisco's Business Support System/Operations Support System (BSS/OSS) Adaptor provides a unified interface to the back-end subscriber and billing systems typical of subscription-based service provider deployments. The BSS/OSS Adaptor (BOA) can be co-located with other back-end systems. This eliminates the need for a separate billing system interface for each control system.

PurposeThis document describes how to configure the BOA service for Cisco's Videoscape Control Suite (VCS) Version 4.0.

HardwareMinimumhardwareconfiguration:2-vCPU/4GBRAM/4-GBHDD

PrerequisitesThe following is a list of software that may be needed for BOA operations. Only install the software needed for the installation.

¾ Operating System:

o CentOS 6.8 or better

o CSCOlxplat-3.0.5 or better

¾ VCS Version 4.0 or greater must be installed which include:

o Required

§ Jboss EAP 6.4.9-x

§ Java 1.8.x

8

Additional Software needed for ECS – Centralized Billing: VCSConsole4.x.xBOAUI4.x.xComponentVCS-service-config1.x.xConsul-0.7.xorbetterVsftpd3.x.xorbetterRpcbind0.2.x

Additional Software needed for ECS - BST: VCSConsole4.x.xBOAUI4.x.xComponentVCS-service-config1.x.xConsul-0.7.xorbetterVsftpd3.x.xorbetterRpcbind0.2.x

Additional Software needed for Infinite Home: HornetQ2.2.14-7UPM5.78.0-114orbetter(Mongo2.6.xorbetter)ReportServerBEF

Additional Software needed for VBO: HornetQ2.2.14-7MongosUPM(Mongo)PPS(Mongo)HEPVVLASplunkForwarderOracle:Seebelowforothers

Additional Software needed for VGS Control Plane : HornetQ2.2.14-7UPM(Oracle)CCMNMCIBSMOASMRabbitMQTUF

Installing the Billing Adaptor RPM File

InterfaceTypesTherecanbemultipleBOAinterfaces(describedbelow)activesimultaneously,butifagiveninterfaceisnotgoingtobeexercised,theassociatedfeaturesandconfigurationsettingscanandshouldbedisabledorleftempty.

Interface type: Synchronous Web Service – Household WSDL IndeploymentenvironmentswherethesynchronouswebserviceinterfaceisutilizedwiththehouseholdWSDL,BOAisresponsibleformanaginghouseholds,devices,andauthorizationsusinganinterfacewithUPM.Thisinterfaceishousehold-centric.

Interface type: Synchronous Web Service – Purchase WSDL IndeploymentenvironmentswherethesynchronouswebserviceinterfaceisutilizedwiththepurchaseWSDL,BOAisresponsibleforcreatinganddeletingpurchasesandprocessingviewstart/stopevents.Thisinterfaceishousehold-centric.InordertoexercisethefullsetofpurchaseWSDLcommands,thefollowingconfigurationvaluesarerequired.MakesuretheUnifiedHeadEnd(UHE)componentsareinstalledpriortoinstallingBOA:UPM,HEP,CMDC,PPS,andthepurchaseconnections.IfareducedsetofpurchaseWSDLcommandsaretargetedforuse,theconfigurationvaluesmaybeasubsetofthatlist.

Interface type: REST IndeploymentenvironmentswheretheBOARESTinterfaceisutilized,BOAisresponsibleformanaginghouseholds,devices,andauthorizationsusinganinterfacewithUPM.Thisinterfaceishousehold-centric..Purchasereportingcommandsareavailableinthisinterface,andiftheyaretargetedforuse,theReportServerconfigurationvaluesneedtobepopulated.

Interface type: RPC IndeploymentenvironmentswheretheRPCinterfaceisutilized,BOAisresponsibleforforwardingBOSScommandsreceivedoverRPCtoeitheranECortheECS,dependingonthecommandtype.Thisinterfaceisdevice-centric.Servicediscoveryisrequiredinthisenvironmentandtheroutingtablemustbepopulated.

10

InstallingBOAChoose your Installation Environment from the options below and perform the installation procedures within the appropriate sections that follow.

Installation Environment Instructions Video Back Office (VBO) Go to the VBO Installation section. Page 15 ECS Billing System Termination (BST) Installation

Go to the ECS Billing System Termination (BST) Installation. Page 18

VGS(Unified HeadEnd (UHE))/PowerKey Go to the VGS(UHE)/PowerKey Installation section. Page 20

Infinite Home Go to Infinite Home Installation section, Page 22

InstallPrerequisiteSoftwareasneededNOTE:IfinstallinginanOpenStackenvironment,seeAppendixAfortheOpenStacktemplatesforthatinstallation.

Install JDK (required in all deployments) 1. Install jdk.

Example: yum install jdk8u102 (yum repository install)

-or- rpm –ivh jdk8u102-xxxxx (manual installation)

Install/Configure JBoss (required in all deployments) 1. Install jboss-eap.

Example: yum install jboss-eap-6.4.9-1 (yum repository install) -or- rpm –ivh jboss-eap-6.x.x.x (manual installation)

2. Create a file in /etc/jboss-as/conf.d: Type:

vi boa.conf Insert the following:

JBOSS_CONFIG=standalone.xmlJAVA_OPTS="-Xms2g-Xmx4g-XX:MaxPermSize=2g"JAVA_OPTS="$JAVA_OPTS-d64"JAVA_OPTS="$JAVA_OPTS-Djava.net.preferIPv4Stack=true"JAVA_OPTS="$JAVA_OPTS-Djava.awt.headless=true"JAVA_OPTS=“$JAVA_OPTS-Djboss.bind.address=0.0.0.0”exportJAVA_OPTS

11

Note: Depending on the VM configuration, some systems may require the use of the actual IP of the node, rather than listen on all interfaces.

3. Do not insert the NOTE. 4. Save the file:

:wq! 5. Change ownership to jboss:jboss. Type:

chown jboss:jboss boa.conf 6. Restart the jboss process. Type:

service jboss-as start

Install Certificates (required in the ECS deployments) 1. Install the certificates. 2. Edit the security.properties file and make sure all of the parameters below

are listed. a. vi /opt/cisco/vcs/security.properties b. paste in the following:

SSLType=TwoWayAuthenticationTrustStoreFile=/opt/cisco/vcs/certs/genericTruststore.jks(ChangetothelocationoftheTrustStoreCertificate)TrustStorePasswd=lab@dminKeyStoreFile=/opt/cisco/vcs/certs/genericKeystore.jks(ChangetothelocationoftheKeyStorefile)KeyStorePasswd=lab@dmin(ChangetotheKeyStorepassword)BasicAuthentication=trueBasicUsername=restfulBasicPasswd=conductorVerifyHostname=falseIgnoreHttpsHost=trueProtocolVersion=TLSv1.1

c. Type: wq! To save the file.

Install JBoss-configuration RPM for secure communications (required in the ECS deployments)

1. Install vcs-services-config. Example: yum install vcs-services-config

2. Enable two-way secure communications via JBoss: Type: cd /opt/cisco/jboss-config ./setup.sh -–auth two-way -–restart-jboss true

Configure Jboss for Secure Communications (using Self-Signed or (CA) Certificates)

SeeAppendixDforinstructionsoncreatingaself-signedCertificateandinstallingaCACertificate.

12

Install Consul client (required in the ECS deployments)

1. Install consul. Example: yum install cisco-vcs-consul

2. Copy the consul client template file in place. a. Change directory to /etc/consul

cd /etc/consul b. Copy the template file

cp consul.json.template consul.json c. Edit the consul client file, change the parameter as follows:

vi client.json { "server": false, "bind_addr": "<client ip>", "datacenter": "dc1", "pid_file": "/var/run/consul/consul.pid",

"data_dir":"/opt/consul/data", "encrypt": "<output from consul keygen>", "log_level": "INFO", "enable_syslog": true, "disable_update_check": true, "retry_join": [ "<server_ip1>", "<server_ip2>", "<server_ip3>" ] } bind_addr: The VCS Console current IP encrypt: The key generated when the first consul server was installed retry_join: The list of consul servers separated by commas Donotchangeanyotherparameter

3. Save the changed file, :wq!. 4. Start the consul service:

service consul start

13

Install vsftpd (required in the ECS deployments) In order to enable the transfer of PPV report files, an FTP user must be created and vsftpd must be installed.

1. Create the user: useradd -m dncsftp

2. Install vsftpd: yum install vsftpd

3. Add two settings to the vsftpd configuration in /etc/vsftpd/vsftpd.conf. a. Enter:

vi /etc/vsftpd/vsftpd.conf b. Add these two lines:

userlist_deny=NO chroot_local_user=YES

c. To save the changes, type “:wq!”.

Install rpcbind (required in the ECS-BST deployment) In order to accept RPC requests, rpcbind must be installed and running.

1. Install the rpcbind rpm: yum install rpcbind

2. Start the rpcbind service: service rpcbind start

3. Confirm the service is running: service rpcbind status

14

RPMSigning/Verification

1. DownloadtheRPMforAlertManagerandAlertManagerUIalongwiththe

publickey.

2. VerifythefingerprintoftheGPGkey.

gpg –quiet –with-fingerprint RPM-GPG-KEY-VCSServices gpg: new configuration file `/root/.gnupg/gpg.conf' created gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run pub 2048R/DE2852BF 2017-03-06 Cisco VCS Services (VCSServices.rel) <[email protected]> Key fingerprint = EE7C F71A 5674 E978 2574 F83B 69EB 7905 DE28 52BF KEYforcomparison: pub 2048R/DE2852BF 2017-03-06 Cisco VCS Services (VCSServices.rel) <[email protected]> Key fingerprint = EE7C F71A 5674 E978 2574 F83B 69EB 7905 DE28 52BF

3. Ifthefingerprintmatches,importtheGPGkeywiththerpmcommand,then

continuewiththeinstallation.

rpm –import RPM-GPG-KEY-VCSServices NOTE:IftheRPMisinstalledviaYUMthentheimportofthekeyshouldhappenautomaticallyiftheyumconfigurationreferencesthelocationofthekeytotheinstallingsystem.

15

InstallBillingAdaptorUI

1. DownloadtheBillingAdaptorUIrpm.2. Installtherpm.

Example:rpm–ivhBillingAdaptorUI.noarch-4.0.x-1.rpm

3. ConfiguretheBillingAdaptorUItosupportconsul.a. Editthe/opt/cisco/BillingAdaptorUI-

4.0.x/BillingAdaptorUI/WEB-INF/classes/sdconfig.propertiesExample:com.cisco.oss.foundation.directory.client.type=consul com.cisco.oss.foundation.directory.mydatacenter.name=dc1 com.cisco.oss.foundation.directory.server.fqdn=localhost com.cisco.oss.foundation.directory.server.port=8500 com.cisco.oss.foundation.directory.consul.local.agent=true com.cisco.oss.foundation.directory.consul.local.agent.port=8500 Clienttypemustbe“consul”Mydatacenterwillbethedatacentername,defaultis“dc1”.ServerFullQualifiedDomainName(FQDN),willbelocalhost.(theclientshouldbeinstalledonthelocalhost)Leavetheremainderastheyareabove.

b. Savethefile,type:wq!

4. IfusingBillingAdaptorinasecureenvironment,editthisfile:vi/opt/cisco/installed/BillingAdaptorUI-4.0.11/BillingAdaptorUI/WEB-INF/classes/consoleasservice.properties

##UI Plug In Configurations Console as Service. CAS_SERVICE_NAME=BillingAdaptorUI VCS_PORT=8080 VCS_PROTOCOL=http REGISTER_SERVICE_SLEEP=60000 VCS_PORT = Change the port from 8080 to 8443. VCS_PROTOCOL = Change the protocol from “http” to “https”.

5. TorestarttheBillingAdaptorUI,typethefollowing:touch/opt/jboss-as/standalone/deployments/BillingAdaptorUI.war.deployed

6. BillingAdaptorUIshouldregisterwithConsulanddisplayinVCSConsole.7. LogoutofVCSConsoleandlogbackinandtheBillingAdaptorUIshouldbeavailable.

16

VBOInstallationInordertostorepurchaserecords,BOAusestheMongodatabase.TheBOAdatabaseandusermustbecreatedpriortotheBOAinstall.DonotcompletetheDataStoreparametersunlessusingtheMongoDatabase.

Prerequisites 1. Install/StarttheMongodatabaseServer.2. Performthefollowingsteps:

a. LogontotheMongoDBserver.b. Executemongotoenterthemongocommandline:

Type:mongoTypethefollowingtocreatetheBOAdatabaseandaddtheuser/password,theuserandpasswordareexamplesonly:

use boa db.addUser( { user: "boauser", pwd: "Moon1234", roles: [ "readWrite", "dbAdmin" ] } )

3. InstallalloftheUnifiedHeadEnd(UHE)componentsiftheyaregoingtobeusedpriortoinstallingBOA.IMPORTANT:

4. Ifthedatabasealreadyexists,theBOACollectionsmustbedroppedbeforeproceeding.ToviewtheBOAcollections,enterthefollowing:useboa<cr>

>showcollections;<cr>BoaServiceConfigurationBoaServiceInstanceInfosystem.indexessystem.users

5.Dropthecollectionsbyusingthefollowingcommands: > db.BoaServiceConfiguration.drop() <cr> true(expected result) > db.BoaServiceInstanceInfo.drop() <cr> true(expected result)

17

Installation Procedures IMPORTANT:Seeeachsectionbelowforspecificprerequistesandconfigurationparameters.

1. Obtain the BOA rpm. 2. Install the RPM:

a. Install: rpm –ivh <BOA RPM>

b. Upgrade: rpm –Uvh <BOA RPM>

3. Edit the config.properties file as needed. 4. Change directory to /opt/cisco/billingadaptor/conf 5. Copy sample-config.properties to config.properties, type:

cp sample-config.properties config.properties 6. Enter:

vi config.properties

Configuration Parameters (add additional parameters as needed): #Fri Apr 04 10:45:55 EDT 2014 db.password=password db.database=BOA db.primaryDbServerIP=127.0.0.1 db.primaryDbServerPort=27017 db.user=boauser connections.upm.host=10.1.1.1 connections.upm.port=6040 connections.rs.host=10.1.1.3 connections.rs.port=6530 connections.vvla.host=10.1.1.4 connections.vvla.port=8010 connections.hep.host=10.1.1.5 connections.hep.port=6030 connections.cmdc.host=10.1.1.6 connections.cmdc.port=5600 connections.pps.host=10.1.1.7 connections.pps.port=8010 purchase.client.sdmp.host=10.1.1.8 purchase.client.sdmp.port=8900 purchase.client.sdmp.path=sdmp/service purchase.client.flex.host=10.1.1.9 purchase.client.flex.port=8900 purchase.client.flex.path=flex/service purchase.retry.rateinseconds=30 purchase.retry.maxcount=3 svod.free.packageName=freePkg serviceDirectory.requiredFlag=false

18

1. To save the changes, type “:wq!”. 2. Change the ownership of the file to jboss:jboss:

chown jboss:jboss config.properties 3. Start the BOA application: 4. Change directory to /opt/cisco/billingadaptor/bin 5. Enter:

./billingadaptor.sh deploy

NOTE: In order for changes to the configuration file (config.properties) to take effect, BOA must be redeployed using the redeploy option on the billingAdaptor.sh script (alternatively, one can execute the script with the undeploy option and then execute with the deploy option).

ECS-BillingSystemTerminator(BST)Installation

Installation Procedures 1. ObtaintheBOArpm.2. Install the RPM:

a. Install: yum install billingAdaptor

3. Edit the config.properties file as needed. 4. Change directory to /opt/cisco/billingadaptor/conf. 5. Copy sample-config.properties to config.properties by entering the

following: cp sample-config.properties config.properties

6. Enter: vi config.properties

Configuration Parameters (add additional parameters as needed): #Mon Nov 07 09:11:24 EST 2016 connections.consul.ip=localhost connections.consul.port=8500 connections.ecs.cpems.ip=10.90.185.43 connections.ecs.cpems.port=8443 connections.sync.soap.longtimeoutinseconds=30 sec.keystore.keystorePath=/opt/cisco/vcs/certs/keystore.jks sec.keystore.password=lab@dmin sec.keystore.truststorePath=/opt/cisco/vcs/certs/client-truststore.jks sec.twoWayAuthEnabled=true serviceDirectory.datacenter=dc1 serviceDirectory.ip=localhost serviceDirectory.port=8500 serviceDirectory.requiredFlag=true serviceDirectory.type=consul

19



./billingadaptor.sh deploy NOTE: In order for changes to the configuration file (config.properties) to take effect, BOA must be redeployed using the redeploy option on the billingAdaptor.sh script (alternatively, one can execute the script with the undeploy option and then execute with the deploy option).

12. Install the VCS Console, refer to VCS Console Install/Upgrade Guide. 13. Install the BOA UI using the instruction on Page 14 of this document. 14. Populate the routing table in the VCS Console as described in the

Defining the Billing Adaptor Routing Table section on Page 27 of this document.

15. Ensure that rpcbind is installed before RPC requests are submitted to BOA.

20

ECS–CentralizedBillingInstallation

InstallationProcedures 1. Obtain the BOA rpm. 2. Install the RPM:



3. Edit the config.properties file as needed. 4. Change directory to /opt/cisco/billingadaptor/conf. 5. Copy sample-config.properties to config.properties by entering the



Configuration Parameters (add additional parameters as needed): #Mon Feb 27 09:11:24 EST 2017 connections.consul.ip=localhost connections.consul.port=8500 connections.ecs.cpems.ip=10.90.185.43 connections.ecs.cpems.port=8443 connections.sync.soap.longtimeoutinseconds=30 sec.keystore.keystorePath=/opt/cisco/vcs/certs/keystore.jks sec.keystore.password=lab@dmin sec.keystore.truststorePath=/opt/cisco/vcs/certs/client-truststore.jks sec.twoWayAuthEnabled=true serviceDirectory.datacenter=dc1 serviceDirectory.ip=localhost serviceDirectory.port=8500 serviceDirectory.requiredFlag=true serviceDirectory.type=consul



./billingadaptor.sh deployNOTE: In order for changes to the configuration file (config.properties) to take effect, BOA must be redeployed using the redeploy option on the billingAdaptor.sh script (alternatively, one can execute the script with the undeploy option and then execute with the deploy option).

21

VGSControlPlaneInstallation

InstallationProcedures 1. Obtain the BOA rpm. 2. Install the RPM:



3. Edit the config.properties file as needed 4. Change directory to /opt/cisco/billingadaptor/conf 5. Copy sample-config.properties to config.properties by entering the



Configuration Parameters (add additional parameters as needed): #Fri Apr 04 10:45:55 EDT 2016 serviceDirectory.requiredFlag=false connections.upm.host=10.1.1.1 connections.upm.port=6040 connections.ci.host=10.1.1.2 connections.ci.port=5155 region.validationFlag=true region.ppv.value=ppvRegionParamName region.subscription.value=subRegionParamName caproduct.ppv.value=caProductIdPpv caproduct.subscription.value=caProductIdSub business.rule.ppv.id=ppvBusinessRuleId business.rule.subscription.id=subBusinessRuleId connections.rabbitmq.host=rabbitmq.service.consul connections.rabbitmq.port=5672 connections.rabbitmq.userName=admin connections.rabbitmq.password=admin connections.rabbitmq.timeoutinseconds=10 connections.rabbitmq.exchangeName=TUF-Transaction service.feature.trackflowFlag=true service.feature.generateRequestIdentifierFlag=true


chown jboss:jboss config.properties

22

3. Start the BOA application: 4. Change directory to /opt/cisco/billingadaptor/bin 5. Enter:

./billingadaptor.sh deploy NOTE: In order for changes to the configuration file (config.properties) to take effect, BOA must be redeployed using the redeploy option on the billingAdaptor.sh script (alternatively, one can execute the script with the undeploy option and then execute with the deploy option).

23

InfiniteHomeInstallationInstallationProceduresTheInfiniteHomesoftwareinstallationcanbeaccomplishedusingthefollowingmethods:

• HeatTemplate• ManualInstallation

HeatTemplateToinstalltheInfiniteHomesoftwareusingtheHeattemplate,refertothe

24

Upgrade Billing Adaptor/BillingAdaptor UI

BST Upgrade (BOA)

1. Type the following command: yum upgrade billingAdaptor (This will stop and undeploy the service and install the new service)

2. Deploy the new service: a. Type:

/opt/cisco/billingadaptor/bin/billingadaptor.sh deploy 3. Monitor the BillingAdaptor log file.

a. Type: tail –f /opt/jboss-as/standalong/log/BillingAdaptor.log

RPM Upgrade (BOA)

1. Download the new rpm. 2. Stop the BillingAdaptor application.

a. Type: /opt/cisco/billingadaptor/bin/billingadaptor.sh undeploy

3. Install the new rpm: a. Type:

rpm –Uvh billingAdaptor-x.x.x.rpm 4. Start the BillingAdaptor application.

a. Type: /opt/cisco/billingadaptor/bin/billingadaptor.sh deploy

5. Monitor the BillingAdaptor log file. a. Type:

tail –f /opt/jboss-as/standalong/log/BillingAdaptor.log

BST Upgrade (BOA UI)

1. Type the following command: yum upgrade BillingAdaptorUI


touch /opt/jboss-as/standalone/deployments/BillingAdaptorUI.war.deployed

3. Monitor the BillingAdaptorUI log file. b. Type:

tail –f /opt/jboss-as/standalong/log/billingAdaptor/billingAdaptorUI.log

25

RPM Upgrade (BOA UI)

1. Download the new rpm. 2. Install the new rpm:

a. Type rpm –Uvh billingAdaptorUI-x.x.x.rpm

3. Deploy the new service. a. Type:


4. Monitor the BillingAdaptorUI log file. c. Type:


26

AppendixABOAOpenStackHeatTemplate–Parameterssectionofthisguide.

ManualInstallationToinstalltheInfiniteHomesoftwareusingtheHeattemplate,completethefollowing:

1. Obtain the BOA rpm. 2. Install the RPM:



3. Edit the config.properties file as needed. 4. Change directory to /opt/cisco/billingadaptor/conf 5. Copy sample-config.properties to config.properties, type:

cp sample-config.properties config.properties 6. Enter:

vi config.properties

Configuration Parameters (add additional parameters as needed): #Fri Apr 04 10:45:55 EDT 2016 kd.sn.processingFlag=true tvodReport.enableAutoTrigger.billingId=sms1, 1 enabledServices=PURCHASE-TVOD, LOCAL-PVR-ENABLED, IPTV connections.upm.host=212.200.187.3 connections.upm.port=6040 connections.rs.host=212.200.187.2 connections.rs.port=6530 connections.pps.host=212.200.187.7 connections.pps.port=6060 connections.bef.host=212.200.187.4 connections.bef.port=4321 connections.consul.host=212.200.187.5 connections.consul.port=123 serviceDirectory.requiredFlag=false

27

#Enabling location assignment: service.feature.fipsLookup=true/false service.name.get_eas_location=com.cisco.vcs.lcs.standalone.service.directory.endpoint.get_eas_location


chown jboss:jboss config.properties 3. Start the BOA application. 4. Change directory to /opt/cisco/billingadaptor/bin 5. Enter:

./billingadaptor.sh deploy NOTE: If the VCS Console is being installed for this deployment, the configuration parameters for service directory will need to be included. Also, in order for changes to the configuration file (config.properties) to take effect, BOA must be redeployed using the redeploy option on the billingAdaptor.sh script (alternatively, one can execute the script with the undeploy option and then execute with the deploy option).

Configure the BOA Service

VCSConsoleLogin1 Open a supported browser.

Notes: • Internet Explorer, Firefox, and Chrome browsers are supported. • The CP login page, displayed in the following step, cites the specific

versions that are supported. 2 Enter the following command in the address bar:

https://[VCS UI IP address]/ Example:https://192.0.2.1/Result: The management login page opens.

3 Enter the root or BOA user Username and Password and click Login to log in

to the console.

30

ManagingtheBillingAdaptorConfigurationSettingsBOA uses the information defined on the Billing Adaptor Configuration UI page to connect to the various systems listed on this page. This information is defined initially during the BOA installation procedure. To manage these connections, perform the following steps: 1 Log in to the CP Management interface with a username that provides access to

the Billing Adaptor Configuration page. 2 Select the Navigation bar to the left of the Cisco Logo with the arrow.

3 This will open up to the menus:

4 Then from the Control Plane menu, under Billing Adaptor:

5 Select Configuration. The Billing Adaptor Configuration page appears. The

values shown in the Billing Adaptor Configuration page that follows are just examples. The System or Network Administrator should be able to provide the correct values if changes to the configuration are necessary. The settings in config.properties can alternatively be used to set the values in this screen.

31

6 Update as needed the values on this page and click Save. A message appears indicating that the updated values saved successfully. The new values will take effect immediately.

32

Defining the Billing Adaptor Routing Table

BOA uses the routing configuration data to determine the appropriate EC IP address (and DTACS IP address if DTACS is utilized) to send BOSS transactions. The routes are based upon the billing system that sends the transaction to the BOA. The Videoscape Control Suite Console interface provides a page that supports this BOA routing configuration. To define the BOA Routing Table configuration, complete the following steps:

Note: The System or Network Administrator should be able to provide the IP address of the billing system's interface that communicates with the BOA. They should also be able to provide the IP address for the interface to the appropriate EC/DNCS/DTACS system, if not already known. 1 Log in to the Videoscape Control Suite Console interface with a username that

provides access to the Billing Adaptor. 2 Choose the Right directional arrow, in the upper left corner of the Videoscape

Control Suite Console this will display the Videoscape Control Suite Console menu from this menu under Billing Adaptor, select Routing Table and the Routing Table window will be displayed. Unlike the settings on the Configuration UI page, these settings cannot be made via the config.properties file so this screen is the only method.

3 Complete entries as required, then select Save.

33

4 View the Billing Adaptor Routings list in the Billing Adaptor Routing Table page. If you need to create a new billing adaptor route, click Create to define this new route.

5 Enter the IP address for the billing system, as well as for the EC/DNCS system

and/or the DTACS system. 6 Click Save. The newly defined route configuration appears in the list,

indicating that the new route is now in effect.

Defining Offer Creation BOAusestheOfferCreationscreentosetRegionValidation,RegionParamaterNames,CAProductParameterNames,andBusinessRuleIDs.

1. LogintotheVideoscapeControlSuiteConsoleinterfacewithausernamethathasaccesstotheBillingAdaptorOfferCreationscreen.

2. ChoosetheRightdirectionalarrow,intheupperleftcorneroftheVideoscapeControlSuiteConsolethiswilldisplaytheVideoscapeControlSuiteConsolemenufromthismenuunderBillingAdaptor,selectOfferCreationandtheOfferCreationwindowwillbedisplayed.Thesettingsinthisscreencanalternativelybesetbyeditingtheconfig.propertiesfile.

3. Completeentriesasrequired,thenselectSave.

34

4. Select the Home symbol to return to the main screen.

35

DefiningtheBOAUserandBOA-MgrUserGroup

The Videoscape Control Suite Console interface supports role-based user login functionality for the various applications installed, including BOA.

The Videoscape Control Suite Console interface provides pages that support the creation of a BOA-specific username and password, membership in various user groups, and customized service configuration access permissions for specific tasks.

To define a BOA user with customized access permissions, complete the following steps: 1 Log into the Videoscape Control Suite Console interface as the root user. 2 Choose User Administration > Users, Roles & AAA. 3 Choose Users and Accounts from the list of options on the left side of the page.

The Users page appears.

4 From the Users menu select the plus (+) symbol, the following menu will be

displayed:

36

5 Enter a new BOA username and password. 6 Check the BOA-Mgr check box to assign this new BOA user to the BOA-Mgr

group. 7 Click Save. The Add User successfully message should appear. 8 Choose User Groups from the list of options on the left side of the page. The

User Groups page appears.

9 Confirm that the new BOA user that you just created in the previous few steps

is listed as a Member of the BOA-MGR group. 10 Choose BOA-Mgr from the list of Group Names on the left. The Group Detail:

BOA-Mgr page appears.

11 Assign Task Permissions, as needed, to the new BOA user by checking the

appropriate check box. Then, click Submit. The User Group saved successfully message should appear.

12 Verify the new BOA user, user group, and access permissions by logging out of the CP Management system, and then logging back in as the new user. Check that the new user can access those pages for which permission was assigned.

37

Modify the BOA Application Log Level Setting

The BOA application log level setting in the CP Management window provides the operator with the ability to change the BOA log message output to different levels of detail. To adjust the BOA application log levels, complete the following steps: 1 Log in to the CP Management interface with a username that provides access to

the Billing Adaptor Dashboard page. 2 Under Billing Adaptor, choose Dashboard. The Billing Adaptor Dashboard

page appears.

3 In the Billing Adaptor Log Setting area, click the drop-down arrow to view the

different log levels. 4 Select the new, desired log level that is different from the current level. 5 Click Save. A confirmation message appears. The new log level becomes active.

BillingAdaptor Logging Loggingpath:/opt/jboss-as/standalone/log/BillingAdaptor.log

38

Upgrade Billing Adaptor/BillingAdaptor UI

BST Upgrade (BOA)

4. Type the following command: yum upgrade billingAdaptor (This will stop and undeploy the service and install the new service)


/opt/cisco/billingadaptor/bin/billingadaptor.sh deploy 6. Monitor the BillingAdaptor log file.

a. Type: tail –f /opt/jboss-as/standalong/log/BillingAdaptor.log

RPM Upgrade (BOA)

6. Download the new rpm. 7. Stop the BillingAdaptor application.

a. Type: /opt/cisco/billingadaptor/bin/billingadaptor.sh undeploy

8. Install the new rpm: a. Type:

rpm –Uvh billingAdaptor-x.x.x.rpm 9. Start the BillingAdaptor application.

a. Type: /opt/cisco/billingadaptor/bin/billingadaptor.sh deploy

10. Monitor the BillingAdaptor log file. a. Type:

tail –f /opt/jboss-as/standalong/log/BillingAdaptor.log

BST Upgrade (BOA UI)

5. Type the following command: yum upgrade BillingAdaptorUI



7. Monitor the BillingAdaptorUI log file. b. Type:


39

RPM Upgrade (BOA UI)

4. Download the new rpm. 5. Install the new rpm:

a. Type rpm –Uvh billingAdaptorUI-x.x.x.rpm

6. Deploy the new service. a. Type:


8. Monitor the BillingAdaptorUI log file. c. Type:


40

AppendixA

BOA OpenStack Heat Template – Parameters TousetheBOAOpenStacktemplate,enterthefollowingparametersintothetemplate:

Parameters: EntertheSubnetNameassociatedwiththeSubnetIDintheaboveOpenStackInternalNetwork.Forexample:

"urn:com:cisco:vci:heat:stack:subnetid":type:stringdefault:289b2301-bf70-4909-93de-0bae8dfb0ad2description:SubnetIdfortheInternalOpenStackNetwork

EntertheSubnetNameassociatedwiththeSubnetIDintheaboveOpenStackInternalNetwork.Forexample:

"urn:com:cisco:vci:heat:stack:subnetname":type:stringdefault:"lwr-lwrdevops9-private-subnet"description:SubnetName(requiredparameter;notusedinthistemplate)

EntertheRepositoryURLthatwillbeusedtoinstalltheBOAapplication.Forexample:

"urn:com:cisco:vci:repo:url":type:stringdefault:"http://engci-maven-master.cisco.com/artifactory/spvss-vci-service-repo/"description:RepositoryURL(requiredparameter;notusedinthistemplate)

EntertheNetworkIDfortheOpenStackInternalNetwork.Forexample:"urn:com:cisco:vci:heat:stack:networkid":type:stringdescription:NetworkIDdefault:3e528ade-1058-49ba-97c7-9b039c29bc5f

EnterthekeypairthatisconfiguredfortheOpenStackenvironmentconfiguredtosupporttheinstallation.Forexample:

"urn:com:cisco:vci:heat:stack:keypairid":type:stringlabel:keypairdefault:ciscodescription:NameofakeypairtoenableSSHaccesstoinstances.

EntertheSecurityGroupcreatedintheOpenStackenvironmentconfiguredtosupporttheinstallation.Forexample:

"urn:com:cisco:vci:service:parameter:securitygroup":type:stringlabel:securitygroupdescription:Nameofthesecuritygrouptousedefault:default

41

EnterthenameofthesizeoftheBOAvirtualmachinethatwillbedeployedintheOpenStackenvironment.Availablesizesareasfollows:

Sizesavailableare:1.m1.tiny–512MBRAM/1-GBHDD2.m1.small–2-GBRAM/20GBHDD3.m1.medium–4GBRAM/40GBHDD4.m1.large–8GBRAM/80GBHDD5.m1.xlarge--16GBRAM/160GBHDD

Forexample:

"boa.flavorname":type:stringdescription:Flavortousefortheserversconstraints:-custom_constraint:nova.flavordefault:m1.small"boa.flavorid":type:stringdefault:2description:FlavorIdusedininstancecreation

EnterthenameoftheimagetoinstallontothevirtualmachineintheOpenStackenvironment.Forexample:

"boa.imagename":type:stringdescription:>NameorIDoftheimagetousefortheservers.default:CentOS6.6

EntertheIDoftheimageidtoinstallontothevirtualmachine.Forexample:"boa.imageid":type:stringdefault:1description:ImageIdusedininstancecreation

EntertheminimumnumberofBOAvirtualmachinestocreateduringthedeployment.Forexample:

"boa.quantity:min":type:stringdefault:1description:Minimumquantityusedininstancecreationandscaling

42

EnterthemaximumnumberofBOAvirtualmachinestocreateduringthedeployment.Forexample:

"boa.quantity:max":type:stringdefault:3description:Maximumquantityusedininstancecreationandscaling

Enterthelocationinwhichthevirtualmachinewillbootfromtobecomeavailable.Forexample:

"boa:zone.azname":type:stringdefault:novadescription:AvailabilityzonenameforthemainboaAZ

EnterthedefaultnumberofBOAvirtualmachinestocreateduringthedeploymentintotheOpenStackenvironment.Forexample:

"boa.numinstances":type:stringdefault:2description:Thenumberofinstancestostartinitiallyinthescalinggroup

EntertheBOAversiontobeinstalledduringtheOpenStackenvironment,thiswillbethebaserpmname.Forexample:

"urn:com:cisco:vci:service:parameter:boaversion":type:stringlabel:"VersionofBOAtoinstall"description:TheversionofBOAtobeinstalleddefault:billingAdaptor

EntertheIPAddressoftheUPMvirtualmachine/hostthattheBOAvirtualmachinewilluseduringtheOpenStackdeployment.Forexample:

"urn:com:cisco:vci:service:parameter:upmip":type:stringlabel:"UPMIPAddress"description:TheIPaddressoftheUPMservicedefault:192.168.1.1

EntertheportforcommunicationswiththeUPMvirtualmachine(thedefaultportis6040).Forexample:

"urn:com:cisco:vci:service:parameter:upmport":type:stringlabel:"UPMPortNumber"description:TheportnumberoftheUPMservicedefault:6040

43

EntertheIPAddressoftheBEFvirtualmachine/hostthattheBOAvirtualmachinewilluseduringtheOpenStackdeployment.

“urn:com:cisco:vci:service:parameter:connections:bef:host":type:stringlabel:"BEFIPAddress"description:TheIPaddressoftheBEFservicedefault:192.168.1.1

EntertheportforcommunicatingwiththeBEFvirtualmachine.Forexample:"urn:com:cisco:vci:service:parameter:connections:bef:port":type:stringlabel:"BEFportnumber"description:TheportnumberoftheBEFservicedefault:4321

EntertheDirectoryServicevirtualmachine/hostIPAddressthattheBOAvirtualmachinewilluseduringtheOpenStackdeployment.Forexample:

"urn:com:cisco:vci:service:parameter:sdip":type:stringlabel:"ServiceDirectoryIPAddress"description:TheIPaddressoftheServiceDirectorydefault:192.168.1.1

EntertheportthatBOAwillusetocommunicatewiththeDirectoryServiceapplication.Forexample:

"urn:com:cisco:vci:service:parameter:sdport":type:stringlabel:"ServiceDirectoryPortNumber"description:TheportnumberoftheServiceDirectoryservicedefault:2013

EntertheflagtoindicatewhetherBOAshouldregisterwiththeDirectoryServiceapplication,intheInfiniteEnvironment,thedefaultis“false”.Forexample:

"urn:com:cisco:vci:service:parameter:sdusedflag":type:stringlabel:"ServiceDirectoryUsedFlag"description:FlagindicatingwhethertheServiceDirectoryshouldbeuseddefault:"false"

Entereither“true”or“false”toenable/disabletheKDSerialNumberMappingFlag.Forexample:

"boa.kdsnflag":type:stringlabel:"KDSerialNumberMappingFlag"description:FlagindicatingwhethertouseKDfriendlydeviceidvs.chipid.True=friendlydeviceID.default:"true"

44

EntertheIPAddressfortheReportServerhostfortheBOAapplicationtousefortheOpenStackdeployment.Forexample:

"urn:com:cisco:vci:service:parameter:connections:rs:host":type:stringlabel:"ReportServerHostAddress"description:TheReportServerhostaddressdefault:""

EntertheportfortheReportServerthattheBOAapplicationwilluseintheOpenStackdeployment.Forexample:

"urn:com:cisco:vci:service:parameter:connections:rs:port":type:numberlabel:"ReportServerPort"description:TheReportServerportdefault:6530

EntertheIPAddressfortheConsulhostfortheBOAapplicationtousefortheOpenStackdeployment.Forexample:

"urn:com:cisco:vci:service:parameter:connections:consul:ip":type:stringlabel:"ConsulIPAddress(leaderelection)"description:TheIPaddressofConsuldefault:localhost

EntertheportfortheConsulthattheBOAapplicationwilluseintheOpenStackdeployment.Forexample:

"urn:com:cisco:vci:service:parameter:connections:consul:port":type:numberlabel:"ConsulPortNumber"description:TheportnumberoftheConsulservice

default:8500EntertheBillingIDsneededtoTriggerTVODreportgeneration.Forexample:

"urn:com:cisco:vci:service:parameter:tvodreport:enableautotrigger:billingids":type:stringlabel:"TVODReportTriggerBillingIds"description:ThelistofbillingIdstotriggerTVODreportgenerationdefault:""

EntertheservicesthatneedtobeEnabledforBOA.Forexample:"urn:com:cisco:vci:service:parameter:enabledservices":type:stringlabel:"EnabledServices"description:Optionalsetofallowableenabledservicesdefault:""

45

Entereither“true”or“false”toindicatewhetherthedeploymentshouldclearallexistingrepositories.Forexample:

"urn:com:cisco:vci:service:parameter:clearreposflag":type:stringlabel:"ClearExistingReposFlag"description:FlagindicatingwhetherthedeploymentshouldclearallexistingrepoconfigurationsontheVMbeforeconfiguringdefault:"false"

Enterthetimeout,inseconds,towaitfortheBOAdeploymenttocomplete.Forexample:

"urn:com:cisco:vci:service:parameter:waittimeout":type:numberlabel:"DeploymentCycleTimeout"description:Themaximumtime,inseconds,between10and60minutestowaitforthedeploymenttocompletedefault:600constraints:-range:{min:600,max:3600}description:Timeoutmustbebetween600and3600seconds

46

BOA OpenStack Heat Template – Default ThefollowingisanexampleofthedefaultBOAOpenStackHeattemplate.heat_template_version:2013-05-23

description:>

ThistemplateinstallstheBSS/OSSAdaptoronOpenstack.

parameters:

"urn:com:cisco:vci:heat:stack:subnetid":type:stringdefault:""description:SubnetId

"urn:com:cisco:vci:heat:stack:subnetname":type:stringdefault:"geoSubnet"description:SubnetName(requiredparameter;notusedinthistemplate).

"urn:com:cisco:vci:repo:url":type:stringdefault:""description:RepositoryURL(requiredparameter;notusedinthistemplate).

"urn:com:cisco:vci:heat:stack:networkid":type:stringdescription:NetworkIDdefault:""

"urn:com:cisco:vci:heat:stack:keypairid":type:stringlabel:keypairdefault:""description:NameofakeypairtoenableSSHaccesstoinstances.

"urn:com:cisco:vci:service:parameter:securitygroup":type:stringlabel:securitygroupdescription:Nameofthesecuritygrouptousedefault:default

#Musthavetheseparameternames:.flavorid,.flavorname,.imageid,.imagename,.quantity:max/min,.azname,.fqdn,.floatingipid

"boa.flavorname":type:stringdescription:Flavortousefortheservers.constraints:-custom_constraint:nova.flavordefault:m1.small"boa.flavorid":type:numberdefault:2

47

description:FlavorIdusedininstancecreation."boa.imagename":type:stringdescription:>NameorIDoftheimagetousefortheservers.default:""

"boa.imageid":type:stringdefault:""description:ImageIdusedininstancecreation.

"boa.quantity:min":type:numberdefault:1description:Minimumquantityusedininstancecreationandscaling.

"boa.quantity:max":type:numberdefault:3description:Maximumquantityusedininstancecreationandscaling.

"boa:zone.azname":type:stringdefault:novadescription:AvailabilityzonenameforthemainboaAZ.

"boa.numinstances":type:numberdefault:2description:Thenumberofinstancestostartinitiallyinthescalinggroup.

"urn:com:cisco:vci:service:parameter:boaversion":type:stringlabel:"VersionofBOAtoinstall"description:TheversionofBOAtobeinstalled.default:billingAdaptor

"urn:com:cisco:vci:service:parameter:upmip":type:stringlabel:"UPMIPAddress"description:TheIPaddressoftheUPMservice.default:192.168.1.1

"urn:com:cisco:vci:service:parameter:upmport":type:numberlabel:"UPMPortNumber"description:TheportnumberoftheUPMservice.default:6040

"urn:com:cisco:vci:service:parameter:sdip":type:stringlabel:"ServiceDirectoryIPAddress"description:TheIPaddressoftheServiceDirectory.default:192.168.1.1

48

"urn:com:cisco:vci:service:parameter:sdport":type:numberlabel:"ServiceDirectoryPortNumber"description:TheportnumberoftheServiceDirectoryservice.default:2013

"urn:com:cisco:vci:service:parameter:sdusedflag":type:stringlabel:"ServiceDirectoryUsedFlag"description:FlagindicatingwhethertheServiceDirectoryshouldbeused.default:"false"

"boa.kdsnflag":type:stringlabel:"KDSerialNumberMappingFlag"description:FlagindicatingwhethertouseKDfriendlydeviceidvs.chipid.True=friendlydeviceID.

default:"true"

"urn:com:cisco:vci:service:parameter:connections:rs:host":type:stringlabel:"ReportServerHostAddress"description:TheReportServerhostaddress.default:""

"urn:com:cisco:vci:service:parameter:connections:rs:port":type:numberlabel:"ReportServerPort"description:TheReportServerport.default:6530

"urn:com:cisco:vci:service:parameter:tvodreport:enableautotrigger:billingids":type:stringlabel:"TVODReportTriggerBillingIds"description:ThelistofbillingIdstotriggerTVODreportgeneration.default:""

"urn:com:cisco:vci:service:parameter:enabledservices":type:stringlabel:"EnabledServices"description:Optionalsetofallowableenabledservices.default:""

"urn:com:cisco:vci:service:parameter:clearreposflag":type:stringlabel:"ClearExistingReposFlag"description:FlagindicatingwhetherthedeploymentshouldclearallexistingrepoconfigurationsontheVMbeforeconfiguring.

default:"false"

49

"urn:com:cisco:vci:service:parameter:waittimeout":type:numberlabel:"DeploymentCycleTimeout"description:Themaximumtime,inseconds,between10and60minutestowaitforthedeploymenttocomplete.

default:600constraints:-range:{min:600,max:3600}description:Timeoutmustbebetween600and3600seconds.

resources:

BOA-security:type:OS::Neutron::SecurityGroupproperties:description:ThisspecificallyopenstheneededportforBOA'sRESTfulinterface.name:BOA-securityrules:[{remote_ip_prefix:0.0.0.0/0,protocol:tcp,port_range_min:8080,port_range_max:8080,direction:egress,ethertype:IPv4},{remote_ip_prefix:0.0.0.0/0,protocol:tcp,port_range_min:8080,port_range_max:8080,direction:ingress,ethertype:IPv4},{remote_ip_prefix:0.0.0.0/0,protocol:tcp,port_range_min:80,port_range_max:80,direction:egress,ethertype:IPv4},{remote_ip_prefix:0.0.0.0/0,protocol:tcp,port_range_min:80,port_range_max:80,direction:ingress,ethertype:IPv4},{remote_ip_prefix:0.0.0.0/0,protocol:tcp,port_range_min:6040,port_range_max:6040,direction:egress,ethertype:IPv4},{remote_ip_prefix:0.0.0.0/0,protocol:tcp,port_range_min:6530,port_range_max:6530,direction:egress,ethertype:IPv4}]

BOACluster-DNS-group:type:OS::Neutron::SecurityGroupproperties:description:ThisismandatedbytheVCIOrchestrationFrameworktoprovidetheDNS

throughaConsulserver.name:BOACluster-DNS-grouprules:[{remote_ip_prefix:0.0.0.0/0,protocol:tcp,port_range_min:8500,port_range_max:8500,direction:egress,ethertype:IPv4},{remote_ip_prefix:0.0.0.0/0,protocol:tcp,port_range_min:8500,port_range_max:8500,direction:ingress,ethertype:IPv4},{remote_ip_prefix:0.0.0.0/0,protocol:tcp,port_range_min:8400,port_range_max:8400,direction:egress,ethertype:IPv4},{remote_ip_prefix:0.0.0.0/0,protocol:tcp,port_range_min:8400,port_range_max:8400,direction:ingress,ethertype:IPv4},{remote_ip_prefix:0.0.0.0/0,protocol:udp,port_range_min:8600,port_range_max:8600,direction:egress,ethertype:IPv4},{remote_ip_prefix:0.0.0.0/0,protocol:udp,port_range_min:8600,port_range_max:8600,direction:ingress,ethertype:IPv4}]

50

boa_resource_group:type:OS::Heat::ResourceGroupproperties:count:{get_param:"boa.numinstances"}resource_def:type:OS::Nova::Serverproperties:name:str_replace:template:$instance_name-server-$indexparams:$instance_name:{get_param:"OS::stack_name"}$index:"%index%"key_name:{get_param:"urn:com:cisco:vci:heat:stack:keypairid"}image:{get_param:"boa.imagename"}flavor:{get_param:"boa.flavorname"}availability_zone:{get_param:"boa:zone.azname"}networks:-network:{get_param:"urn:com:cisco:vci:heat:stack:networkid"}security_groups:[get_param:"urn:com:cisco:vci:service:parameter:securitygroup",get_resource:BOA-security,get_resource:BOACluster-DNS-group]user_data_format:RAWuser_data:str_replace:template:|#!/bin/bash-v

date

$vci_utility_scriptsvciUtilregisterservice$stack_prefix-boa-rest8080

if[$clearreposflag="true"];thenrm-f/etc/yum.repos.d/*.repofiexportHOST_IP=`/sbin/ifconfigeth0|grep'inetaddr:'|cut-d:-f2|awk'{print$1}'`exportBOA_JBOSS_CONFIG_FILE="/etc/jboss-as/conf.d/boa.conf"exportAPP_REPO_FILE="/etc/yum.repos.d/app-repo.repo"echo"[app-repo]">$APP_REPO_FILEecho"name=app-repo">>$APP_REPO_FILEecho"baseurl=$url">>$APP_REPO_FILEyum-y-q--nogpgcheckinstalljdk-1.7.0_79yum-y-q--nogpgcheckinstalljboss-asecho"JBOSS_CONFIG=standalone.xml">$BOA_JBOSS_CONFIG_FILEecho"JAVA_OPTS=\"-Xms2g-Xmx4g-XX:MaxPermSize=2g\"">>

51

$BOA_JBOSS_CONFIG_FILEecho"STARTUP_WAIT=120">>$BOA_JBOSS_CONFIG_FILEecho"SHUTDOWN_WAIT=60">>$BOA_JBOSS_CONFIG_FILEecho"JAVA_OPTS=\"\$JAVA_OPTS-d64\"">>$BOA_JBOSS_CONFIG_FILEecho"JAVA_OPTS=\"\$JAVA_OPTS-Djava.net.preferIPv4Stack=true\"">>$BOA_JBOSS_CONFIG_FILEecho"JAVA_OPTS=\"\$JAVA_OPTS-Djava.awt.headless=true\"">>$BOA_JBOSS_CONFIG_FILEecho"JAVA_OPTS=\"\$JAVA_OPTS-Djboss.bind.address=$HOST_IP\"">>$BOA_JBOSS_CONFIG_FILEecho"exportJAVA_OPTS">>$BOA_JBOSS_CONFIG_FILEecho"$HOST_IP"`hostname`>>/etc/hostschkconfig--level2345jboss-asonservicejboss-asstartyum-y-q--nogpgcheckinstall$boaversionecho-e"connections.upm.host=$upmip\nconnections.upm.port=$upmport">/opt/cisco/billingadaptor/conf/config.propertiesecho-e"serviceDirectory.ip=$sdip\nserviceDirectory.port=$sdport\nserviceDirectory.requiredFlag=$sdreqflag">>/opt/cisco/billingadaptor/conf/config.propertiesecho-e"kd.sn.processingFlag=$kdsnflag">>/opt/cisco/billingadaptor/conf/config.propertiesif[-n"$rshostaddr"];thenecho-e"connections.rs.host=$rshostaddr\nconnections.rs.port=$rshostport\n">>/opt/cisco/billingadaptor/conf/config.propertiesfiif[-n"$tvodtriggerids"];thenecho-e"tvodReport.enableAutoTrigger.billingId=$tvodtriggerids\n">>/opt/cisco/billingadaptor/conf/config.propertiesfiif[-n"$enabledsvcs"];thenecho-e"enabledServices=$enabledsvcs\n">>/opt/cisco/billingadaptor/conf/config.propertiesfichownjboss:jboss/opt/cisco/billingadaptor/conf/config.properties/opt/cisco/billingadaptor/bin/billingadaptor.shdeploydate

result=`echo$?`if[$result-eq0];then/opt/aws/bin/cfn-signal-e0-r"serversetupcomplete"'$wait_handle'else/opt/aws/bin/cfn-signal-e1-r"serversetupfailed"'$wait_handle'fi

52

params:$vci_utility_scripts:{get_file:vci-utility-scripts}$boaversion:{get_param:"urn:com:cisco:vci:service:parameter:boaversion"}$upmip:{get_param:"urn:com:cisco:vci:service:parameter:upmip"}$upmport:{get_param:"urn:com:cisco:vci:service:parameter:upmport"}$sdip:{get_param:"urn:com:cisco:vci:service:parameter:sdip"}$sdport:{get_param:"urn:com:cisco:vci:service:parameter:sdport"}$sdreqflag:{get_param:"urn:com:cisco:vci:service:parameter:sdusedflag"}$clearreposflag:{get_param:"urn:com:cisco:vci:service:parameter:clearreposflag"}$rshostaddr:{get_param:"urn:com:cisco:vci:service:parameter:connections:rs:host"}$rshostport:{get_param:"urn:com:cisco:vci:service:parameter:connections:rs:port"}$tvodtriggerids:{get_param:"urn:com:cisco:vci:service:parameter:tvodreport:enableautotrigger:billingids"}$enabledsvcs:{get_param:"urn:com:cisco:vci:service:parameter:enabledservices"}$kdsnflag:{get_param:"boa.kdsnflag"}$stack_prefix:{get_param:"OS::stack_name"}$wait_handle:{get_resource:wait_handle}wait_handle:type:AWS::CloudFormation::WaitConditionHandlewait_condition:type:AWS::CloudFormation::WaitConditionproperties:Handle:{get_resource:wait_handle}Timeout:1200outputs:BOA_instances_stdout:description:AlloftheIPaddressesoftheBOAResourceGroupvalue:{get_attr:[boa_resource_group,networks]}BOA_pool_stdout:description:TheIPaddressoftheloadbalancer(theaddresspool)value:str_replace:template:$stack_prefix-boa-rest:8080params:$stack_prefix:{get_param:"OS::stack_name"}

53

AppendixBAvailable Configuration Parameters:

Explanationoftheparameters:DatabaseSettings:

db.primaryDbServerIP - Enter the IP address for the primary Mongo Database Server. db.primaryDbServerPort - Enter the connection port for the primary Mongo Database Server, usually 27017. db.secondaryDbServerIP - Enter the IP address for the secondary Mongo Database Server. db.secondaryDbServerPort - Enter the connection port for the secondary Mongo Database Server, usually 27017. db.database -- Enter the Mongo Database name for the BOA instance. db.user -- Enter the Mongo Database user name for the BOA instance. db.password -- Enter the Mongo Database user password for the BOA instance.

ServiceConnections:connections.upm.host – Enter the IP address of the UPM server. connections.upm.port – Enter the port for UPM server communications, default port is 6040. connections.ci.host – Enter the IP address of the Catalog Import Host. connections.ci.port – Enter the port for Catalog Import communications, default port is 5155. connections.hep.host – Enter the IP address for the Headend Purchase (HEP) host. connections.hep.port – Enter the port for HEP, default port is 6030. connections.cmdc.host – Enter the IP address for the Catalog Merchandiser Host. connections.cmdc.port – Enter the port for the CMDC communications, default port is 5600. connections.pps.host – Enter the IP address for the Personal Planner System (PPS) host. connections.pps.port – Enter the port for the PPS communications, default port is 6060 connections.vvla.host – Enter the IP address for the VVLA host. connections.vvla.port – Enter the port for the VVLA communications, default port is 8010 connections.ds.host - Enter the IP address for the DS host. connections.ds.port – Enter the DS port, default port is 6045.

54

connections.rs.host - Enter the IP address for the RS host. connections.rs.port - Enter the RS port, default port is 6530. connections.bef.host – Enter the IP address of the BEF (Business Event Forwarder). connections.bef.port – Enter the BEF port. connections.consul.host – Enter the IP address of Consul (used for leader election). connections.consul.port – Enter the Consul port. connections.sync.soap.longtimeoutinseconds – Enter the timeout value for sync SOAP BOSS commands that are delivered to an STB connections.rabbitmq.host – Enter the RabbitMQ hostname connections.rabbitmq.port – Enter the RabbitMQ port connections.rabbitmq.userName – Enter the RabbitMQ user name connections.rabbitmq.password – Enter the RabbitMQ password connections.rabbitmq.timeoutinseconds – Enter the RabbitMQ timeout value in seconds. This is the amount of time that BOA will wait before a timeout condition is identified. connections.rabbitmq.exchangeName - Enter the RabbitMQ exchange name

MutualAuthenticationSettings:sec.twoWayAuthEnabled - Enable/disable mutual authentication (true/false). sec.keystore.truststorePath – Enter the path to the trust store (/opt/cisco/vcs/certs/client-truststore.jks). sec.keystore.keystorePath – Enter the path to the keystore (/opt/cisco/vcs/certs/keystore.jks). sec.keystore.password – Enter the password to the keystore.

PurchaseClientConnections:NOTE:Configurebothorneither.purchase.client.sdmp.host -- Enter the IP address for the SDMP billing system. purchase.client.sdmp.port – Enter the communication port for the SDMP host. purchase.client.sdmp.path – Enter the path for the SDMP host. purchase.client.flex.host -- Enter the IP address for the FlexView billing system. purchase.client.flex.port – Enter the communication port for the FlexView host. purchase.client.flex.path – Enter the path for the FlexView host. purchase.retry.rateinseconds – Enter the purchase retry rate in seconds. purchase.retry.maxcount – Enter the maximum number of purchase retries.

55

ServiceDirectorySettings:serviceDirectory.ip – Enter the IP address of the Service Directory application. serviceDirectory.port – Enter the port of the Service Directory application, default port is 2013. serviceDirectory.requiredFlag – If this installation is for a deployment where Service Directory is not in use, set this flag to false. serviceDirectory.type – Enter the service discovery type to be used (“consul” or “dirserver”) serviceDirectory.datacenter – Enter the data center value if the service discovery type is set to Consul (“dc1”)

SerialNumberProcessing:kd.sn.processingFlag – This flag should only be set to true if special serial number processing is required.

DefaultAuthorizationsvod.free.packageName – If a default SVOD package is used to enable free content, this value should be included in the configuration settings with the correct offer key value. With this value set, the ModifyHouseholdAuthorizations command in the web service interface will ensure that this default package is not inadvertently removed.

AutomaticTVODReportTriggertvodReport.enableAutoTrigger.billingId – This value should be included in the configuration to enable the automatic triggering of a TVOD report request to the Reporting Service. The arguments for this attribute are the billing ID and the frequency of the report request in hours (e.g. tvodReport.enableAutoTrigger.billingId=sms1, 1). Separate billing IDs can be configured with report requests being triggered for each ID (e.g. tvodReport.enableAutoTrigger=sms1, 1; sms2, 2).

EnabledServicesenabledServices – This parameter should be populated with a comma-separated list of enabled service values if the validation of enabled service values is desired. If the list is populated, only the specified values will be accepted in the REST interface commands to add or remove enabled services. If the list is not populated, the enabled service values will not be validated.

56

PackageCreation:caproduct.ppv.value – Enter the CA product ID parameter name for PPV packages caproduct.subscription.value – Enter the CA product ID parameter name for subscription packages. business.rule.ppv.id – Enter the business rule parameter name for PPV packages business.rule.subscription.id – Enter the business rule parameter name for subscription packages. region.ppv.value – Enter the region parameter name for PPV packages region.subscription.value – Enter the region parameter name for subscription packages. region.validationFlag – Enable/disable region validation (true/false).

LocationAssignmentservice.feature.fipsLookup – Enable/disable location assignment when a household is created or updated (true/false). service.name.get_eas_location – Enter the URL used to retrieve the location code.

TransactionFlowservice.feature.trackflowFlag – Enable/disable the transaction flow feature (true/false). This feature requires the use of RabbitMQ so those configuration settings would be necessary.

RequestIdentifierservice.feature.generateRequestIdentifierFlag – Enable/disable the automatic generation of a unique request identifier in the SOAP web service interface. This can be enabled to produce a unique transaction identifier if it’s not feasible to include one in each SOAP request.

BookmarkDefaultCIIDservice.feature.bookmark.defaultciid – Enter the default CIID value if one is required when creating a new bookmark.

57

AppendixC

Jboss Certificate Management SecureSocketsLayer(SSL)encryptsnetworktrafficbetweentwosystems.Trafficbetweenthetwosystemsisencryptedusingatwo-waykey,generatedduringthehandshakephaseoftheconnectionandknownonlybythosetwosystems.Forsecureexchangeofthetwo-wayencryptionkey,SSLmakesuseofPublicKeyInfrastructure(PKI),amethodofencryptionthatutilizesakeypair.Akeypairconsistsoftwoseparatebutmatchingcryptographickeys-apublickeyandaprivatekey.Thepublickeyissharedwithothersandisusedtoencryptdata,andtheprivatekeyiskeptsecretandisusedtodecryptdatathathasbeenencryptedusingthepublickey.Whenaclientrequestsasecureconnection,ahandshakephasetakesplacebeforesecurecommunicationcanbegin.DuringtheSSLhandshaketheserverpassesitspublickeytotheclientintheformofacertificate.Thecertificatecontainstheidentityoftheserver(itsURL),thepublickeyoftheserver,andadigitalsignaturethatvalidatesthecertificate.Theclientthenvalidatesthecertificateandmakesadecisionaboutwhetherthecertificateistrustedornot.Ifthecertificateistrusted,theclientgeneratesthetwo-wayencryptionkeyfortheSSLconnection,encryptsitusingthepublickeyoftheserver,andsendsitbacktotheserver.Theserverdecryptsthetwo-wayencryptionkey,usingitsprivatekey,andfurthercommunicationbetweenthetwomachinesoverthisconnectionisencryptedusingthetwo-wayencryptionkey.TouseaSSL-encryptedHTTPconnection(HTTPS),aswellasothertypesofSSL-encryptedcommunication,youneedasignedencryptioncertificate.YoucanpurchaseacertificatefromaCertificateAuthority(CA),oryoucanuseaself-signedcertificate.

Prerequisites

• Youneedtheopensslutility,whichisprovidedbyOpenSSLfoundation.• Youneedthekeytoolutility,whichisprovidedbyanyJavaDevelopmentKit

implementation.OpenJDKonLinuxinstalledthiscommandto/usr/bin/keytool.

• Understandthesyntaxandparametersofthekeytoolcommand.

58

Create the Root CA (for NextX Admin Node installations)

PerformontheAdminNode(ifthishasalreadybeendone,skiptothesectiontitled,GenerateandSigntheApplicationNextXSSLCertificate,below)

CreatetheRootCAusingCisco’sCNFfile

1. Typethefollowingcommand:cd/etc/pki/tls

2. ChangedirectorytotheCAdirectory:cd/etc/pki/CA

3. Typethefollowingcommand:touchindex.txtserial

4. Typethefollowingcommandtoplaceanentryintotheserialfile:echo03e8>serial

5. TypethefollowingcommandtomaketheCSRdirectory:mkdircsr

6. TypethefollowingcommandtocreatetheRootCA:opensslreq–x509-extensionsv3_ca-days1825–sha384–newkeyrsa:3072-keyout/etc/pki/CA/private/cakey.pem-out/etc/pki/CA/certs/cacert.pemResults:Generatinga3072bitRSAprivatekey...............................................................................................................................++...............................++writingnewprivatekeyto'private/ca.key.pem'EnterPEMpassphrase:Verifying-EnterPEMpassphrase:-----Youareabouttobeaskedtoenterinformationthatwillbeincorporatedintoyourcertificaterequest.WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.TherearequiteafewfieldsbutyoucanleavesomeblankForsomefieldstherewillbeadefaultvalue,Ifyouenter'.',thefieldwillbeleftblank.-----CountryName(2lettercode)[XX]:USStateorProvinceName(fullname)[]:GeorgiaLocalityName(eg,city)[DefaultCity]:LawrencevilleOrganizationName(eg,company)[DefaultCompanyLtd]:CiscoOrganizationalUnitName(eg,section)[]:SPVSSCommonName(eg,yournameoryourserver'shostname)[]:NextX_CAEmailAddress[]:[email protected]

7. Typethefollowingcommands:chmod0400private/cakey.pemchmod0444certs/cacert.pem

59

8. ConfirmtheRootCertificateParameters,type:opensslx509–noout–text–incerts/cacert.pem

Results:

Certificate:Data:Version:3(0x2)SerialNumber:10442059454161242809(0x90e9a5bfc8ca4ab9)SignatureAlgorithm:sha384WithRSAEncryptionIssuer:C=US,ST=Georgia,L=Lawrenceville,O=Cisco,OU=SPVSS,CN=NextXCA/[email protected]:Mar1712:21:302017GMTNotAfter:Mar1612:21:302022GMTSubject:C=US,ST=Georgia,L=Lawrenceville,O=Cisco,OU=SPVSS,CN=NextXCA/[email protected]:PublicKeyAlgorithm:rsaEncryptionPublic-Key:(3072bit)Modulus:00:cb:a7:34:b3:4a:fb:17:b1:44:a6:87:62:73:c8:73:8b:53:13:76:63:c2:79:08:50:6c:79:80:15:f8:59:f8:a7:eb:38:1f:a5:5a:6d:96:e5:4c:f1:3d:f8:……….........07:b1:53:6a:fa:54:14:9f:d5:cb:2d:d6:33:2e:ce:f4:fc:71:68:b7:0d:46:a3:b2:81:4e:19:2a:9a:5d:f2:45:2b:15:59:8f:b9:93:9b:d1Exponent:65537(0x10001)X509v3extensions:X509v3SubjectKeyIdentifier:B7:7B:FA:AF:D0:02:9C:BE:24:02:EF:AF:A0:09:C7:6F:72:38:71:95X509v3AuthorityKeyIdentifier:keyid:B7:7B:FA:AF:D0:02:9C:BE:24:02:EF:AF:A0:09:C7:6F:72:38:71:95X509v3BasicConstraints:criticalCA:TRUEX509v3KeyUsage:criticalDigitalSignature,CertificateSign,CRLSignSignatureAlgorithm:sha384WithRSAEncryption30:e0:5b:34:c5:ec:f5:89:22:ad:f4:39:8a:90:50:8c:93:94:81:d2:50:51:26:64:fc:2c:59:2f:5b:7b:f5:65:a0:04:c6:2f:……………64:a4:a9:84:dc:52:ad:82:99:5f:2e:69:ef:7e:6a:07:e7:e9:7f:09:65:4b:19:de:b0:1c:c4:d3:61:d4:e4:2e:9f:e6:be:61:4b:c2:31:64:5c:5c

9. Verifythefollowing:

a. TheSignatureAlgorithmusedshouldbesha384WithRSAEncryptionb. TheIssuer(IssuerandSubjectshouldbeidentical)c. Validityofthecertificated. Subjectofthecertificate

60

10. ConfirmthePrivilegesoftheRootCAbytypingthefollowingcommand:opensslx509-purpose-incerts/cacert.pem-informPEMResults:Certificatepurposes:SSLclient:YesSSLclientCA:YesSSLserver:YesSSLserverCA:YesNetscapeSSLserver:YesNetscapeSSLserverCA:YesS/MIMEsigning:YesS/MIMEsigningCA:YesS/MIMEencryption:YesS/MIMEencryptionCA:YesCRLsigning:YesCRLsigningCA:YesAnyPurpose:YesAnyPurposeCA:YesOCSPhelper:YesOCSPhelperCA:YesTimeStampsigning:NoTimeStampsigningCA:Yes-----BEGINCERTIFICATE-----MIIFAjCCA2qgAwIBAgIJAJDppb/Iykq5MA0GCSqGSIb3DQEBDAUAMIGNMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHR2VvcmdpYTEWMBQGA1UEBwwNTGF3cmVuY2V2aWxsZTEOMAwGA1UECgwFQ2lzY28xDjAMBgNVBAsMBVNQVlNTMREwDwYDVQQDDAhOZXh0XUAUdI8lb7014fqH/4iE5Nufs293Y6JsVYQsCFRWI0v4SIX8Bqb3U8RAJNtkpKmE3FKtgplfLmnvfmoH5+l/CWVLGd6wHMTTYdTkLp/mvmFLwjFkXFw=-----ENDCERTIFICATE-----

11. Theoutputshouldlooksimilartotheabove.

61

GenerateandSigntheApplicationNextXSSLCertificateTosignaservercertificateyoufirstneedtocreateakey/certificatepairforthenodeinordertocreateaCertificateSigningRequest(CSR).Certificatesandkeyswillbeplacedin/etc/pki/tls/certsand/etc/pki/tls/private,respectively.Note:Youmustusethe-nodes(noDES)optioninthefollowingopensslcommandinordertoavoidhavingtoenterapassphrase.

1. Preparetheopenssl.cnffile(s)fortheapplicationnode(s).2. Copythefollowinglinesintoafilenamed<FQDN_cert>:

[server_cert]#Extensionsforservercertificates(`manx509v3_config`).basicConstraints=CA:FALSEsubjectKeyIdentifier=hashauthorityKeyIdentifier=keyid,issuer:alwayskeyUsage=critical,digitalSignature,keyEnciphermentextendedKeyUsage=serverAuth,clientAuthsubjectAltName=@altNames[altNames]DNS.1=<FQDN>DNS.2=<FQDN>DNS.3=<FQDN>IP.1=<IP>IP.2=<IP>IP.3=<IP>NOTE:Fornodeswithredundantcomponentsyoushouldaddtherespective<FQDN>and<IP>entriesintothealtNamestoallowforseamlessfailover.Certificatesandkeyswillbeplacedin/etc/pki/tls/certsand/etc/pki/tls/private,respectively.

3. Edittheopenssl.cnffileandchangethefollowing:a. Inthe“altNames”sectionofthe<FQDN>_certfilecompletetheDNS

andIPentriesforyourapplicationserver(s).NOTE:seeSampleApplicationfileforx509Certificate

62

4. Typethefollowingcommandandprivodeuniqueparameterstotheprompts:opensslreq–nodes–newkeyrsa:3072–keyout/etc/pki/tls/private/<FQDN>Key.pem–out/etc/pki/CA/csr/<FQDN>cert.csrResult:Generatinga3072bitRSAprivatekey..................................++....................................................................++writingnewprivatekeyto'/etc/pki/tls/private/amkey.key'-----Youareabouttobeaskedtoenterinformationthatwillbeincorporatedintoyourcertificaterequest.WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.TherearequiteafewfieldsbutyoucanleavesomeblankForsomefieldstherewillbeadefaultvalue,Ifyouenter'.',thefieldwillbeleftblank.-----CountryName(2lettercode)[XX]:USStateorProvinceName(fullname)[]:GALocalityName(eg,city)[DefaultCity]:LawrencevilleOrganizationName(eg,company)[DefaultCompanyLtd]:CiscoOrganizationalUnitName(eg,section)[]:SPVSSCommonName(eg,yournameoryourserver'shostname)[]:AMEmailAddress[]:[email protected]'extra'attributestobesentwithyourcertificaterequestAchallengepassword[]:cert1234yAnoptionalcompanyname[]:Cisco

5. TypethefollowingcommandtosigntheCSR:opensslca–extensionsserver_cert–extensionsv3_req–notext–in/etc/pki/CA/csr/<FQDN>.csr–out/etc/pki/tls/certs/<FQDN>.crt.pemResult:Usingconfigurationfrom/etc/pki/tls/openssl.cnfEnterpassphrasefor/etc/pki/CA/private/ca.key.pem:CheckthattherequestmatchesthesignatureSignatureokCertificateDetails:SerialNumber:1000(0x3e8)ValidityNotBefore:Mar1713:29:372017GMTNotAfter:Mar1613:29:372022GMTSubject:countryName=USstateOrProvinceName=GeorgiaorganizationName=CiscoorganizationalUnitName=SPVSScommonName=vcsconsoleemailAddress=somebody@cisco.comX509v3extensions:X509v3SubjectAlternativeName:DNS:vcsconsole.local,IPAddress:10.90.185.112CertificateistobecertifieduntilMar1613:29:372022GMT(1825days)Signthecertificate?[y/n]:y1outof1certificaterequestscertified,commit?[y/n]y

63

Writeoutdatabasewith1newentriesDataBaseUpdated

6. ConfirmtheCertificateParametersbytypingthefollowingcommand:opensslx509–noout–text–in/etc/pki/tls/certs/<FDQN>.crt.pemResult:Certificate:Data:Version:3(0x2)SerialNumber:1000(0x3e8)SignatureAlgorithm:sha384WithRSAEncryptionIssuer:C=US,ST=Georgia,L=Lawrenceville,O=Cisco,OU=SPVSS,CN=NextXCA/[email protected]:Mar1713:29:372017GMTNotAfter:Mar1613:29:372022GMTSubject:C=US,ST=Georgia,O=Cisco,OU=SPVSS,CN=vcsconsole/[email protected]:PublicKeyAlgorithm:rsaEncryptionPublic-Key:(3072bit)Modulus:00:ad:72:26:cc:59:70:6e:ba:ba:be:ac:15:10:33:49:8f:84:5a:27:c5:82:36:72:1f:0a:ab:99:73:b9:8d:cd:a3:3e:89:c7:ab:35:f7:d2:37:57:af:7b:ef:………..b6:76:34:68:c0:2b:d2:76:d0:ac:db:7b:40:bc:ef:40:f8:35:43:52:d4:68:fd:24:5e:f2:45:0b:68:de:70:5e:c4:3d:a7:42:c7:3e:d1:b7Exponent:65537(0x10001)X509v3extensions:X509v3SubjectAlternativeName:DNS:vcsconsole.local,IPAddress:10.90.185.112SignatureAlgorithm:sha384WithRSAEncryption4e:04:5b:0d:bc:0e:71:0d:79:df:8c:48:df:f7:65:a4:fd:06:36:79:90:14:ca:b6:d4:b4:b8:e8:c4:b5:7c:78:04:00:b8:21:ea:8d:8a:e5:46:5a:12:2a:68:81:51:ec:55:fc:f6:93:a9:71:da:d4:82:59:72:ed:ac:b1:a3:6b:5c:9b:07:0a:30:7c:ae:60:………….66:3a:ce:37:b3:c2:95:a5:3f:f2:f7:fd:69:0c:1f:7b:2e:cc:18:99:82:4a:d9:3e:c2:b6:a8:28:3c:01:4e:a9:85:98:02:de:d4:f8:bf:36:ba:35

7. Copythefollowingfilesovertotheapplicationnode:a. <FQDN>privatekeyfileb. <FQDN>certificatefilec. CArootcertificatefile

64

UpdatetheapplicationSecuritystores(executeontheApplicationnode)

1. CreatethePKCS12filebytypingthefollowingcommand:

opensslpkcs12–export–in<path-to-file>/<FQDN>-cert.pem–inkey<path-to-file>/<FQDN>.key–out<pkcs12fileout>.p12-name<aliasforkeystore>-CAfile<path-to-file>/ca.crt.pem–canameroot

Result:

EnterExportPassword:(Passwordsameasthepasswordforyourkeystorebelow)Verifying-EnterExportPassword:(Samepassword)

2. CreateakeystorefromthePKCS12filecreatedinstep1.

keytool–v–importkeystore–srckeystore<filenamecreatedinstep1above>.p12–srcstoretypePKCS12–destkeystore<keystoreJKSfilename>-deststoretypeJKS

Sampleresult: Enterdestinationkeystorepassword:(Passwordforthekeystore)

Entersourcekeystorepassword:(Passwordenteredinstep1above)NOTE:Thetwopasswordsmustbethesame.Entryforalias<aliasfrom“-name”instep1above)successfullyimported.Importcommandcompleted:1entriessuccessfullyimported,0entriesfailedorcancelled[Storingvcsconsolekeystore.ks]

3. CreatethetruststorewiththerootCAcertificatebytypingthefollowing:keytool–import–trustcacerts–aliascaserver–file<path-to-file>/ca.crt.pem–keystore<TrustStoreJKSfilename>

Sampleresult:Enterkeystorepassword:Owner:[email protected],CN=NextXCA,OU=SPVSS,O=Cisco,L=Lawrenceville,ST=Georgia,C=USIssuer:[email protected],CN=NextXCA,OU=SPVSS,O=Cisco,L=Lawrenceville,ST=Georgia,C=USSerialnumber:90e9a5bfc8ca4ab9Validfrom:FriMar1708:21:30EDT2017until:WedMar1608:21:30EDT2022Certificatefingerprints: MD5:05:49:9C:07:C2:2A:10:EF:24:AE:38:2D:C6:77:1F:40 SHA1:0B:E3:52:A5:BC:0E:65:9C:E4:FD:D8:FC:12:52:23:A6:3E:A2:38:BC SHA256:97:AC:95:D6:CA:71:07:5A:6A:77:A1:CD:A9:D3:53:56:81:89:76:B6:69:33:3E:7E:2B:D7:D0:26:20:71:68:56 Signaturealgorithmname:SHA384withRSA Version:3Extensions:#1:ObjectId:2.5.29.35Criticality=falseAuthorityKeyIdentifier[KeyIdentifier[0000:B77BFAAFD0029CBE2402EFAFA009C76F........$......o0010:72387195r8q.]

65

]#2:ObjectId:2.5.29.19Criticality=trueBasicConstraints:[CA:truePathLen:2147483647]#3:ObjectId:2.5.29.15Criticality=trueKeyUsage[DigitalSignatureKey_CertSignCrl_Sign]#4:ObjectId:2.5.29.14Criticality=falseSubjectKeyIdentifier[KeyIdentifier[0000:B77BFAAFD0029CBE2402EFAFA009C76F........$......o0010:72387195r8q.]]Trustthiscertificate?[no]:yesCertificatewasaddedtokeystore

4. Editthe/opt/cisco/vcs/security.propertiesfiletochangethepathtothekeystoreandtruststore.

5. RestartJbossusingsetup:

Enter:

/opt/cisco/jboss-config/setup.sh--authtwo-way--restart-jbosstrue

6. Undeployandredeploytheservice.NOTE:ForAlertManageryoumayneedtore-runthedatabaseconnectionscript.

66

Sample AlertManager Cert file for x509 NOTE:FormultipleApplicationNodesoneDNSentrycanbeusedwithmultipleIPsforthevariousnodesusedforfailoverorinaredundantinstallation.[ server_cert ] # Extensions for server certificates (`man x509v3_config`). basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth, clientAuth subjectAltName = @altNames [ altNames ] DNS.1 = <name>.local IP.1 = 10.50.3.45 IP.2 = 10.50.3.20

67

AppendixD

AlertManager –HAProxy Configuration

HAProxyConfigurationwithCertificates#---------------------------------------------------------------------#Exampleconfigurationforapossiblewebapplication.Seethe#fullconfigurationoptionsonline.##http://haproxy.1wt.eu/download/1.4/doc/configuration.txt##---------------------------------------------------------------------#---------------------------------------------------------------------#Globalsettings#---------------------------------------------------------------------global#tohavethesemessagesendupin/var/log/haproxy.logyouwill#needto:##1)configuresyslogtoacceptnetworklogevents.Thisisdone#byaddingthe'-r'optiontotheSYSLOGD_OPTIONSin#/etc/sysconfig/syslog##2)configurelocal2eventstogotothe/var/log/haproxy.log#file.Alinelikethefollowingcanbeaddedto#/etc/sysconfig/syslog##local2.*/var/log/haproxy.log#log127.0.0.1local2chroot/var/lib/haproxypidfile/var/run/haproxy.pidmaxconn4000userhaproxygrouphaproxydaemon#turnonstatsunixsocket

68

statssocket/var/lib/haproxy/stats#DefaultSSLmateriallocations(Location/pathforSSLCertificates)ca-base/opt/cisco/vcs/certscrt-base/opt/cisco/vcs/certs#---------------------------------------------------------------------#commondefaultsthatallthe'listen'and'backend'sectionswill#useifnotdesignatedintheirblock#---------------------------------------------------------------------defaultsmodehttplogglobaloptionhttplogoptiondontlognulloptionhttp-server-closeoptionforwardforexcept127.0.0.0/8optionredispatchretries3timeouthttp-request10stimeoutqueue1mtimeoutconnect5000timeoutclient50000timeoutserver50000timeouthttp-keep-alive10stimeoutcheck10smaxconn3000#---------------------------------------------------------------------#HAProxyMonitoringConfig#---------------------------------------------------------------------listenhaproxy3-monitoring*:8081#HaproxyMonitoringrunonport8080modehttpoptionforwardforoptionhttpclosestatsenablestatsshow-legendsstatsrefresh5sstatsuri/stats#URLforHAProxymonitoringstatsrealmHaproxy\Statisticsstatsauthhowtoforge:howtoforge#UserandPasswordforlogintothemonitoringdashboardstatsadminifTRUEdefault_backendapp-main#Thisisoptionallyformonitoringbackend#---------------------------------------------------------------------

69

#mainfrontendwhichproxystothebackends#---------------------------------------------------------------------frontendapp#aclurl_staticpath_beg-i/static/images/javascript/stylesheets#aclurl_staticpath_end-i.jpg.gif.png.css.js#use_backendstaticifurl_staticbind*:80bind*:443sslcrtmycrtca-file/opt/cisco/vcs/certs/cacert.pemverifyrequiredmodehttpredirectschemehttpsif!{ssl_fc}optionforwardfordefault_backendapp-main#---------------------------------------------------------------------#roundrobinbalancingbetweenthevariousbackends#---------------------------------------------------------------------backendapp-mainbalanceroundrobinmode http#optionhttpchkHEAD/HTTP/1.1\r\nHost:localhost#serverapp110.90.185.44:8080check#serverapp210.90.185.210:8080checkserverapp110.90.185.44:8443checksslverifyrequiredca-file/opt/cisco/vcs/certs/cacert.pemcrt/opt/cisco/vcs/certs/server.crtserverapp210.90.185.210:8443checksslverifyrequiredca-file/opt/cisco/vcs/certs/cacert.pemcrt/opt/cisco/vcs/certs/server.crtNOTE:ThisconfigurationcontainstwoAlertManagerinstances,requestswillbeloadbalancesbetweenthetwo.

70

HAProxywithoutSSLCertificates#--------------------------------------------------------------------- # Example configuration for a possible web application. See the # full configuration options online. # # http://haproxy.1wt.eu/download/1.4/doc/configuration.txt # #--------------------------------------------------------------------- #--------------------------------------------------------------------- # Global settings #--------------------------------------------------------------------- global # to have these messages end up in /var/log/haproxy.log you will # need to: # # 1) configure syslog to accept network log events. This is done # by adding the '-r' option to the SYSLOGD_OPTIONS in # /etc/sysconfig/syslog # # 2) configure local2 events to go to the /var/log/haproxy.log # file. A line like the following can be added to # /etc/sysconfig/syslog # # local2.* /var/log/haproxy.log # log 127.0.0.1 local2 chroot /var/lib/haproxy pidfile /var/run/haproxy.pid maxconn 4000 user haproxy group haproxy daemon # turn on stats unix socket stats socket /var/lib/haproxy/stats # Default SSL material locations ca-base /opt/cisco/vcs/certs crt-base /opt/cisco/vcs/certs #--------------------------------------------------------------------- # common defaults that all the 'listen' and 'backend' sections will # use if not designated in their block

71

#--------------------------------------------------------------------- defaults mode http log global option httplog option dontlognull # option http-server-close # option forwardfor except 127.0.0.0/8 # option redispatch # retries 3 # timeout http-request 10s timeout queue 1m timeout connect 5000 timeout client 50000 timeout server 50000 # timeout http-keep-alive 10s # timeout check 10s # maxconn 3000 #--------------------------------------------------------------------- # main frontend which proxys to the backends #--------------------------------------------------------------------- frontend main *:5000 acl url_static path_beg -i /static /images /javascript /stylesheets acl url_static path_end -i .jpg .gif .png .css .js use_backend static if url_static default_backend app bind *:8080 #--------------------------------------------------------------------- # static backend for serving up images, stylesheets and such #--------------------------------------------------------------------- backend static balance roundrobin server static 127.0.0.1:4331 check #--------------------------------------------------------------------- # round robin balancing between the various backends #--------------------------------------------------------------------- backend app mode http

72

balance roundrobin option forwardfor http-request set-header X-Forwarded-Port %[dst_port] http-request add-header X-Forwarded-Proto https if { ssl_fc } option httpchk HEAD / HTTP/1.1\r\nHost:localhost server app1 10.90.185.44:8080/AlertManager/api/CAP check server app2 10.90.185.210:8080/AlertManager/api/CAP check listen stats *:8080 stats enable stats uri / stats hide-version

73

Commands

1. RestartJBoss:servicejboss-asrestart/stop/status

2. DeployBOA:/opt/cisco/billingadaptor/bin/billingadaptor.shdeploy

3. UndeployBOA:/opt/cisco/billingadaptor/bin/billingadaptor.shundeploy

4. RedeployBOA:/opt/cisco/billingadaptor/bin/billingadaptor.shredeploy

5. StatusBOA:/opt/cisco/billingadaptor/bin/billingadaptor.shstatus

installing the billing adaptor (boa) user’s · pdf fileinstalling the billing adaptor...

Documents