Document Title: AutoBAHN System Deployment Guidelines SA2 Task5 Release 1.0.4

Document Title: AutoBAHN System Deployment Guidelines Release 3.0

Document Details

Activity: SA3
Work Item: Task1
Nature of Deliverable: O
Author: Jacek Lukasik, Ophelia Neofytou, Afrodite Sevasti, Stella-Maria Thomas, Kostas Stamos, Giannis Zaoudis, Giorgos Adam, Akis Kalligeros, Kim Kramaric
Dissemination: PP (Project Participants)


Table of Contents

1 Introduction
1.1 Prerequisites table
2 Control plane: AutoBAHN software suite installation
2.1 AutoBAHN server specifications
2.1.1 Hardware
2.1.2 Default ports used (may be reconfigured)
2.2 Installation of prerequisites
2.2.1 Java installation
2.2.2 RDBMS installation
2.3 AutoBAHN installation
2.3.1 Using APT
2.3.2 Manually
2.4 Upgrading AutoBAHN
2.4.1 Using APT
2.4.2 Manually
2.5 Adding the network topology information
2.5.1 cNIS as topology information registry for AutoBAHN
2.5.1.1 Inserting topology information in cNIS
2.5.1.2 Adding the connections to the external domains
2.5.1.3 Connections to end points
2.5.1.4 Configure DM to use cNIS as topology information source
2.5.2 Public identifiers
2.5.3 Multiple links attached to a single port
2.6 AutoBAHN system configuration
    autobahn.properties (Configuration of general AutoBAHN parameters)
    public_ids.properties (Configuration of public identifiers’ mappings)
    security/aai/dm_security.xml (Configuration of local authorization policies)
2.7 Initializing the AutoBAHN service
2.8 Shutting down the service
3 Technology Proxy configuration
3.1 Configuring DM to communicate with the TP
3.2 Supporting more technologies
3.2.1 Case A: End host at the domain’s ingress Point-of-Presence from GÉANT
3.2.2 Case B: End host connected to any Point-of-Presence in the domain
4 Appendix
4.1 Installing Topology Service (TS)
4.1.1 On Linux
4.1.2 Configuring TS
    application.properties
    securityContext.xml
4.2 WebGUI deployment
4.2.1 Web Application Container installation
4.2.2 Web GUI installation
4.2.3 Configure AAI
4.2.3.1 XML file IdP
4.2.3.2 Crowd IDP
4.2.3.3 Enable eduGAIN authentication
4.2.4 Configure TS access and IDMs tear down time
4.2.5 Configure WebGUI SSL/TLS communication with AutoBAHN instances
4.2.6 Configure Tomcat SSL/TLS communication with browsers
4.2.7 psi-probe Configuration
4.2.8 Accessing the portal
4.3 Security mechanisms summary
4.3.1 Trusted communication between system components and other domains using HTTPS
4.3.2 Secure CLI access
4.3.3 User authentication / authorization at the Web GUI
4.3.4 Authorization policies at each AutoBAHN instance
4.4 AA how-to
4.4.1 Audience
4.4.2 Prerequisites
4.4.3 Step-by-step guide
5 Glossary
6 References

1 Introduction

The document describes the prerequisites needed, and sets out the instructions to follow, in order to deploy the Automated Bandwidth Allocation across Heterogeneous Networks (AutoBAHN) system in a domain.

To provide guaranteed end-to-end dynamic circuit service with resource reservation, service requests must be co-ordinated across domains. This role is undertaken by instances of the AutoBAHN system deployed in each involved domain.

The AutoBAHN system comes with the following software components:

  • Single AutoBAHN instance – the software suite to be deployed in each involved domain:
      • InterDomain Manager (IDM): the module that handles communication with neighboring domains.
      • Domain Manager (DM): the module that handles operations within the domain.
      • Common Network Information System (cNIS): a tool for storing network topology, described in detail in section 2.5.
      • Technology Proxy (TP): the module that takes care of communication with the underlying Network Management System (NMS) or the network devices. It is the only part of the system that needs to be customized depending on the underlying network technology and the existing network device access policies.

Additionally, to make the separate AutoBAHN instances aware of each other and operate as one environment, the following components need to be deployed (they are installed only once, centrally, and serve all AutoBAHN domains):

  • Topology Service
  • Web based graphical user interface (Web GUI)

1.1 Prerequisites table

Below is a table with an overview of prerequisites for installing each part of the software (details are given in the corresponding sections):

Prerequisite               | AutoBAHN software suite (IDM, DM, TP, cNIS)    | Topology Service                       | WebGUI
Java 1.7 VM                | Required                                        | Required                               | Required
NTP server synchronization | Required                                        | Required                               | Required
PostgreSQL 8.x or higher   | Required (see section 2.2.2)                    | Not needed                             | Not needed
Apache Tomcat              | Required: Tomcat 6 (for cNIS, see section 2.3)  | Required: Tomcat 7 (see section 4.1.1) | Required: Tomcat 6 or 7 (see section 4.2.1)

2 Control plane: AutoBAHN software suite installation

2.1 AutoBAHN server specifications

The server that hosts the AutoBAHN system must fulfil the following hardware requirements:

2.1.1 Hardware

  • Central Processing Unit (CPU) – minimum 1 gigahertz (GHz).
  • RAM – minimum 1 gigabyte (GB).
  • Disk space – minimum 1 GB, recommended 5GB (for long term logs).
  • Network Interface Controller (NIC) – 1 Fast Ethernet NIC.
  • Operating System (OS) – any supporting Java. The software has been tested on Fedora, Debian, Suse, and Ubuntu Linux. Recommended options (and the ones used for reference in this manual) are Ubuntu and Debian Linux.

2.1.2 Default ports used (may be reconfigured)

  • 8080 – Inter-domain, IDM – WebGUI, IDM – DM.
  • 8091 – Secure (HTTPS) Inter-domain, IDM – WebGUI, IDM – DM.
  • 5432 – Database access within the domain.
  • 5000 – Console (Telnet) access to the IDM.
  • 25 – Simple Mail Transfer Protocol (SMTP) for sending mails with notifications (optional).

AutoBAHN should be running on a server with a globally routable IP address. It cannot properly function on a machine that has only been configured with a NAT address because some of the messages exchanged by AutoBAHN instances contain IP addresses, and therefore NAT operation is not transparent.

Please also check section 2.6 for configuring the HTTP and HTTPS ports.

2.2 Installation of prerequisites

Please consult the table with prerequisites in the introduction section 1.1 in order to identify the appropriate prerequisites.

Important: Do not forget to use NTP based time synchronization. Certain reservation events are launched at a strictly specified time in all domains across a path, so it is highly important to keep the hosts synchronized.

2.2.1 Java installation

Download Java 1.7. You may use either your preferred package manager (such as apt-get) or download it directly from the Oracle/Sun website and follow the instructions there. Because of Oracle licensing restrictions you may first have to add a repository before being able to install Java 1.7.

Ubuntu/Debian Linux tip: in order to see whether a package is currently known to your apt-get repository, run:

apt-cache search <package name>

For example:

apt-cache search java7

Below some examples are given, but situation may change in the future, so consult your distribution documentation.

For an Ubuntu system you may need to run:

add-apt-repository ppa:webupd8team/java

apt-get update

apt-get install oracle-java7-installer

For a Debian system you may need to run:

echo "deb precise main" | tee -a /etc/apt/sources.list

echo "deb-src precise main" | tee -a /etc/apt/sources.list

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EEA14886

apt-get update

apt-get install oracle-java7-installer

apt-get install oracle-java7-set-default

2.2.2 RDBMS installation

Install PostgreSQL 8.x or higher (you can download the latest release from and follow the installation instructions in the documentation, e.g. for Debian ).

Other SQL RDBMSs may also be used, as long as they are supported by Hibernate [Hibernate]. However, you are strongly advised to use PostgreSQL, as it is the only one that has been tested.

For example, in a Debian / Ubuntu system you may run:

apt-get install postgresql-8.4

(or any higher PostgreSQL version such as 9.3)

Make sure that local access to the database is allowed (e.g. you can connect to PostgreSQL by running psql). In order to do that, you can perform the following steps:

/etc/init.d/postgresql start

Then try to connect to the database to make sure that local access has been opened. In order to connect you have to be a user that is registered in the database, so connect as the default user (postgres), for example by running:

su postgres

psql

You should then create an empty database that will be used by AutoBAHN. For example, the following command creates a user called abahn with password geant:

CREATE ROLE abahn ENCRYPTED PASSWORD 'geant' SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN;

Then the following command creates a database called abahn1 owned by the newly created abahn user.

CREATE DATABASE abahn1 WITH OWNER abahn;

To exit psql use the following command:

\q

Finally, verify that the database was created by checking the output of the command:

psql -l

2.3 AutoBAHN installation

2.3.1 Using APT

In a Debian system you can install AutoBAHN via the apt-get command.

  • Open the /etc/apt/sources.list file and add the following repository:

deb /

  • Run the following command to update the list of packages:

apt-get update

  • Run the following command to install the AutoBAHN package:

apt-get install autobahn

AutoBAHN will then be installed in the /usr/local folder.

2.3.2 Manually

This assumes you have downloaded the autobahn.zip which contains the desired AutoBAHN release (usually the latest one).

  • Extract AutoBAHN.zip at the folder where you intend to install autobahn. The zip contains everything in a single folder named autobahn.
  • Run the following command to make sure all scripts are executable:

chmod +x *.sh

2.4 Upgrading AutoBAHN

2.4.1 Using APT

In a Debian system where you have already installed AutoBAHN using apt-get you can upgrade it by running:

apt-get update

apt-get install autobahn

AutoBAHN will then be upgraded in the /usr/local folder, and the pre-existing configuration in the etc folder will be preserved.

2.4.2 Manually

Download the latest autobahn.zip.

  • Extract AutoBAHN.zip at the folder where you intend to install autobahn. The zip contains everything in a single folder named autobahn.
  • Run the following command to make sure all scripts are executable:

chmod +x *.sh

  • Overwrite the etc/ folder from the previous installation to preserve pre-existing configuration.

2.5 Adding the network topology information

The Common Network Information Service (cNIS) is a tool that provides a unified repository of all relevant network information about a single administrative domain. It is used by AutoBAHN as the module that stores and fetches network topology information. Therefore, network topology of your domain (including links connecting with neighbouring domains) should be stored in cNIS which will then be retrieved by AutoBAHN.

A valid topology which can be utilized by AutoBAHN needs to include at least two connections to external domains. By “external domain” we mean a neighboring AutoBAHN domain (which is outside our management) or an end point (a place where the circuit may terminate, called a client domain). AutoBAHN is designed to set up connections between a pair of end points across multiple heterogeneous domains. In order to be able to build a valid connection, each domain should have connections to at least two external domains (the valid possibilities are: two other AutoBAHN domains, one AutoBAHN domain and one end point, or two end points).

The following sections describe the steps of using cNIS to provide the topology information to AutoBAHN system.

2.5.1 cNIS as topology information registry for AutoBAHN

In order to configure your domain’s internal topology using cNIS, the following steps have to be performed:

  1. Install cNIS (visit instructions). AutoBAHN 3.0 requires cNIS 3.2 or higher.

Quick cNIS installation steps (if you want to skip reading the whole cNIS installation guide):

  a. Download cnis.war from and store it in the Tomcat webapps folder.
  b. Connect to PostgreSQL and create a cnis database owned by a cnis user:

su postgres

psql

postgres=# create user cnis with password 'cnis';

postgres=# create database cnis with owner cnis;

postgres=# \q

  c. Run the following command to increase the Tomcat memory allocation:

export JAVA_OPTS="$JAVA_OPTS -Xmx512M -XX:PermSize=128M"

  d. Edit the WEB-INF/conf/as.properties file and set the alarm.service.url property to , where server.ip and server.port are the IP and port where AutoBAHN is installed.

Please note that you can find the as.properties file and edit it either directly in cnis.war or, if you have already started Tomcat, in the webapps/cnis folder that Tomcat has produced from the WAR file.

  e. Run (or restart) Tomcat, for example by running:

/etc/init.d/tomcat7 restart

  f. Verify that cNIS works: launch an internet browser and enter the following URL: (if an XML file is displayed, your cNIS instance has been launched properly).

  2. Insert information about the topology of your domain using the cNIS web application (see 2.5.1.1).
  3. Add connections to other AutoBAHN-enabled domains or client end points (see 2.5.1.2 and 2.5.1.3).
  4. Change the DM configuration to use cNIS as a topology information source (autobahn.properties file).

The last step, changing the DM configuration, is performed during the installation of the AutoBAHN software (section 2.6).

Figure 1 Sample physical topology (two ethernet domains)

Figure 1 presents a sample physical Ethernet topology of two AutoBAHN-enabled domains, Domain1 and Domain2. There is a single connection between these two domains, and each domain has a single client connected to it (CLI1 and CLI2).

The following sections describe the process of configuring AutoBAHN for this sample scenario. The scenario assumes two AutoBAHN domains, each controlling a separate network; cNIS and AutoBAHN instances have to be deployed and configured for each of them separately.

2.5.1.1 Inserting topology information in cNIS

Launch the cNIS UI in your internet browser; the credentials are admin/admin for the default installation. Insert the information about the network elements using the web forms.

You can learn more about editing a topology in cNIS by watching the screencasts available at:

Topology for Domain1:

Add the nodes (Navigation: ‘Ethernet’ Tab -> ‘Nodes’ \ ‘Add Node’) (in the example: two nodes – Node1 and Node2)

  • Specify the ‘name’ attribute of the node
  • Specify the ‘IP address’ (management address) of the node
  • Specify Vlan ranges available for ports on the given node (in the example: add the range of available vlan ids 100-200). You can specify multiple ranges if the available vlans are not a continuous range.
  • Add the interfaces (ports) for each of the nodes (Navigation: ‘Ethernet’ Tab -> ‘Nodes’ \ ‘Node list’ -> ‘view’ -> ‘Ports’ Tab -> ‘Add new port’) (in the example ports: eth1.4 and eth1.2 belong to Node1)
  • Fill in the attributes required by AutoBAHN:
      • Name
      • Status
      • Bandwidth

Add the link between the interfaces eth1.4 (Node1) and eth1.3 (Node2) (Navigation: Ethernet Tab -> Add Link)

The process of adding the topology information for Domain2 is similar.

2.5.1.2 Adding the connections to the external domains

Choose the Ethernet tab and ‘Add Link’ from the left menu labeled ‘External domains links’. A form is then displayed. The following information must be provided:

External domain ID:

  • Specify here the identifier of the external domain. This has to be exactly the domain name that your neighboring domain is using (e.g. GEANT). If your connection goes to an end point then you can put an arbitrary identifier (i.e. Client-domain).

End port ID:

  • Specify the public identifier of the terminating interface in the other domain (i.e. p-to-dom1)

Bandwidth:

  • Specify here the capacity of the connection.

Start node:

  • Choose a node from the list. It is the node from your domain where the external link is attached.

Start interface:

  • Choose an interface from the list. It is the termination of the connection that belongs to your domain.

VLAN ranges:

  • Specify range of available VLAN identifiers on your side of the connection. (it can be a range or a single value or a combination i.e. 5,800-802,100-120)

If the connection is to another domain (e.g. GEANT), click on the Start port name, then click on ‘Edit’ and in the input field ‘Public name’ put the port’s public name (e.g. p-to-dom2). The public name is the identifier under which this port will be known to other domains (so that you do not have to announce internal identifiers to other domains). For more details, read section 2.5.2.

2.5.1.3 Connections to end points

Client end points are treated similarly to neighboring domains. No separate node is needed to represent the client end host. In other words, all you have to add in cNIS is an external link (using the same steps shown above needed to create a connection to an external domain). The difference for client end points is that you also have to do the following step:

When you create the external link, you have to tick the checkbox for ‘Client’ in the ‘General’ tab (mandatory). It is also preferable to give a description to this client through the ‘Description’ input box. The latter is optional; you can add, for example, ‘Data calculation cluster in Poznan’.

Click ‘Ok’ button to submit the data.

2.5.1.4 Configure DM to use cNIS as topology information source

To plug cNIS into your DM you must edit the <autobahn_home>/etc/autobahn.properties file. Find the line with the cnis.address property and insert the correct address of the abs service of your cNIS instance.

cnis.address=

For example:

cnis.address=

The above configuration should take place during the installation of the AutoBAHN software (section 2.6).

2.5.2 Public identifiers

As domain administrators may not want to announce topology details such as port or node identifiers to external domains, AutoBAHN introduces the concept of public identifiers, which hide the real physical identifiers of ports and nodes.

In the sample diagram we can see that although the port connecting Domain2 with Domain1 has the identifier ‘eth.2.1’, Domain1 sees it as ‘p-to-dom1’, while Domain2 sees ‘eth1.1’ as ‘p-to-dom2’. This is the only information that Domain2 has about the physical topology of Domain1. The topology information seen by Domain1 is shown in green and that seen by Domain2 in red.

There are 2 alternative ways to store information about the mapping:

1. Insert the relevant information in cNIS, as described in section 2.5.1.2.

2. Enter the information about the mapping in a special property file named <autobahn_home>/etc/public_ids.properties:

At <autobahn_home>/etc/public_ids.properties file of Domain1 installation:

#Public names for domain ports

p-to-dom2=eth.1.1

At <autobahn_home>/etc/public_ids.properties file of Domain2 installation:

#Public names for domain ports

p-to-dom1=eth.2.1
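How a domain can use this mapping in practice, as an added Python example that is not part of AutoBAHN: it parses a public_ids.properties file (the Domain1 entry above plus a constructed second entry, p-to-client=eth.1.2), resolves identifiers in both directions, announces only public names outward, and rejects mapping files in which a public name or an internal port is mapped twice. The function names and the second entry are this example's own assumptions.

```python
"""Resolving AutoBAHN public identifiers against public_ids.properties.

Added example, not AutoBAHN code. The second mapping (p-to-client) and
the function names are assumptions made for the example."""
from typing import Dict, List, Optional

# Constructed sample: <autobahn_home>/etc/public_ids.properties of Domain1,
# extended with one more mapping for the client-facing port.
DOMAIN1_PUBLIC_IDS = """\
#Public names for domain ports
p-to-dom2=eth.1.1
p-to-client=eth.1.2
"""


def parse_public_ids(text: str) -> Dict[str, str]:
    """Parse the properties file into {public name: internal port id}.

    Blank lines and comment lines ('#' or '!' first, as in Java properties)
    are skipped. Each public name may be defined once, and each internal port
    may carry only one public name, so lookups in both directions are
    unambiguous."""
    public_to_internal: Dict[str, str] = {}
    internal_to_public: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected public=internal, got {raw!r}")
        public, internal = (s.strip() for s in line.split("=", 1))
        if not public or not internal:
            raise ValueError(f"line {lineno}: empty identifier in {raw!r}")
        if public in public_to_internal:
            raise ValueError(f"line {lineno}: public name {public!r} defined twice")
        if internal in internal_to_public:
            raise ValueError(f"line {lineno}: port {internal!r} already has public name "
                             f"{internal_to_public[internal]!r}")
        public_to_internal[public] = internal
        internal_to_public[internal] = public
    return public_to_internal


def to_public(mapping: Dict[str, str], internal_port: str) -> Optional[str]:
    """Public name of an internal port, or None if the port has none."""
    for public, internal in mapping.items():
        if internal == internal_port:
            return public
    return None


def to_internal(mapping: Dict[str, str], public_name: str) -> Optional[str]:
    """Internal port id behind a public name received from another domain,
    or None if no such public name exists in this domain."""
    return mapping.get(public_name)


def announce_ports(mapping: Dict[str, str], internal_ports: List[str]) -> List[str]:
    """Identifiers that may leave the domain: ports without a public name are
    withheld rather than leaked under their internal id."""
    return [name for name in (to_public(mapping, p) for p in internal_ports) if name]


if __name__ == "__main__":
    ids = parse_public_ids(DOMAIN1_PUBLIC_IDS)
    print(announce_ports(ids, ["eth.1.1", "eth.1.2", "eth.1.3"]))  # ['p-to-dom2', 'p-to-client']
```

The reverse lookup in to_public is linear in the size of the file, which is fine for the handful of border ports a domain has; the point of the duplicate checks in parse_public_ids is that a mapping file with two public names for one port, or one public name for two ports, is refused at load time rather than producing a silent mistranslation of a neighbour's request.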

2.5.3 Multiple links attached to a single port

cNIS allows you to define a topology where more than one link is attached to the same port. However, AutoBAHN will normally not allow such a topology: it will assume an insertion error and report it as such when reading the topology information from cNIS. In most cases this is desirable, as it helps the user identify insertion errors and correct the link and port definitions.
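The checks described in this chapter (at least two external connections in section 2.5, the VLAN range syntax used when adding links in 2.5.1.2, and the one-link-per-port rule of this section), as an added Python example. It is not AutoBAHN or cNIS code and does not talk to cNIS; it validates an in-memory model of the Domain1 topology from Figure 1, and the record types, field names, bandwidths, client port identifier and error wording are constructed for the example.

```python
"""Sanity checks on a domain topology before AutoBAHN reads it from cNIS.

Added example, not AutoBAHN or cNIS code. The record types, field names,
sample bandwidths and the wording of the error messages are this example's
own assumptions; the topology mirrors Domain1 from the guide's figure."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

PortId = Tuple[str, str]  # (node name, port name), e.g. ("Node1", "eth1.4")


def parse_vlan_ranges(spec: str) -> Set[int]:
    """Expand a VLAN specification such as '5,800-802,100-120' (single
    values and ranges, comma separated) into the set of VLAN ids."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo_s, hi_s = part.split("-", 1) if "-" in part else (part, part)
        lo, hi = int(lo_s), int(hi_s)          # non-numeric text raises ValueError
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"invalid VLAN range {part!r} in {spec!r}")
        vlans.update(range(lo, hi + 1))
    if not vlans:
        raise ValueError(f"empty VLAN specification {spec!r}")
    return vlans


@dataclass
class Port:
    node: str
    name: str
    bandwidth_mbps: int
    vlans: str                 # VLAN ranges available on the port's node


@dataclass
class Link:                    # intra-domain link between two of our ports
    a: PortId
    b: PortId


@dataclass
class ExternalLink:            # link to a neighbouring AutoBAHN domain or a client end point
    external_domain: str
    end_port_id: str           # public identifier of the far end
    start_port: PortId         # our side of the link
    vlans: str
    client: bool = False


def links_per_port(links: List[Link], ext: List[ExternalLink]) -> Dict[PortId, int]:
    """How many links (internal or external) terminate on each port."""
    counts: Dict[PortId, int] = {}
    for link in links:
        for end in (link.a, link.b):
            counts[end] = counts.get(end, 0) + 1
    for e in ext:
        counts[e.start_port] = counts.get(e.start_port, 0) + 1
    return counts


def validate_topology(ports: List[Port], links: List[Link],
                      ext: List[ExternalLink]) -> List[str]:
    """Return the problems found; an empty list means AutoBAHN can use the topology."""
    errors: List[str] = []
    known = {(p.node, p.name) for p in ports}
    for link in links:
        for end in (link.a, link.b):
            if end not in known:
                errors.append(f"link endpoint {end} is not a defined port")
    for e in ext:
        if e.start_port not in known:
            errors.append(f"external link to {e.external_domain} starts at undefined port {e.start_port}")
    # AutoBAHN treats more than one link on a port as an insertion error (section 2.5.3).
    for port, n in links_per_port(links, ext).items():
        if n > 1:
            errors.append(f"port {port} has {n} links attached (at most one allowed)")
    # A usable domain needs at least two external connections (section 2.5).
    if len(ext) < 2:
        errors.append(f"only {len(ext)} external connection(s); at least two are needed")
    specs = [((p.node, p.name), p.vlans) for p in ports]
    specs += [(f"external link to {e.external_domain}", e.vlans) for e in ext]
    for label, spec in specs:
        try:
            parse_vlan_ranges(spec)
        except ValueError as exc:
            errors.append(f"{label}: {exc}")
    return errors


def sample_domain1():
    """Domain1 from the guide's figure as constructed sample data."""
    ports = [Port("Node1", "eth1.4", 1000, "100-200"), Port("Node1", "eth1.2", 1000, "100-200"),
             Port("Node2", "eth1.3", 1000, "100-200"), Port("Node2", "eth1.1", 1000, "100-200")]
    links = [Link(("Node1", "eth1.4"), ("Node2", "eth1.3"))]
    ext = [ExternalLink("Domain2", "p-to-dom1", ("Node2", "eth1.1"), "100-200"),
           ExternalLink("Client-domain", "CLI1", ("Node1", "eth1.2"), "5,800-802,100-120", client=True)]
    return ports, links, ext


def sample_domain1_with_insertion_error():
    """Same topology with a second external link mistakenly attached to eth1.1."""
    ports, links, ext = sample_domain1()
    extra = ExternalLink("GEANT", "p-to-geant", ("Node2", "eth1.1"), "300-310")
    return ports, links, ext + [extra]


if __name__ == "__main__":
    for name, topo in (("Domain1", sample_domain1()),
                       ("Domain1 with error", sample_domain1_with_insertion_error())):
        problems = validate_topology(*topo)
        print(name + ":", "OK" if not problems else "; ".join(problems))
```

Running the module prints "OK" for the Domain1 sample and a single complaint about ("Node2", "eth1.1") carrying two links for the broken variant, which is the situation AutoBAHN itself reports as an insertion error when it reads the topology from cNIS; catching it with a check like this before the DM starts avoids a failed start-up and a hunt through the cNIS forms.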