
TNMS NCT

15.11

Coriant TNMS NCT


Administration Manual (ADMN)

Issue: 1 Issue date: November 2015

A50023-K4045-X030-01-7672

Coriant is continually striving to reduce the adverse environmental
effects of its products and services. We would like to encourage you as
our customers and users to join us in working towards a cleaner, safer
environment. Please recycle product packaging and follow the
recommendations for power use and proper disposal of our products and their
components.

The information in this document is subject to change without notice and describes only the
product defined in the introduction of this documentation. This documentation is intended for the
use of Coriant customers only for the purposes of the agreement under which the document is
submitted, and no part of it may be used, reproduced, modified or transmitted in any form or
means without the prior written permission of Coriant. The documentation has been prepared to
be used by professional and properly trained personnel, and the customer assumes full
responsibility when using it. Coriant welcomes customer comments as part of the process of
continuous development and improvement of the documentation.
The information or statements given in this documentation concerning the suitability, capacity,
or performance of the mentioned hardware or software products are given "as is" and all liability
arising in connection with such hardware or software products shall be defined conclusively and
finally in a separate agreement between Coriant and the customer. However, Coriant has made
all reasonable efforts to ensure that the instructions contained in the document are adequate
and free of material errors and omissions. Coriant will, if deemed necessary by Coriant, explain
issues which may not be covered by the document. Coriant will correct errors in this
documentation as soon as possible.
IN NO EVENT WILL CORIANT BE LIABLE FOR ERRORS IN THIS DOCUMENTATION OR
FOR ANY DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, DIRECT, INDIRECT,
INCIDENTAL OR CONSEQUENTIAL OR ANY LOSSES, SUCH AS BUT NOT LIMITED TO
LOSS OF PROFIT, REVENUE, BUSINESS INTERRUPTION, BUSINESS OPPORTUNITY OR
DATA, THAT MAY ARISE FROM THE USE OF THIS DOCUMENT OR THE INFORMATION IN
IT.
This documentation and the product it describes are considered protected by copyrights and
other intellectual property rights according to the applicable laws.
Other product names mentioned in this document may be trademarks of their respective
owners, and they are mentioned for identification purposes only.
Copyright © Coriant 2015. All rights reserved.

Important Notice on Product Safety

This product may present safety risks due to laser, electricity, heat, and other sources
of danger.
Only trained and qualified personnel may install, operate, maintain or otherwise handle
this product and only after having carefully read the safety information applicable to this
product.
The safety information is provided in the Safety Information section in the "Legal, Safety
and Environmental Information" part of this document or documentation set.

The same text in German (translated):

Important Notice on Product Safety

This product may present hazards from lasers, electricity, heat build-up or
other sources of danger.
Installation, operation, maintenance and any other handling of the product may only be
carried out by trained and qualified personnel, observing the applicable safety
requirements.
The safety requirements can be found under "Safety Information" in the "Legal,
Safety and Environmental Information" part of this document or documentation
set.


Table of Contents

Table of Contents  3
List of Figures  5
List of Tables  7
1 Preface  9
1.1 Intended audience  9
1.2 Structure of this document  9
1.3 Symbols and conventions  10
1.4 TNMS NCT documentation set  11
1.5 Other documents  11
1.6 History of changes  12
2 Initial Configuration  13
2.1 Power management options  13
2.2 Setting the date and time  13
2.2.1 Setting the time and the time zone in a Windows server  13
2.2.2 Setting the time zone in TNMS NCT Client (Windows)  13
2.3 Getting started  13
2.3.1 TNMS NCT login  13
2.3.2 Terminating a client session  15
2.3.3 Changing the password  15
2.4 Internet Explorer configuration  16
2.5 User and security management  16
2.5.1 Single Sign-on configuration  18
2.5.2 Domain management  19
2.5.3 Policy management  20
2.5.4 User management  20
2.5.5 User group management  21
2.5.6 Access rights  21
2.5.7 Security settings  22
3 Basic Administration  23
3.1 Managing Services  23
3.2 TNMS NCT Administration  23
3.2.1 License Management  23
3.2.2 System Administration  24
3.2.3 System Information  24
3.2.4 System Preferences  25
3.2.5 SFTP  26
3.3 Importing and exporting data from TNMS NCT  26
3.3.1 Exporting configurations  27
3.3.2 Importing configurations  27
3.4 Log administration  29
3.4.1 Log data retention policy  29
3.4.2 Log export  29
3.4.3 License log  33
3.4.4 System event log  33
3.5 Backup and restore  34
3.5.1 General description  34
3.5.2 Overview of the Backup and Restore interfaces  35
3.5.3 Backup procedures through the command line  36
3.5.4 Backup procedures through the TNMS NCT client  39
3.5.5 Recovery & Restore procedures  40
4 Advanced Administration  43
4.1 Security hardening  43
4.1.1 Physical and hardware hardening  43
4.1.2 Operating System hardening  43
4.1.3 Networking and firewall configuration  52
4.1.3.1 List of ports to open in the firewall  52
4.1.4 OEM Hardening  59
4.1.5 TNMS Maintenance Packages and Workaround Updates  59
4.1.6 User Management  60
4.2 IPSec policy configuration  62
4.2.1 IPSec policy configuration for Windows  62
4.3 7100 IP Sec NE Configuration  63
4.4 Monitoring system resources  64
4.5 Oracle  65
Abbreviations  67
Glossary  73
Index  83


List of Figures

Figure 1 ASCII characters  14
Figure 2 System Information window  24
Figure 3 Modify Alarm Log window (Export tab)  31
Figure 4 System Event Log  34
Figure 5 Backup & Restore console  35
Figure 6 Changing the Oracle database backup schedule settings  37
Figure 7 Backup submenu  38
Figure 8 Backup window  39


List of Tables

Table 1 Structure of the manual  9
Table 2 List of symbols and conventions  10
Table 3 History of changes  12
Table 4 Tabular export file format  32
Table 5 Output folders for log types  33
Table 6 List of the available arguments in non-interactive mode  36
Table 7 Windows default shares  46
Table 8 Firewall rules between TNMS NCT Server and TNMS NCT Client machines  53
Table 9 Firewall rules between TNMS NCT Server machine and NEs (firewall not recommended)  54
Table 10 Firewall rules between TNMS NCT Server machine for base services  57
Table 11 Firewall rules for Remote Access  58
Table 12 Default TNMS user accounts and security hardenings  60


1 Preface
This preface describes the audience, structure, conventions, history of changes and
prerequisites of the Coriant TNMS NCT Administration (ADMN) manual.

1.1 Intended audience

This document is intended for personnel responsible for configuring, maintaining and
administrating the TNMS NCT system. Personnel performing these tasks must
understand basic networking concepts and have a good knowledge of management systems.

1.2 Structure of this document

This document comprises the following main chapters:

Chapter  Title                     Subject
1        Preface                   Provides an introduction and overview of this manual.
2        Initial Configuration     Provides the initial configuration information after
                                   installing TNMS NCT.
3        Basic Administration      Provides the log, backup and standby server descriptions
                                   as basic administrative tasks.
4        Advanced Administration   Provides advanced security descriptions and procedures
                                   for external components.
         Abbreviations             Contains a list of acronyms used in TNMS NCT.
         Glossary                  Contains a definition of the most important technologies
                                   referred to in the TNMS NCT documentation.
         Index                     Contains the index entries for this document.

Table 1 Structure of the manual


1.3 Symbols and conventions

The following symbols and mark-up conventions are used in this document:

Representation: Meaning

DANGER! / WARNING! / CAUTION! (marked with the safety symbol)
    A safety message indicates a dangerous situation where personal injury is
    possible. The keywords denote hazard levels with the following meaning:
    DANGER! - Indicates a hazardous situation which, if not avoided, will result
    in death or serious (irreversible) personal injury.
    WARNING! - Indicates a hazardous situation which, if not avoided, could
    result in death or serious (irreversible) personal injury.
    CAUTION! - Indicates a hazardous situation which, if not avoided, may result
    in minor or moderate (reversible) personal injury.

NOTICE: (marked with the property damage symbol)
    A property damage message indicates a hazard that may result in equipment
    damage, data loss, traffic interruption, and so on.

Note (marked with the note symbol)
    A note provides important information related to the topic, for example,
    not obvious exceptions to a rule or side effects.

Tip (marked with the tip symbol)
    A tip provides additional information related to the topic which is not
    essential in the context, but given for convenience.

Bold
    • All names of graphical user interface (GUI) objects, such as windows,
      field names, buttons, and so on.
      Example: Select the Full Screen check box and press OK.
    • Terms and abbreviations which are linked to an entry in the glossary and
      list of abbreviations respectively.
    • Important key words.

Italic
    • Files, folders, and file system paths.
      Example: /usr/etc/sbin/ftpd.exe
    • Emphasized words.

typewriter
    • Input to be typed in a command line or a GUI field.
      Examples:
      ping -t 192.168.0.1
      Enter World in the Domain field.
    • Output from a command, error messages, content of a status line, and so on.
    • File content, such as program sources, scripts, logs, and settings.

<angle brackets>
    Placeholders, for example as part of a file name or field value.
    Examples:
    <picture name>.png or <ip address>:<port number>

[square brackets]
    A key to be pressed on a PC keyboard, for example [F11].
    Keys to be pressed simultaneously are concatenated with a “+” sign, for
    example [CTRL]+[ALT]+[DEL].
    Keys to be pressed one after another are concatenated with spaces, for
    example [ESC] [SPACE] [M].

>
    The greater than symbol “>” is used to concatenate a series of GUI items in
    order to depict a GUI path. This is an abridged presentation of a procedure
    to be carried out in order to perform an action or display a window or
    dialog box.
    Examples:
    A simple menu path: File > Save as
    A more complex GUI path:
    > Main window > File menu > Change Password command > Change Password dialog box

x (in card names)
    For convenience, card names are sometimes listed with a lower case x
    variable, in order to concisely represent multiple cards.
    Example:
    I01T40G-x (is to be interpreted as I01T40G-1 and I01T40G-2)

(parentheses)
    For convenience, card variants are sometimes listed with a section of their
    name between parentheses, in order to concisely represent both card variants.
    Example:
    CCEP-3(/S) (is to be interpreted as CCEP-3 and CCEP-3/S)

Table 2 List of symbols and conventions

Screenshots of the graphical user interface are examples only to illustrate principles.
This especially applies to a software version number visible in a screenshot.

1.4 TNMS NCT documentation set


See the Documentation Guide for a complete and updated list of all TNMS NCT related
documents and their descriptions.
For your convenience, the operational documents are available via the TNMS NCT help
menu, while all others are stored in the help folder of your TNMS NCT Client installation.

1.5 Other documents


Legacy products and Network Elements
This manual concerns TNMS NCT only. For more detailed information on other legacy
products or the managed network elements (NEs), see the corresponding
documentation.


Release notes
Where applicable, contains installation hints, patch descriptions, list of supported NEs,
list of supported cards and any relevant last-minute information.

1.6 History of changes


This chapter describes the main changes for the current document and since the last
version.

Issue                      Issue date     Remarks
A50023-K4045-X030-01-7672  November 2015  Chapter 2.1 Power management options was added.
                                          Chapter 4.1.2 Operating System hardening was
                                          updated regarding Microsoft Windows Critical and
                                          Security patches.

Table 3 History of changes


2 Initial Configuration

2.1 Power management options


Disable all power management options for network adapters in machines running TNMS
Server and/or TNMS Netserver.

2.2 Setting the date and time


Follow the procedure to update the date and time of a TNMS NCT machine:
1. Stop all TNMS NCT components running in the machine.
2. Stop all TNMS NCT OEMs such as Oracle DB, etc.
3. Update the date and time.
4. Start all TNMS NCT OEMs such as Oracle DB, etc.
5. Start all TNMS NCT components running in the machine.

For a description of how to set the timezone in the TNMS NCT Client, refer to chapter
2.2.2 Setting the time zone in TNMS NCT Client (Windows).

2.2.1 Setting the time and the time zone in a Windows server
For Windows, you do not need to set the time, since the Windows Server will adopt the
time set by the domain server. This allows the times to be synchronized
automatically.

2.2.2 Setting the time zone in TNMS NCT Client (Windows)


TNMS NCT client allows time and timestamps to be expressed in different time zones.
Open Main > View > Time Display and switch between Local Time, GMT and US
Central Time. Local time is the client machine’s own time zone setting; US Central Time
is CST.
The time zone indication is always available in the main window status bar.

2.3 Getting started


Upon installation, make sure TNMS NCT Server is up and running and log in to your
TNMS NCT Client. If you decide to harden the system’s security, you must do so before
starting TNMS NCT in a production environment.
You will be asked for your default username and password, and after your first
successful login you need to change your password.

2.3.1 TNMS NCT login

If you are logging in after an update rather than an installation from scratch, the users
and passwords remain unchanged from the previous version.


Press the spacebar or click the icon to get the login window where you must fill in the
following fields:
• Server name
  You can select a previously used value set from the menu. Alternatively, input server
  data either in the <server IP address> or <server name> formats. The default values
  are localhost:4447.
• User name
  Input a valid user name. The default user name is administrator.
• Password
  Input the user’s password. The default password is e2e!Net4u#.
  For security reasons, the administrator is requested to change the password, based
  on password complexity rules.
  Refer to 2.3.3 Changing the password for a description of these rules.

Username rules
Usernames are validated according to a set of rules:
• The characters of the username must match the allowed character set. Refer to
  Figure 1 to check the valid characters.
• The username must have at least 1 valid character.
• The maximum length of the username is 32 characters, except for usernames
  configured at RADIUS servers, in which case the limit is 29 characters.
• The username must not begin nor end with a space.
• The username must be unique.

Figure 1 ASCII characters.

Figure 1 displays the valid characters for the username and password (white
background):
- the first two rows display ASCII control characters (not valid);
- the remaining characters are ASCII printable characters;
- additional characters not displayed in this table are not valid.

Functions authorized by the administrator user’s access rights can now be accessed.
The user defined below has full access rights:
• Default available user - Administrator
• Default user group - Administrators
• Default policy - Global
• Default domain - Global

If the Server is unavailable the following error message is displayed:

"Server not reachable. Please check your network connectivity or if server is
running"

In this situation check for one of the following scenarios:
• The server is not reachable.
• Network connectivity.
• The server may not be running.
• You are trying to connect to a standby server instead of the active server.

2.3.2 Terminating a client session


A Client session terminates when you log off. All windows are closed and only the login
function is accessible.

2.3.3 Changing the password


The first password change is performed in a popup window after the first login.
Subsequent changes are performed in the Administration > User Management > User
Modification window. You are asked to enter the new password twice for confirmation; you
can also select whether that user cannot change the password, or otherwise whether the
user has to change the password at next logon, and/or define the password expiration
deadline between 3 and 90 days.
TNMS NCT stores the password history in the Oracle database.

Note: If Single Sign-on is enabled later on, this menu item will no longer be displayed as no
password within TNMS NCT will be required.

Password complexity rules

New passwords are validated by the system according to the rules below:
• The password must have at least 8 valid characters - refer to Figure 1 to check the
  valid characters.
• The maximum length of the password is 32 characters.
• The password must not contain the username, the reversed username nor a circular
  shifted version of the username.
• The password must not contain sequences of three or more characters of the user
  name or the previous password.
• The password must not contain more than three repeated characters of the same
  type, either lower or upper-case, for example aAaA.
• The password must not contain more than three consecutive characters in ascending
  or descending order, either lower or upper-case, for example aBcD.
• The password must not contain a sequence of two or more repeated characters, for
  example a12b12.
• The password must be different from the last 5 passwords used.
• The password must not begin nor end with a space.
• The password must include at least three of the following four specifications: one
  lower case alpha character, one upper case alpha character, one numeric character
  and one special character.
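The username rules from 2.3.1 and the password complexity rules above, implemented as a validator. This is an added example written for this page, not code from TNMS NCT. It assumes that the white-background cells of Figure 1 are the printable ASCII range 0x20 to 0x7E, that a "special character" is any valid character that is not a letter or digit, and that the password history is passed as a list with the most recent password first. Each function returns the list of violated rules, so a caller can report every problem at once instead of stopping at the first one:

```python
"""Validator for the TNMS NCT username and password rules (added example)."""
from collections import Counter

# Assumption: Figure 1's white-background cells are the printable ASCII range.
VALID_CHARS = frozenset(chr(c) for c in range(0x20, 0x7F))
# Assumption: "special character" means any valid character that is not a letter or digit.
SPECIAL_CHARS = frozenset(c for c in VALID_CHARS if not c.isalnum())


def check_username(name, existing=(), radius=False):
    """Return the list of violated username rules (empty list = valid)."""
    errors = []
    if len(name) < 1:
        errors.append("empty")
    if any(c not in VALID_CHARS for c in name):
        errors.append("charset")
    limit = 29 if radius else 32          # names configured at RADIUS servers: 29
    if len(name) > limit:
        errors.append("length")
    if name != name.strip(" "):
        errors.append("spaces")
    if name in existing:
        errors.append("unique")
    return errors


def _circular_shifts(s):
    """All rotations of s, including s itself."""
    return {s[i:] + s[:i] for i in range(len(s))}


def _has_run(s, n):
    """True if s holds n characters in strictly ascending or descending order (aBcD)."""
    for i in range(len(s) - n + 1):
        codes = [ord(c) for c in s[i:i + n]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _has_repeated_pair(s):
    """True if some two-character substring occurs again later in s (a12b12)."""
    return any(s[i:i + 2] in s[i + 2:] for i in range(len(s) - 1))


def check_password(password, username, previous=()):
    """Return the list of violated password rules (empty list = valid).

    previous: earlier passwords, most recent first; previous[0] is the password
    being replaced and previous[:5] is the history that must not be reused.
    """
    errors = []
    pw, user = password.lower(), username.lower()   # the pattern rules ignore case
    if len(password) < 8:
        errors.append("too_short")
    if len(password) > 32:
        errors.append("too_long")
    if any(c not in VALID_CHARS for c in password):
        errors.append("charset")
    if password != password.strip(" "):
        errors.append("spaces")
    # the username, the reversed username or any circular shift of it
    if user and (user[::-1] in pw or any(s in pw for s in _circular_shifts(user))):
        errors.append("username")
    # any three consecutive characters of the username or of the previous password
    sources = [user] + [p.lower() for p in previous[:1]]
    if any(src[i:i + 3] in pw for src in sources for i in range(len(src) - 2)):
        errors.append("sequence")
    # more than three occurrences of the same character, ignoring case (aAaA)
    if max(Counter(pw).values(), default=0) > 3:
        errors.append("repeat")
    if _has_run(pw, 4):
        errors.append("consecutive")
    if _has_repeated_pair(pw):
        errors.append("repeated_pair")
    if password in previous[:5]:
        errors.append("history")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in SPECIAL_CHARS for c in password))
    if sum(classes) < 3:
        errors.append("classes")
    return errors


if __name__ == "__main__":
    # Constructed sample inputs, not real accounts.
    print(check_username("jsmith"))                     # []
    print(check_password("Gr8!Lamp$xy", "jsmith"))      # []
    print(check_password("jsmith123!", "jsmith"))       # ['username', 'sequence']
```

The rule codes map one-to-one onto the bullets above, which makes it easy to show the operator exactly which rule a rejected password broke; the two pattern rules that the manual illustrates with mixed case (aAaA, aBcD) are checked on the lower-cased password so that case changes cannot be used to slip past them.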

2.4 Internet Explorer configuration


To ensure the correct behavior of the context sensitive online help, configure Internet
Explorer as follows:
1. Within Internet Explorer go to Tools > Internet Options > Security.
2. Select the desired security level and then click Custom.
3. In the Scripting section enable Active Scripting.

2.5 User and security management


User and security data stored in the TNMS NCT database includes:
• Username, password
• User group
• Domains
• Policies
• Component command tree
• Group-domain-policy mappings

Note: All user and security configurations must be executed via the TNMS NCT system GUI.
Direct manipulation of the user and security database with another tool is not supported
and could damage the system.

To ensure a secure system, the user and security management component provides the
capability to administer and visualize user and security relevant data by:
• Authenticating - allowing only valid users to access the system and preventing
  malicious ones from doing so.
• Authorizing - regulating the operations that authenticated users can perform by
  placing restrictions on the kind of operations that a user can carry out.
• Auditing - keeping track of the operations that a user performs, creating a record of
  the operations that an authenticated user has performed on the secure system.
All the other software components rely on user and security management to ensure a
secure TMN system.

User management
User management allows the creation of a user account that belongs to a human user,
who is obligated to authenticate with the system. User accounts are assigned to user
groups that have access rights managed and configured by security management.
User management provides users with a single login throughout the TNMS NCT system
and stores their unique credentials and profiles. Each user’s profile records a number of
settings, including personal GUI preferences. Security management supports the
binding of profiles to specific users, but the responsibility of the profile content is not
within the scope of security management.

Security management
User authentication and policy management are means of creating a secure TNMS NCT
system and authorizing a user to perform a particular action. Each component provides
a command tree with all the possible actions or commands to the security management
administration service.
User authorization is based on policy administration (on a certain action or command).
Security management allows a security administrator to:
• Retrieve the command tree from a given component.
• Retrieve a list of securable objects from that component.
• Create policies by assigning desired actions.
• Assign user groups with desired policies.

Note: For users logged in with Single Sign-on the list of groups is synchronized with Active
Directory. Any manual changes to these groups within the application will be
overwritten the next time the account is accessed through Single Sign-on.

• Each user only has access to permissions/policies that were assigned to the user
  groups which in turn were assigned to that user.
Based on this information, the component can query security management and verify
whether a user has permission to execute a specific action on a certain securable object.
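A small model of the authorization flow just described, as an added example and not TNMS NCT code: a component publishes its command tree, the security administrator creates policies only from actions that exist in that tree, policies are assigned to user groups, users are assigned to groups, and the component asks security management whether a user may execute an action on a securable object. The component names, command tree, group names, policy names and user names are constructed for the example; the real product's command trees and default policies are not reproduced. Every decision is appended to a command log, which is the kind of record that command logging and security alarming build on:

```python
"""Policy-based authorization model in the shape described above (added example)."""

# Constructed command trees: component -> securable object -> allowed actions.
# These are illustrative only; the real TNMS NCT command trees are not shown here.
COMMAND_TREES = {
    "FaultManagement": {"Alarm": {"view", "acknowledge", "clear"}},
    "Configuration": {"NE": {"view", "modify", "delete"}, "Link": {"view", "modify"}},
}


class SecurityManager:
    """Holds policies, group-to-policy assignments and user-to-group assignments."""

    def __init__(self, command_trees):
        self.command_trees = command_trees
        self.policies = {}        # policy name -> set of (component, object, action)
        self.group_policies = {}  # user group -> set of policy names
        self.user_groups = {}     # user name -> set of user groups
        self.command_log = []     # (user, "component/object/action", allowed)

    def command_tree(self, component):
        """Retrieve the command tree a component offers."""
        return self.command_trees[component]

    def securable_objects(self, component):
        """Retrieve the securable objects of a component."""
        return sorted(self.command_trees[component])

    def create_policy(self, name, actions):
        """A policy may only contain actions that exist in a component's command tree."""
        for component, obj, action in actions:
            if action not in self.command_trees.get(component, {}).get(obj, ()):
                raise ValueError(f"{component}/{obj}/{action} is not in the command tree")
        self.policies[name] = set(actions)

    def assign_policy(self, group, policy):
        """Give a user group a policy; the policy must already exist."""
        if policy not in self.policies:
            raise KeyError(policy)
        self.group_policies.setdefault(group, set()).add(policy)

    def assign_user(self, user, group):
        """Put a user account into a user group."""
        self.user_groups.setdefault(user, set()).add(group)

    def permissions(self, user):
        """Everything the user may do: the union of the policies of the user's groups."""
        return {
            action
            for group in self.user_groups.get(user, ())
            for policy in self.group_policies.get(group, ())
            for action in self.policies[policy]
        }

    def is_authorized(self, user, component, obj, action):
        """Answer a component's query and record the decision in the command log."""
        allowed = (component, obj, action) in self.permissions(user)
        self.command_log.append((user, f"{component}/{obj}/{action}", allowed))
        return allowed


def build_demo():
    """Constructed set-up: a full-access group and a read-only operator group."""
    sm = SecurityManager(COMMAND_TREES)
    # Full-access policy built from every action in every command tree
    sm.create_policy("Global", {
        (comp, obj, act)
        for comp, tree in COMMAND_TREES.items()
        for obj, acts in tree.items()
        for act in acts
    })
    sm.create_policy("AlarmsReadOnly", {("FaultManagement", "Alarm", "view")})
    sm.assign_policy("Administrators", "Global")
    sm.assign_policy("Operators", "AlarmsReadOnly")
    sm.assign_user("admin", "Administrators")
    sm.assign_user("operator1", "Operators")
    return sm


if __name__ == "__main__":
    sm = build_demo()
    print(sm.is_authorized("admin", "Configuration", "NE", "delete"))         # True
    print(sm.is_authorized("operator1", "Configuration", "NE", "delete"))     # False
    print(sm.is_authorized("operator1", "FaultManagement", "Alarm", "view"))  # True
    for entry in sm.command_log:
        print(entry)
```

Two properties of the model are the ones worth checking in a real deployment: a user who is in no group (or whose groups carry no policy) is denied everything by default, and a policy cannot grant an action the component never published in its command tree.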

Alarming and logging
User and security management supports security and command logging as well as
security alarming. Component commands to be logged, or for which alarms are raised,
have the same granularity as defined for the command tree and offered in policy
administration. These functions rely on fault management and log management for
implementation.

Main features
User and security management supports the following main features:
User management
• Create, delete and modify user accounts and user groups.
• Activate or deactivate user accounts.
• Force a user to logoff.
• Unlock user accounts.
• View the existing user accounts, the login status and the user groups they belong to.
• Assign or unassign user accounts to user groups.
• User profile: user’s workspace settings, such as window size and positioning, filter
  and column settings.
Security management
• Configure security settings:
  - Initial password change interval.
  - Inactivity duration for an operator.
  - Automatic deactivation and activation rules for operators.
  - Display of the advisory message.
  - Manage the password history.
• Domain and policy operations:
  - Create, delete and modify policies.
  - View the existing domains and policies.
• Configure and view the access rights or mapping between a user group and policy.
• Import or export of security data: policies, domains, mappings, users and user
  groups.
Alarming and Logging
• Security alarms.
• Security log.
• Command log.

2.5.1 Single Sign-on configuration


By enabling Single Sign-on (SSO) users can log in to TNMS NCT using the operating
system credentials, without having to enter another user name and password.

Domain Controller configuration


In order to enable Single Sign-on, the following configurations have to be performed in
the Domain Controller machine:
1. Log in as Administrator.
2. Depending on the operating system installed in the Domain Controller machine, go
   to Start > All Programs > Administrative Tools > Active Directory Users and Computers.
3. Create the following user groups, which are the same as those associated to TNMS
   NCT’s default policies:
   • TNMS UserClass Administration.
   • TNMS UserClass Supervision.
   • TNMS UserClass Maintenance.
   • TNMS UserClass Operation.
   • TNMS UserClass Configuration.

Note:
• In order for users to login to TNMS NCT, they must be included in one of the
  TNMS UserClass Groups according to the required access rights.
• In order for TNMS NCT to be able to import users from another domain, a two-way,
  forest type trust must be set up.


Enable Single Sign-on authentication in TNMS NCT Server


Follow the steps below to enable Single Sign-on authentication in TNMS NCT Server:
1. Log in to TNMS NCT using a user with TNMS NCT Administration privileges. For
example, log in as Administrator.
2. Go to Administration > System preferences > Security Settings > Single Sign-on tab
and check Enable to activate the following configuration fields:
   • Domain name - The Fully Qualified Domain Name (FQDN) to which the client
   machines and the user accounts belong.
   • Domain server name - The IP address, server name or FQDN of the Active Directory
   server (Kerberos and LDAP) configured for the domain.
   • Use default active directory LDAP port - The TCP/IP port on which the Active
   Directory LDAP service is listening. The default port is 389.
3. Click OK.
A message appears informing you that these configurations have been saved and that you
should log in using a domain account to confirm these settings.
4. In case you install a TNMS NCT Client on Windows Server 2012, you must also:
   a) Open the Windows command line as administrator: Start > Accessories > right-click
   Command Prompt and select Run as administrator.
   b) Run the following command as administrator for each TNMS NCT user that logs in
   to the machine:
   kinit <user_name> <user_password>
   where <user_name> and <user_password> are the Windows credentials of the
   TNMS NCT user.

Enable Single Sign-on authentication in TNMS NCT Clients


The following configuration must be performed on the client machine:
1. Make sure the Windows User Account Control is disabled, as described in the "User
Account Control" sub-chapter of the Installation Manual. Otherwise TNMS NCT will
still ask you for the user password even after all Single Sign-on configurations are
performed.
2. Log in to Windows using a domain user.
3. In the TNMS NCT Login window, check Single Sign-On before clicking OK.

Note: By checking Single Sign-On, no password is requested.

2.5.2 Domain management


TNMS NCT allows you to restrict user groups to operating only on a set of NEs or DCN
subnets instead of the entire network. This partitioning is called a “Domain”: by assigning
user groups to domains, operation on nodes outside of their partitions is prevented.
Further, you can also assign policies to domains for further control and security, limiting
the user groups to specific menu entries and actions.


This arrangement is required, for example, in network centers that are responsible for
maintaining only a subset of the nodes. The main purpose is security: it avoids that a
login to the system grants access to the entire network.
TNMS NCT supports the creation, modification and deletion of multiple domains,
granting or restricting their accesses.
By default, all NEs belong to the GLOBAL domain, which cannot be modified or deleted.
The Domain management window (Administration > Domain Management) allows
an administrator to:
• View the list of available domains and assigned NEs.
• Create, modify and delete domains.

Note: In the domains you create, you have both read and write permissions. However,
for the NEs left outside those domains, you only have read permissions, which means
you cannot modify or delete them.

2.5.3 Policy management


A policy is a pre-defined set of permissions. These permissions are based on existing
user classes and TNMS NCT components. A user must always be assigned to a policy
before performing any action. The scope of the actions can be further controlled by
adding permissions to, or removing them from, a policy. One permission can belong to
one or more policies. By default, all permissions belong to the default GLOBAL policy,
which cannot be modified or deleted.
The Policy management window (Administration > Policy management) allows an
administrator to:
• View the list of configured policies.
• Create, modify and delete policies.
• View the list of permissions assigned to the selected policy (via tooltip).
TNMS NCT ships with a set of predefined policies for:
• supervision users
• maintenance users
• configuration users
• operations users
• administration users
It is strongly recommended that you review and adapt the default policies, or that you
define your own custom policies appropriate for the different roles in the network
operation teams. Those policies should contain the minimum set of system permissions
required to do the job.

2.5.4 User management


A user account allows the user to authenticate and have access to the TMN system. The
user is authorized to perform actions within a domain depending on the user group(s)
that the user account is assigned to. Whenever a user’s authorized actions change, the
administrator must force a log off. Once the user logs in again, the new permissions
become active. A user account must be a member of at least one group.
The User Administration window allows the user to:
• View all user accounts and status.
• Create, modify and delete user accounts.
• Unlock, force logoff, activate and deactivate user accounts.

When creating or modifying a user you can specify an inactivity timeout per user. If the
User inactivity timeout check box is selected, the timeout defined for that user will
override the inactivity timeout value defined in System Preferences > Security
Settings > General.
When setting either the specific value or the value in the general settings to zero, the
session never times out.
During creation or modification of a user you can specify the number of allowed
simultaneous user sessions, which means the number of TNMS NCT client sessions the
user can be logged into simultaneously.
When the maximum number of simultaneous sessions is reached, either log off from a
client session or contact your System Administrator.
You can also define an account expiration date, rendering the user account temporary.
Whenever a user account expires, you must contact your System Administrator so the
account can be reactivated.

2.5.5 User group management


A user group comprises a group of users that are granted the same access rights for a
certain domain. If a user belongs to more than one user group, the effective access
rights are based on all the relevant access rights granted by each user group.
The User group management window (Administration > User group management)
allows the user to:
• View all user groups.
• Create, modify and delete user groups.

Note: For users logged in with Single Sign-on, the list of groups is synchronized with
Active Directory. Any manual changes to these groups within the application will be
overwritten the next time the account is accessed through Single Sign-on.

2.5.6 Access rights


Creating a policy or domain is not enough to keep a set of users from accessing a set
of operations and resources. To restrict the use of operations and resources, a
relationship must be created between a policy, a domain and a user group:
• Such a relationship is called a mapping.
• Domains, policies and user groups participating in mappings cannot be deleted
without first deleting the mapping.
Mappings can be configured via the Modify User Group window, under the Domains
and Policies tab. It is also possible to view all the mappings in the read-only Access
Rights window.
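As an added illustration of sections 2.5.2 to 2.5.6 (example code, not TNMS NCT's own), the following Python model ties user groups, domains and policies together through mappings, computes a user's effective rights as the union over every group the user belongs to, grants only read access on NEs outside the mapped domains, and refuses to delete any object still referenced by a mapping. The NE names, users, permissions and the domain, policy and group names in build_example() are constructed sample values.

```python
from dataclasses import dataclass


class MappingInUse(Exception):
    """A domain, policy or user group still participates in a mapping."""


@dataclass(frozen=True)
class Mapping:
    """One access right: a user group gets a policy's permissions on a domain's NEs."""
    user_group: str
    domain: str
    policy: str


class SecurityModel:
    # Outside every domain a user is mapped to, the manual describes read-only access.
    READ_ONLY = frozenset({"view"})

    def __init__(self, nes, permissions):
        self.nes = set(nes)                  # all NEs; the GLOBAL domain always covers them
        self.permissions = set(permissions)  # all permissions; the GLOBAL policy has them all
        self.domains = {}                    # name -> NEs
        self.policies = {}                   # name -> permissions
        self.groups = {}                     # name -> user names
        self.mappings = set()

    def add_domain(self, name, nes):
        self._check_name(name)
        if not set(nes) <= self.nes:
            raise ValueError(f"unknown NEs: {sorted(set(nes) - self.nes)}")
        self.domains[name] = set(nes)

    def add_policy(self, name, permissions):
        self._check_name(name)
        if not set(permissions) <= self.permissions:
            raise ValueError(f"unknown permissions: {sorted(set(permissions) - self.permissions)}")
        self.policies[name] = set(permissions)

    def add_group(self, name, users):
        self.groups[name] = set(users)

    def add_mapping(self, user_group, domain, policy):
        if user_group not in self.groups:
            raise KeyError(user_group)
        self.domain_nes(domain)           # KeyError if the domain does not exist
        self.policy_permissions(policy)   # KeyError if the policy does not exist
        self.mappings.add(Mapping(user_group, domain, policy))

    def delete_mapping(self, user_group, domain, policy):
        self.mappings.discard(Mapping(user_group, domain, policy))

    def delete_domain(self, name):
        self._delete(self.domains, name, "domain")

    def delete_policy(self, name):
        self._delete(self.policies, name, "policy")

    def delete_group(self, name):
        self._delete(self.groups, name, "user_group")

    def domain_nes(self, name):
        return self.nes if name == "GLOBAL" else self.domains[name]

    def policy_permissions(self, name):
        return self.permissions if name == "GLOBAL" else self.policies[name]

    def effective_rights(self, user):
        """NE -> permissions: the union over every mapping of every group the user is in."""
        rights = {ne: set(self.READ_ONLY) for ne in self.nes}
        for m in self.mappings:
            if user in self.groups.get(m.user_group, ()):
                for ne in self.domain_nes(m.domain):
                    rights[ne] |= self.policy_permissions(m.policy)
        return rights

    def is_allowed(self, user, ne, permission):
        return permission in self.effective_rights(user).get(ne, set())

    @staticmethod
    def _check_name(name):
        if name == "GLOBAL":
            raise ValueError("GLOBAL is built in and cannot be modified or deleted")

    def _delete(self, table, name, field):
        # Mapped objects cannot be deleted before the mapping itself is removed.
        self._check_name(name)
        in_use = [m for m in self.mappings if getattr(m, field) == name]
        if in_use:
            raise MappingInUse(f"{name} is referenced by {len(in_use)} mapping(s)")
        del table[name]


def build_example():
    """Constructed sample data: hypothetical NEs, permissions, domain, policies and groups."""
    model = SecurityModel(
        nes=["NE-1", "NE-2", "NE-3"],
        permissions=["view", "ack_alarm", "configure", "delete_ne"],
    )
    model.add_domain("North", ["NE-1", "NE-2"])
    model.add_policy("Supervision", ["view", "ack_alarm"])
    model.add_policy("Configuration", ["view", "configure"])
    model.add_group("north-noc", ["alice", "bob"])
    model.add_group("north-config", ["bob"])
    model.add_mapping("north-noc", "North", "Supervision")
    model.add_mapping("north-config", "North", "Configuration")
    return model
```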

2.5.7 Security settings


General security settings can be configured under Main > Administration > System
preferences > Security Settings:
• General:
  – Password change interval and timeout settings.
  – Account lockout settings.
• Single Sign-on (see 2.5.1 Single Sign-on configuration).
• Advisory message.
These settings are applied to all user accounts.


3 Basic Administration

3.1 Managing Services


Before accessing TNMS NCT it is important to check that the system is running correctly.
1. On the server machine, go to Start > Control Panel > Administrative Tools > Services.
Scroll down to find the TNMS NCT entries:
• TNMS EML Mediator (automatically started)
• TNMS Generic Mediator (automatically started)
• TNMS MultiVendor Mediator (automatically started)
• TNMS Platform (automatically started)
• TNMS Server (automatically started)
• TNMS Trap Handler (automatically started)
• RCTSrv (automatically triggered by TNMS NCT and thus listed as Manual)
Check under the Status column that all services are Started.
2. Right-click a service to either Start, Stop or Restart it.

3.2 TNMS NCT Administration

3.2.1 License Management


License manager is the component that provides and manages the licensing functions.
The license management component allows you to manage license keys and view
license logs, making it possible to enable or disable functions or features on an
installation.
TNMS NCT has different types of licenses depending on the customer requirements.
For more information on the available licenses, contact your sales representative.

Note: A 30-day free trial license is available, during which all menus and functionalities
are enabled. If you decide to import licenses during this period, the trial is not affected.
After the 30 days expire, only licensed TNMS NCT features are available and you will
need to import license keys to access further functionalities.

License management window


The License Management window (Main > Administration > License Management)
gives you access to the list of available license keys.
Keys can be added, deleted, imported and exported. Details of a license are available if
you double-click the license or press the Details button.
The License Log window (Main > Administration > License Log) keeps a record of
all licensing actions and can be exported via the Log List window.


3.2.2 System Administration


TNMS NCT client has several administration features, accessible via Main >
Administration > System:
• In the Debug Settings window you can:
  – Configure the current debug level of a server component.
  – Set the current debug level of a server component to default.
  – View the current debug settings.
• In the Notifications window you can:
  – View the current details for JMS topic/queues, NE queues and Non-NE queues.
  – Edit the NE Queues settings.
• The Event Log displays a list of all system log records in a given context as a table.

3.2.3 System Information


The System Information window displays a list of TNMS NCT components
corresponding to the software parts that compose the TNMS NCT system itself. For
example, you can check the Java home path and its version, the client system
architecture, the language and time zone defined and many other configurations.
You can also use the Updates tab to check all the patches and updates installed.
You can find this window through the Help menu > About TNMS NCT > System
Information.

Figure 2 System Information window


3.2.4 System Preferences


You can access the system preferences through Main > Administration > System
preferences.

Security Settings
In this tab you can set general security settings, such as timeout and account lockout
definitions. You can also configure the single sign-on authentication and authorization
and whether you wish to display an advisory message at logon.
After your initial single sign-on configuration, whenever you change any of the settings
you will need to restart the TNMS Server for your changes to be applied.

Network Settings
This setting allows the NE native location to be displayed in addition to the TNMS NCT
location identifiers in all TNMS NCT fault windows.
If this setting is checked, the object's location is presented in the following format:
TNMS location identifier (NE native location identifier)
Example: if the Location column in the Alarm List window displays 1-15-04 by default,
it will display 1-15-04 (SLOT-15-4) when you check this setting.

Synchronizations
In this tab, you can set the maximum number of synchronization reschedules in case
of a failed synchronization, as well as the maximum number of retries within the same
synchronization.
You can also set the number of scaled synchronizations, that is, the number of
NEs that synchronize simultaneously in each TNMS NCT software component. Note
that the new value only becomes effective after a TNMS NCT server restart.

Fault
In this tab you can configure several fault-related settings, such as customize the alarm
colors to be displayed. You can also define sound notifications for alarms and choose
to filter recurrent alarms triggered by the same cause.

SFTP
Use this tab to enable global SFTP settings, such as IP, user, password and path. If you
have Embargo NE versions in your network that only support FTP, the settings in the
SFTP tab will also be applied to FTP.

Map Automatic Position


Enable this setting in order to have TNMS NCT use the background image maps and
geographical coordinates present in hiT 7300 and hiT 7100 NEs.

Physical Trails
Select the check box in this tab to activate the alarm correlation for internal physical
trails.


3.2.5 SFTP
In this tab you can configure the SFTP server to be used in all of TNMS NCT.

Note: The settings below will also apply to FTP servers in the case of some Embargo NE
versions that do not support SFTP and must use FTP.

Note: To use this setting you must configure all SFTP services to use the same user.

To configure the SFTP server do as follows.

1. Go to Main > Administration > System preferences, SFTP.
2. Enter the IP address of the SFTP server. This IP address is the one of the machine
of the TNMS NCT Netserver component where the SFTP services are configured
and running.
In case the machine has more than one IP address, use the one that is visible from
the network and is used by the NEs to transfer files.
3. Enter the User and Password of the SFTP user configured during the CopSSH
installation (refer to the SFTP sections in the Installation Manual).

Warning: Enter the User in lowercase. For example, if the original User is TNMS_sftp,
enter tnms_sftp.

4. Enter the following mandatory Upload Path:
Enter “/home/$user$”, where $user$ is the non-administrator user configured in
CopSSH (refer to the CopSSH section in the Installation Manual).

Warning: Enter the $user$ in lowercase. For example, if the original $user$ is TNMS_sftp,
enter tnms_sftp.
- For 7100 Nano NEs enter /home/$user$/.

Note: The upload path is relative to the SFTP root directory:
C:\Program Files (x86)\ICW\; in Solaris, /coriant/tnms/nedata.

5. Use Test Connection to check the status of the SFTP server (only available for the
active server).

3.3 Importing and exporting data from TNMS NCT


TNMS NCT allows you to export and import data (configurations) via XML files. You can
use this feature for backup purposes and, in the specific case of TNMS NCT settings,
to audit and compare them with other reference application settings.
The following types of configurations can be exported and imported:
ವ Security Management
ವ DCN Management (EMs / NEs)
ವ Topology Management
ವ (TNMS NCT) Settings (exportable only)
For security reasons, the user Administrator is never exported or imported.


3.3.1 Exporting configurations


To export some or all possible configurations:
1. Go to File > Export Configuration.
The Export Configuration wizard opens.
2. On the Item Selection step, select the items you want to export.
Click Next.
3. On the File Selection step, select the file that will contain the exported data or enter
a name to create a new file.
Click Finish to start the export operation.

Warning: The exported file may contain sensitive information and should be kept in a
secure location.

4. On the Summary step:
In this step you can follow the progress of the export process. Any errors that
occur are displayed in this step. You can right-click the details of the export to select
and copy any part of it.
5. A pop-up is displayed when the export operation finishes.
Click OK.
Click Close to leave the wizard.

3.3.2 Importing configurations


The following import sequence is mandatory:
1. DCN Management configuration
2. NE activation
3. Topology management configuration
The remaining configurations can be imported with the DCN Management configuration
(as described below), with the Topology management configuration, or even separately.

Note: If your export file does not contain some of the configurations, you can skip the
corresponding import procedure.

To import the DCN and Security configurations

1. Go to Main window > File > Import Configuration.
The Import Configuration wizard opens.
2. On the File Selection step, click Browse to select the exported XML file from which
to import the data.
Click Next.
3. On the Item Selection step:
• Select the DCN and Security branches.
• Select Delete all the selected objects before importing if the selected items
already exist in TNMS NCT and require updating with the import.
• Unselect all other items in the tree.
Click Next.
4. On the Confirmation step:
• Do you want to import the (S)FTP settings?
Select Yes to import the (S)FTP settings from the NE, as defined in the
configuration file.
Click Finish.
5. On the Summary step:
In this step you can follow the progress of the import process. All actions
performed and errors that occur are displayed in this step. You can right-click the
details of the import to select and copy any part of it.
Click Close to leave the window when the import finishes.
6. Go to Main window > Network > DCN > Management and activate all NEs.
Wait until all NEs are Running and synchronized.
7. Proceed to importing the Topology Management configuration.

To import the Topology Management configuration

1. Go to Main window > File > Import Configuration.
The Import Configuration wizard opens.
2. On the File Selection step, click Browse to select the exported XML file from which
to import the data.
Click Next.
3. On the Item Selection step:
• Select the Topology Management branch.
• Select Delete all the selected objects before importing if the selected objects
already exist in TNMS NCT and require updating with the import.
• Unselect all other items in the tree.
Click Next.
4. On the Confirmation step:
• Do you want to import the (S)FTP settings?
Select Yes to import the (S)FTP settings from the NE, as defined in the
configuration file.
Click Finish.
• Some Physical Trails were marked with the "Prevent Deletion" flag. Are you sure
you want to delete them?
This confirmation appears if you selected the "Delete all the selected objects
before importing" option in the previous panel and if there are Physical Trails
with the "Prevent deletion" check box checked (in the Modify Physical Trail
window). Check Yes to have all Physical Trails deleted during the import
operation. If you check No, the Physical Trails with "Prevent deletion" checked will
not be deleted.
5. On the Summary step:
In this step you can follow the progress of the import process. All actions
performed and errors that occur are displayed in this step. You can right-click the
details of the import to select and copy any part of it.
Click Close to leave the window when the import finishes.

3.4 Log administration


Log administration allows you to configure log settings and to export log records to the
local file system.
Even though these actions are provided by log management, the windows are
log-type-dependent, that is, they are provided by the responsible component.
TNMS NCT component log output
Components output to logs and provide for viewing and exporting log contents. The
following logs exist:

• Client log (View > Client Log) - keeps a log of all events originating from your
TNMS NCT client. This log stores events such as timeout warnings and errors
arising from using local resources.
• Network event log (Network > Event Log) - logs all network event records,
including unsolicited messages from NEs and state change notifications.
• Network resource log (Network > Resource Log) - logs higher-level network
resource and network route additions or changes.
• Alarm log (Supervision > Fault > Alarm Log) - contains all the raised and cleared
alarms over a specific period of time.
• System event log (Administration > System > Event Log) - logs the overall
system messages. This log is used by all components to log system-wide
information, warnings and error messages that occur during the execution of commands.
• License log (Administration > License Log) - lists all license log records.
• Command log (Administration > Command Log) - logs all types of configuration
commands input by the user and used by other components.
• Security log (Administration > Security Log) - stores security alarm notifications
and security configuration commands.

3.4.1 Log data retention policy


Log management comprises a data retention policy which specifies the number of days
that data is kept on the system. Data older than the retention period is deleted. You can
configure the retention period on the Log List window.
The modification of the retention period can be done by selecting the appropriate log and
clicking Modify either on the toolbar or by using the menu entry in the table cell context
menu.

3.4.2 Log export


TNMS NCT allows you to export logs in order to store them indefinitely for further pro-
cessing. You can trigger an export operation manually or automatically from the Log
List window.


Manual export of logs


The Export Log window (accessible through Administration > Log List > Export
toolbar button while selecting the desired log type) provides a user interface to configure
log export settings and start a manual export operation for one or more files.
Log management is responsible for the security, network event, system event
and command log types. The following export settings are provided for these log types:
• File name prefix: a prefix to be used in the complete file name.
• Date format: the date format used in the exported file.
• File format: the file format used in the export operation.
• Maximum file size: the maximum size per file. If there are more records than the file
capacity, more than one file is created.
• Maximum log records: the number of records per file. If the number of records is
greater than this number, more than one file is created.
The set of log records to be exported is defined with the filter settings. These settings
can be saved to and loaded from the local file system.
Since log management requires access to external storage, unexpected errors may
occur. If an error occurs during the export of a single record, the whole export
operation is considered to have failed, and log management generates system
event messages to report it.

Scheduled export of logs


The Modify Log window (accessible through Administration > Log List > Modify
toolbar button while selecting the desired log type) provides a user interface for viewing
and configuring all log-related settings, including activating the export of the log
whenever a cleanup is performed. The cleanup can be scheduled in this same window.

Note: To ensure no records are lost, TNMS NCT executes hourly background checks of
the logs to find those which have not been exported in the previous day(s). If TNMS NCT
was not running at the time scheduled for a log export and therefore the export did not
happen, an exceptional export is triggered.

All the export settings described for the manual export, except for the filter settings, can
also be configured for scheduled exports.


Figure 3 Modify Alarm Log window (Export tab)

Export file formats


The following export file formats are supported by log management:
• eXtensible Markup Language (XML) - the fields of a log record are described as
XML elements. A log is exported as a collection of log record elements.
• Tabular - the fields of a log record are presented in a data table format.
• Comma Separated Values (CSV) - each line (up to the carriage return) is considered
a log record. Fields within each record are divided by a delimiter character (which can
be chosen), typically a comma. Each line must have the same number of fields
(commas). If a comma or leading and/or trailing blanks appear in any field value, the
field must be enclosed in quotation marks (") to indicate the information is data and
not a field divider.


Example XML:

Example Tabular:

Field1 Name      Field2 Name      ...   FieldN Name
Record1 Field1   Record1 Field2   ...   Record1 FieldN
Record2 Field1   Record2 Field2   ...   Record2 FieldN
...              ...              ...   ...
RecordN Field1   RecordN Field2   ...   RecordN FieldN

Table 4 Tabular export file format

Example CSV:

Output location
Log management uses a predefined output directory on the server file system for the
export files. Table 5 shows the output directories for the different types of log and export
operations.


Log Type              Output Directory (Manual export)          Output Directory (Scheduled export)
Alarm Log             ...\TNMS\logs\Export\Alarm\Manual         ...\TNMS\logs\Export\Alarm\Scheduled
License Log           ...\TNMS\logs\Export\License\Manual       ...\TNMS\logs\Export\License\Scheduled
Network Resource Log  ...\TNMS\logs\Export\NeResource\Manual    ...\TNMS\logs\Export\NeResource\Scheduled
Security Log          ...\TNMS\logs\Export\Security\Manual      ...\TNMS\logs\Export\Security\Scheduled
System Event Log      ...\TNMS\logs\Export\SysEvent\Manual      ...\TNMS\logs\Export\SysEvent\Scheduled
Network Event Log     ...\TNMS\logs\Export\NetEvent\Manual      ...\TNMS\logs\Export\NetEvent\Scheduled
Command Log           ...\TNMS\logs\Export\Command\Manual       ...\TNMS\logs\Export\Command\Scheduled

Table 5 Output folders for log types

Although the operator is free to define a prefix for the name of the export files, the
complete name is generated by log management. This name includes full information
about the time that the export operation was triggered (year, month, day, hour, minute,
second and locale).
Example: pm_15min_log_export_2013_07_27_16h06m10s_cst.xml.
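As an added example (not the product's export code), the following Python implements the CSV rules stated under Export file formats, the per-file split from the Maximum log records setting, the Table 5 output folders and the file naming pattern shown in the example above. Doubling of an embedded quotation mark and the use of CR LF as the line terminator are assumptions, and the log records in the demo are constructed.

```python
from datetime import datetime

# Output folders from Table 5, relative to the "..." prefix the manual elides.
EXPORT_DIRS = {
    "alarm": "Alarm", "license": "License", "network_resource": "NeResource",
    "security": "Security", "system_event": "SysEvent",
    "network_event": "NetEvent", "command": "Command",
}


def export_directory(log_type, mode):
    """Table 5 folder for a log type and export mode ('manual' or 'scheduled')."""
    if mode not in ("manual", "scheduled"):
        raise ValueError(f"unknown export mode: {mode}")
    return r"...\TNMS\logs\Export" + "\\" + EXPORT_DIRS[log_type] + "\\" + mode.capitalize()


def export_file_name(prefix, when, locale, file_format):
    """Operator prefix + trigger time (year, month, day, hour, minute, second) + locale,
    matching the manual's example pm_15min_log_export_2013_07_27_16h06m10s_cst.xml."""
    return f"{prefix}_{when:%Y_%m_%d_%Hh%Mm%Ss}_{locale.lower()}.{file_format}"


def csv_field(value, delimiter=","):
    """Quote a field that contains the delimiter or leading/trailing blanks.
    Assumption: an embedded quotation mark is doubled, as in common CSV practice."""
    text = str(value)
    if "\r" in text or "\n" in text:
        raise ValueError("a log record is one line; line breaks inside a field are not supported")
    if delimiter in text or text != text.strip() or '"' in text:
        return '"' + text.replace('"', '""') + '"'
    return text


def csv_record(fields, delimiter=","):
    return delimiter.join(csv_field(f, delimiter) for f in fields)


def parse_csv_record(line, delimiter=","):
    """Inverse of csv_record: split one line into fields, honouring quoted fields."""
    fields, buf, i, quoted = [], [], 0, False
    while i < len(line):
        ch = line[i]
        if quoted:
            if ch == '"':
                if i + 1 < len(line) and line[i + 1] == '"':
                    buf.append('"')      # doubled quote inside a quoted field
                    i += 1
                else:
                    quoted = False       # closing quote
            else:
                buf.append(ch)
        elif ch == '"' and not buf:
            quoted = True                # opening quote at the start of a field
        elif ch == delimiter:
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if quoted:
        raise ValueError("unterminated quoted field")
    fields.append("".join(buf))
    return fields


def export_csv(header, records, delimiter=",", max_records=None):
    """Render header + records as CSV; when more than max_records are given, return
    several file bodies, as the Maximum log records setting describes."""
    for rec in records:
        if len(rec) != len(header):
            raise ValueError("each line must have the same number of fields as the header")
    chunk = max_records if max_records else max(len(records), 1)
    bodies = []
    for start in range(0, max(len(records), 1), chunk):
        lines = [csv_record(header, delimiter)]
        lines += [csv_record(r, delimiter) for r in records[start:start + chunk]]
        bodies.append("\r\n".join(lines) + "\r\n")   # assumption: CR LF terminated lines
    return bodies


if __name__ == "__main__":
    # Constructed security-log records, not real TNMS NCT output.
    sample = [["2015-11-03 10:00:01", "Major", "Login failed, user admin"],
              ["2015-11-03 10:00:02", "Minor", " trailing "]]
    name = export_file_name("security_log", datetime(2015, 11, 3, 10, 5, 0), "CET", "csv")
    print(export_directory("security", "manual") + "\\" + name)
    print(export_csv(["Date", "Severity", "Description"], sample)[0])
```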

3.4.3 License log


The License Log window (Main > Administration > License Log) gives you access
to the license log. You can freeze or unfreeze the automatic updating of the log, as well
as filter or sort it by any field.
The information is arranged in a table format and shows relevant information for each
log record, such as date, severity, source type, source and description.

3.4.4 System event log


This log is used by all components to log the overall system messages, system wide
information, warnings and error messages that occur during the execution of commands
either in the NEs or in the TMN system.


Figure 4 System Event Log

3.5 Backup and restore


This chapter guides you through the backup and restore procedures.
Backup and restore is a safeguard mechanism to back up the system and recover it, in
case a problem occurs.

3.5.1 General description


You must back up the information contained in the Oracle server.
The required information is backed up into three sets:
• Oracle database backups are used to recover the database from corruption events
or unexpected integrity issues and recover it to its last most consistent state. These
backups contain TNMS NCT specific data plus other Oracle files required for
database recovery.
The Oracle database backups are stored in Oracle’s Fast Recovery Area under
the BACKUPSET directory.

Warning: You must not use the BACKUPSET directory for any operations other than
Oracle database backups.

Full backups of the Oracle database are stored with a retention policy that allows for
a redundancy of 2 backups. Therefore the BACKUPSET directory contains the last
3 backups and older ones are automatically removed.

• TNMS NCT database backup files are used to restore TNMS NCT to a previous
state in order to, for example, undo undesired user configurations or restore the
TNMS NCT state to a clean installation.


Note: TNMS NCT database backup files cannot be used to directly recover from an Oracle
database corruption event.

TNMS NCT database backup files are stored under a target directory (local or
remote) of your creation or choice. Inside this directory, each backup operation
creates a subdirectory named after the backup timestamp
<yyyy_MM_dd_HH_mm_ss>, where the backup files are saved.

Warning: When performing a database backup, ensure that the target directory is
writable by the oracle user.

3.5.2 Overview of the Backup and Restore interfaces


The TNMS NCT database backup can be performed via console, in interactive (CLI) or
non-interactive (script friendly) mode, or via the TNMS NCT Client (GUI). The TNMS NCT
database restore can only be performed via console (interactive or non-interactive
modes).

Interactive mode
To access the interactive mode console, run:
backuprestore.bat
with no arguments from
C:\Program Files (x86)\Coriant\TNMS\server\bin\backuprestore (default location).
The following interactive menu is displayed (Figure 5).

Figure 5 Backup & Restore console

Non-interactive mode
The non-interactive mode allows you to embed the B&R feature into a scriptable
language in order to automate common and repetitive tasks.
To use the non-interactive mode, run backuprestore.bat from
C:\Program Files (x86)\Coriant\TNMS\server\bin\backuprestore (default location)
with one or more of the available arguments (Table 6).
You can enter backuprestore -h in the command line to see this list.


Option           Description
-b, --backup     Performs a TNMS NCT database backup.
-r, --restore    Performs a TNMS NCT database restore.
-s, --schema     Performs the operation on the TNMS NCT database.
-d, --directory  When saving or loading a backup, this option must be followed by the
                 path to the directory where the backup files will be stored in or
                 loaded from.
-u, --username   This option must be followed by the TNMS NCT username.
-p, --password   This option must be followed by the password matching the TNMS NCT
                 username.
-R, --recovery   Use this option to recover the Oracle database. Note that it does not
                 refer to the TNMS NCT database.
-h, --help       This option displays the list of the available arguments.

Table 6 List of the available arguments in non-interactive mode

3.5.3 Backup procedures through the command line


This chapter describes how to back up the system data using the command line. Before
proceeding, some general considerations and advice apply:
• The Oracle server must be running.
• You are advised to back up the files onto a safe repository.
• You are responsible for guaranteeing that the TNMS NCT server backup data files
are not corrupted or changed in any way, including the file name. Otherwise,
restoring the backup will not be possible.
The following operations are described below:
• Backing up the Oracle database
• Backing up the TNMS NCT database
• Automating the Backup procedures

Backing up the Oracle database

Backing up the Oracle database performs the full backup of the entire Oracle database,
including the TNMS NCT database backup files.
The backup of the Oracle database runs automatically and is scheduled inside Oracle
Scheduler to run daily at a predefined hour, which, by default, is 03:00 AM. You can
change the scheduled time using the B&R console schedule settings option. No other
parameter is changeable.

Tip: In case you reschedule the daily backup, set it to run outside high-load periods, so
that the application performance is not affected.

The operation's logs are stored in the B&R application folder:
C:\Program Files (x86)\Coriant\TNMS\server\bin\backuprestore\RMAN_TNMS.log


Tip: You should consider scheduling an independent backup of the TNMS NCT database
backup files, since Oracle backup files are only kept for 3 days maximum. Refer to the
section Automating the Backup procedures in this chapter for more information.

To change the scheduled backup time:

1. Open a command line window (in Windows, use the option "Run as Administrator").
2. Go to the B&R application folder (the default is
   C:\Program Files (x86)\Coriant\TNMS\server\bin\backuprestore).
3. Run backuprestore.
4. Select option 4> Schedule settings on the console.
5. Provide the TNMS NCT credentials (Figure 6).

Figure 6 Changing the Oracle database backup schedule settings

6. Provide the new time for the scheduled backup to run, in 24-hour format (Figure 6).
7. Press Enter.

Backing up the TNMS NCT database

To back up the TNMS NCT database:
1. Open a command line window (use the option "Run as Administrator").
2. Define a folder where to store the backup. You can either use an existing folder or
   create one, as long as all users have read/write privileges on it.
3. Go to the B&R application folder (the default is
   C:\Program Files (x86)\Coriant\TNMS\server\bin\backuprestore).
4. Back up the TNMS NCT database using either the interactive mode console (go to
   step 5) or the non-interactive mode (go to step 6).
5. Either back up the TNMS NCT database using the interactive mode console:
   a. Run backuprestore.
   b. Select option 1> Perform backup.
   c. Provide the TNMS NCT credentials upon request (Figure 7).


Figure 7 Backup submenu

   d. Select option 1> TNMS database from the submenu in Figure 7.
   e. Enter the directory of your choice (local or remote) where the backup files will be
      stored and press Enter.
6. Or run the non-interactive mode:
   backuprestore -b -s -d <directory> -u <username> -p <password>
As a result, a subdirectory named after the backup timestamp
<yyyy_MM_dd_HH_mm_ss> is created under the directory you provided and the backup
file of the TNMS NCT database is saved within it. The backup file is saved as <name of
the TNMS database>.DMP.

Automating the Backup procedures

It is recommended to back up the TNMS NCT database at least weekly. You can create
command scripts for the backup and restore procedures and configure the operating
system scheduler to run them at scheduled times.

Warning: It is recommended to automate the backup using TNMS NCT instead of a command
script (see 3.5.4 Backup procedures through the TNMS NCT client). The script contains
sensitive data, such as usernames or passwords, that require access control. By using
TNMS NCT you avoid such security issues.
Ensure the correct access rights, according to your security policy, on any command
script containing sensitive data, such as usernames or passwords.

For example, you can create a weekly schedule with the following command:
SCHTASKS.EXE /CREATE /SC WEEKLY /TN "<SCHEDULE_NAME>" /ST <SCHEDULE_TIME> /TR "<COMMAND>" /RU "SYSTEM"
Where:
• <SCHEDULE_NAME> is the name of the schedule.
• <SCHEDULE_TIME> is the time at which the command will be run (for example,
  02:50:00).
• <COMMAND> is the command to be run.
You can also use SCHTASKS.EXE to inspect the schedule details or delete schedules.
To list schedule details, run:
SCHTASKS.EXE /TN "<SCHEDULE_NAME>"
And to delete a schedule, run:
SCHTASKS.EXE /DELETE /TN "<SCHEDULE_NAME>"


Warning: You must create a user in TNMS NCT dedicated to scheduled backups and not allow
it to expire. Create the user via "User Administration" and select the option "User cannot
change password". When setting the backup commands to be run by the schedules, use
this user.
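The following PowerShell script is an added example; it is not part of this manual or of the TNMS NCT software. It puts the recommendations of this section together: the non-interactive backup command from "Backing up the TNMS NCT database", a command script whose folder ACL is reduced to SYSTEM and Administrators before the password is written into it, the SCHTASKS weekly schedule shown above run as SYSTEM, and a check of the newest backup that records a SHA-256 of the .DMP file so that a changed or truncated backup can be detected before a restore is attempted. The script folder C:\TNMS_Backup, the backup folder D:\TNMS_Backups, the user name tnms_backup and the task name are assumptions chosen for the example, not values from the manual. It needs an elevated PowerShell 4 or later prompt (Get-FileHash).

```powershell
# Added example, not Coriant's code. Assumptions (not from the manual): script folder
# C:\TNMS_Backup, backup folder D:\TNMS_Backups, dedicated TNMS NCT user "tnms_backup".
# Run from an elevated PowerShell prompt (PowerShell 4 or later for Get-FileHash).

$BrDir      = 'C:\Program Files (x86)\Coriant\TNMS\server\bin\backuprestore'  # default B&R folder (manual)
$ScriptDir  = 'C:\TNMS_Backup'          # assumption; no spaces, so no quoting needed in /TR
$ScriptPath = Join-Path $ScriptDir 'tnms_backup.cmd'
$BackupDir  = 'D:\TNMS_Backups'         # assumption; the <yyyy_MM_dd_HH_mm_ss> subfolders land here
$BackupUser = 'tnms_backup'             # assumption: the dedicated, non-expiring TNMS NCT user
$TaskName   = 'TNMS_NCT_Weekly_Backup'  # assumption
$TaskTime   = '02:50'                   # SCHTASKS /ST takes HH:mm

function Protect-ScriptFolder {
    param([string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # Drop inherited ACEs, then grant full control only to SYSTEM (the task's /RU account)
    # and to local Administrators. (OI)(CI) makes the ACE inherit to files and subfolders.
    icacls $Path /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
}

function Write-BackupScript {
    param([string]$Path, [System.Management.Automation.PSCredential]$Credential)
    $plain = $Credential.GetNetworkCredential().Password
    # The manual's non-interactive backup command (-b -s -d -u -p). The password ends up in
    # this file, which is why the folder ACL is applied before the file is written.
    $lines = @(
        '@echo off',
        "cd /d `"$BrDir`"",
        "call backuprestore.bat -b -s -d `"$BackupDir`" -u $($Credential.UserName) -p $plain"
    )
    Set-Content -Path $Path -Value $lines -Encoding ASCII
}

function Register-WeeklyBackupTask {
    param([string]$Name, [string]$Time, [string]$Command)
    # Same SCHTASKS form as the manual; /D SUN pins the weekday, /F replaces an existing task.
    schtasks.exe /CREATE /SC WEEKLY /D SUN /TN $Name /ST $Time /TR $Command /RU 'SYSTEM' /F
}

function Get-LatestTnmsBackup {
    param([string]$Root)
    # Backup subfolders are named after the timestamp yyyy_MM_dd_HH_mm_ss (manual); the
    # newest therefore sorts last by name.
    $dirs = @(Get-ChildItem -Path $Root -Directory |
              Where-Object { $_.Name -match '^\d{4}_\d{2}_\d{2}_\d{2}_\d{2}_\d{2}$' } |
              Sort-Object Name)
    if ($dirs.Count -eq 0) { return $null }
    $latest = $dirs[-1]
    $taken  = [datetime]::ParseExact($latest.Name, 'yyyy_MM_dd_HH_mm_ss', $null)
    $dmp    = Get-ChildItem -Path $latest.FullName -Filter '*.DMP' | Select-Object -First 1
    [pscustomobject]@{
        Directory = $latest.FullName
        Taken     = $taken
        AgeDays   = [math]::Round(((Get-Date) - $taken).TotalDays, 1)
        DumpFile  = if ($dmp) { $dmp.FullName } else { $null }
        # Hash recorded at backup time: compare it before a restore to detect a modified or
        # truncated .DMP, which the manual says would make the restore impossible.
        Sha256    = if ($dmp) { (Get-FileHash -Path $dmp.FullName -Algorithm SHA256).Hash } else { $null }
    }
}

Protect-ScriptFolder -Path $ScriptDir
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$cred = Get-Credential -UserName $BackupUser -Message 'Password of the dedicated TNMS NCT backup user'
Write-BackupScript -Path $ScriptPath -Credential $cred
Register-WeeklyBackupTask -Name $TaskName -Time $TaskTime -Command $ScriptPath
schtasks.exe /QUERY /TN $TaskName /V /FO LIST       # inspect the schedule

# Run the task once now and report the resulting backup (the task runs asynchronously).
schtasks.exe /RUN /TN $TaskName
Start-Sleep -Seconds 60                             # assumption: small database; adjust to your dump size
Get-LatestTnmsBackup -Root $BackupDir | Format-List
```

Store the Sha256 value of each backup somewhere other than the backup folder itself; recomputing it with Get-FileHash before a restore tells you whether the .DMP is still the file that was written. The password is written to a plain .cmd file, so a password containing cmd.exe metacharacters (for example & or %) or non-ASCII characters must be avoided for this account.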

3.5.4 Backup procedures through the TNMS NCT client

The Backup feature is also embedded in the TNMS NCT Client. It allows you to run a
manual backup of the TNMS NCT database (TNMS NCT data) or to schedule a backup.
The Backup window (Figure 8) allows you to see information about the backup status,
and to choose to run a manual backup or schedule a backup. This window is for
information purposes only.

Figure 8 Backup window

To run a manual backup of the TNMS NCT database:

1. In the TNMS NCT main window, click the Administration > System > Backup
   menu item.
   The Backup window opens.
2. Click the Manual button.
   This opens the Manual Backup window.
3. Select the Path to save the backup file.

Note: About the backup folder:
• The backup path must already exist beforehand; otherwise the task fails and you
  receive the following error message in a notification popup, in the bottom right
  corner: Backup operation failed.
• Everyone within the domain must have read and write permissions on the folder,
  so that no credentials are requested to read it. However, for accesses from
  outside the domain, the credentials will still be requested.


• If you use a remote drive, you have to specify the full network (UNC) path, since
  TNMS NCT is not able to reach the mapped drive through the letter assigned by
  Windows.
  Example:
  • Local drive: C:\<BackupFolder>
  • Remote drive: \\<IP address>\<BackupFolder>

4. Click Start to run the backup.
   The backup task starts.
   If the backup operation fails, refer to the Troubleshooting Manual, Alarm logs chapter,
   for a solution description.

Note: When there is a backup running through the command line, it is not possible to run a
manual backup through the TNMS NCT Client.

To schedule a backup of the TNMS NCT database:

1. In the TNMS NCT main window, click the Administration > System > Backup
   menu item.
   The Backup window opens.
2. Click the Schedule button.
   This opens the Schedule Backup window.
3. Check the Activate checkbox.
4. Under Backup Options, select the Start date.
5. Under Recurrence pattern, select the recurrence of the scheduling:
   Periodic: allows you to define the recurring time and the backup period in days and
   hours. It also allows you to define the end date.
   Weekly: allows you to define the recurring time and the week days.
   Monthly: allows you to define the recurring time and the days of the month.
   At least one of these fields needs to be selected.
6. Select the Path where to save the backup file (see the notes under step 3 of "To run
   a manual backup of the TNMS NCT database").
7. Click OK.
   This schedules the backup.

3.5.5 Recovery & Restore procedures

This chapter describes how to recover or restore the previously backed up system data.
This application runs only through the command line.
The following operations are described below:
• Recovering the Oracle database
• Restoring the TNMS NCT database


Recovering the Oracle database

Warning: A database recovery is not the same as a TNMS NCT database restore and should
only be performed in case of Oracle database corruption. Recovering the Oracle
database will restore the TNMS NCT database. However, recovering the TNMS NCT
database alone will not restore the Oracle database.

The database recovery automatically stops and restarts the "TNMS Server" service.

To restore the Oracle database:

1. Open a command line window (in Windows, use the option "Run as Administrator").
2. Go to the B&R application folder (the default is
   C:\Program Files (x86)\Coriant\TNMS\backuprestore).
3. Use either the non-interactive mode or the interactive console:
   • Run backuprestore -R -u <username> -p <password>
     or
     backuprestore --recovery -u <username> -p <password>
   • Run backuprestore and select option 3> Perform database recovery.
4. Start the "TNMS Server" service.
An Oracle database recovery is made using the last consistent backup found in the Fast
Recovery Area of Oracle.

Note: After the Oracle database recovery, a TNMS NCT database restore is not necessary,
since the Oracle database backups also contain the TNMS NCT specific data.

Restoring the TNMS NCT database

The restore must be executed by the same user that installed the Oracle DB or by a
user that belongs to the ora_dba group (Computer Management > Local Users and
Groups > Groups).
Refer to the Installation Manual Windows for the complete procedure to add a user to
the ora_dba group.
During this procedure the "TNMS Server" service is automatically stopped and
restarted.
To restore the TNMS NCT database:
1. Open a command line window (use the option "Run as Administrator").
2. Go to the B&R application folder (the default is
   C:\Program Files (x86)\Coriant\TNMS\server\bin\backuprestore).
3. Restore the TNMS NCT database using either the interactive mode console (go to
   step 4) or the non-interactive mode (go to step 5).
4. Either restore the TNMS NCT database using the interactive mode console:
   a. Run backuprestore.
   b. Select option 2> Perform restore.


   c. Provide the TNMS NCT credentials upon request.
   d. Select option 1> TNMS database from the submenu.
   e. Enter the directory from which to load the backup file <name of the TNMS
      database>.DMP and press Enter.
5. Or run the non-interactive mode:
   backuprestore -r -s -d <directory> -u <username> -p <password>
The "TNMS Server" service is automatically restarted when the restore procedure is
complete.


4 Advanced Administration

4.1 Security hardening

This chapter describes the existing TNMS NCT security hardening measures.
Note that TNMS NCT already applies security hardening during installation. This means
that, for example, security settings are defined so that no unnecessary permissions are
granted. The remaining items are, in a default installation, hardened to an acceptable
level. However, it is possible to improve on that level, as described in the following
sections.

4.1.1 Physical and hardware hardening

Any effort in securing a system is useless if possible attackers can have physical access
to a TNMS NCT machine. It is very easy to disable security mechanisms or compromise
the system if there is easy physical access to a machine. For these reasons the following
measures should be taken:
• The TNMS NCT server machine should be located in a room to which only the system
  administrators have access.
• A physical access control should be put in place, including, for example, electronic
  door locks.
• Any non-required I/O interfaces, such as USB interfaces or DVD drives, should be
  removed or, at least, disabled.
• Any type of communication interface not required for the operation of TNMS NCT
  should be removed or, at least, disabled. This is especially important for wireless
  interfaces such as Bluetooth or WLAN adapters.
• All hardware should be securely installed so that it cannot easily be moved.
• The facilities where the hardware is located should have sufficient heat dissipation
  and, if needed, the server room should be air-conditioned.
• Additional security measures, such as video surveillance of server rooms, are
  recommended.
• The BIOS of the machines used for TNMS NCT should be protected by a password,
  to prevent unauthorized modification of the machines' BIOS configuration.

4.1.2 Operating System hardening

Microsoft Windows Critical and Security patches
Coriant recommends that you keep Windows constantly updated with the latest Microsoft
Windows Critical and Security patches on all TNMS machines. In order to do so, enabling
the automatic Windows Update Service for Security Updates is recommended.

Note: If you use the Windows Server Update Services (WSUS), refer to the official Microsoft
WSUS documentation for configuration instructions.

To ensure compatibility between TNMS and the latest Microsoft Windows Critical and
Security patches, this TNMS release is automatically tested on machines installed with
the latest Microsoft Windows Critical and Security patches. These tests will be run after
Global Availability for as long as they are relevant for this TNMS release.


Microsoft issued in Security Bulletin MS15-011 a security update to solve a vulnerability
in group policy that could allow remote code execution. Coriant recommends the
installation of this patch for a domain-connected server. This patch will create a new
Group Policy Object, Hardened UNC Paths, that may be used to improve security in the
way a computer receives group policies. Please consult the Microsoft documentation for a
description of this new policy: https://support.microsoft.com/en-us/kb/3000483.

Disable and delete unnecessary accounts

Unnecessary accounts should not exist, as the machine should be used exclusively by the
TNMS NCT server. Nevertheless, it should be verified before TNMS NCT is installed that no
additional unnecessary users exist.
TNMS NCT only requires the existence of the following users:
• Administrator
• sshd
• SvcCOPSSH
All other users should be disabled. For example, during the Windows Server 2008
installation, the Administrator, Guest and Help Assistant accounts are created by default.
Both the Guest and Help Assistant accounts should be disabled at all times.
To disable an account in Windows 7, do as follows:
1. Go to Start > All Programs > Administrative Tools > Computer Management.
   The Computer Management window opens.
2. Expand the tree in the left pane and go to Computer Management > System Tools
   > Local Users and Groups > Users.
3. Right-click on the user name (for example Guest or Help Assistant) and select
   Properties.
4. Click on Disable Account.

To disable an account in Windows Server 2008, do as follows:

1. Go to Start > All Programs > Administrative Tools > Server Manager >
   Configuration > Local Users and Groups > Users.
2. Right-click on the user name (for example Guest or Help Assistant) and select
   Properties.
3. Click on Disable Account.

To disable an account in Windows Server 2012, do as follows:

1. Go to Start > All Programs > Administrative Tools > Server Manager > Local
   Server.
2. In Tools, select Computer Management > Local Users and Groups > Users.
3. Right-click on the user name (for example Guest or Help Assistant) and select
   Properties.
4. Click on Disable Account.
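The following PowerShell script is an added example and not part of this manual or of the TNMS NCT software. It does from the command line what the three GUI procedures above do by hand: it lists every local account, marks the ones that are enabled but not among the three users the manual says TNMS NCT requires, and offers a function that sets the "account disabled" flag. It uses the WinNT ADSI provider so that it runs on Windows 7, Windows Server 2008 and 2012 without the newer local-account cmdlets; the list of required accounts is taken from this section, the disabling step is left commented out so that the report is reviewed first.

```powershell
# Added example, not Coriant's code. Run from an elevated PowerShell prompt.

$RequiredAccounts      = @('Administrator', 'sshd', 'SvcCOPSSH')  # the users this section says TNMS NCT needs
$ADS_UF_ACCOUNTDISABLE = 0x0002                                   # UserFlags bit "account disabled"

function Get-LocalAccountReport {
    # Returns every local user with its enabled state and whether the manual expects it to exist.
    param([string[]]$Allow = $RequiredAccounts)
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    foreach ($child in $computer.Children) {
        if ($child.SchemaClassName -ne 'user') { continue }   # skip groups and services
        $name  = [string]$child.Name
        $flags = [int]$child.UserFlags.Value
        [pscustomobject]@{
            Name      = $name
            Enabled   = (($flags -band $ADS_UF_ACCOUNTDISABLE) -eq 0)
            Expected  = ($Allow -contains $name)                # -contains is case-insensitive
            UserFlags = ('0x{0:X}' -f $flags)
        }
    }
}

function Disable-LocalAccountByName {
    # Sets the "account disabled" flag: the same effect as "Disable Account" in the GUI steps.
    param([Parameter(Mandatory = $true)][string]$Name)
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    $user.UserFlags = ([int]$user.UserFlags.Value) -bor $ADS_UF_ACCOUNTDISABLE
    $user.SetInfo()
}

# Report first, act second: an unexpected account may belong to the virus scanner or to a
# monitoring agent that was deliberately installed, so review the list before disabling.
$report = @(Get-LocalAccountReport)
$report | Sort-Object Expected, Name | Format-Table -AutoSize

$candidates = $report | Where-Object { $_.Enabled -and -not $_.Expected }
foreach ($acct in $candidates) {
    Write-Host "Would disable: $($acct.Name)"
    # Disable-LocalAccountByName -Name $acct.Name      # uncomment after reviewing the report
}
```

Run the script again after disabling; an account that shows Enabled = True in the second report was re-enabled by something else (a service installer, a group policy) and needs to be traced before the machine goes into production.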


Uninstall unnecessary applications and roles

TNMS only requires the following roles (only available in Windows Server 2008 and
2012):
• Management Tools
• IIS Management Console
• FTP Server (optional: only if legacy NEs, which only support FTP, are to be
  managed by TNMS)
• FTP Service
• FTP Extensibility
All other roles should be uninstalled.

To uninstall an unnecessary role:
• Go to Start > All Programs > Administrative Tools > Server Manager > Roles
  and click to remove roles.

To uninstall an unnecessary application:
• Go to Start > Control Panel > Programs and Features, select the application and
  click to remove it.

Configure Auditing
To automatically configure the audit policies, run the following command, located in the
TNMS NCT software:
TNMS_Prerequisites\Audit Policies\AuditPolicies.bat

Tip: You can check the configured audit policies by running in the command line:
auditpol /get /category:*

Disable unnecessary shares

System and security administrators should disable all unnecessary shares, configure
the necessary ones and harden all NTFS and Share permissions.
To disable shares, do as follows:
1. Get a list of all the shares on the server by running the following command:
   #> net share
2. Disable all shares that are not in use. See Table 7 Windows default shares for
   guidance on which default shares you should disable.
   • Via command line:
     #> net share <sharename> /delete
   • Via the graphical user interface:
     Go to Start > Control Panel > Administrative Tools > Computer Management >
     System Tools > Shared Folders > Shares, select the share and
     choose Stop sharing.


Share          Description                                          Recommended hardening measure
DriveLetter$   -                                                    Disable
ADMIN$         Only needed in case of remote administration of      -
               the machine. Should not be disabled.
IPC$           Needed by Windows and can/must thus not be           -
               disabled.
NETLOGON       Used by domain controller and should not be          -
               disabled.
SYSVOL         Used by domain controller and should not be          -
               disabled.
Print$         Only needed in case of remote administration of      Disable manually, if exists.
               printers.
FAX$           Only needed in case of remote administration of      Disable manually, if exists.
               fax clients.

Table 7 Windows default shares
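The following PowerShell script is an added example and not part of this manual or of the TNMS NCT software. It performs the two steps above in one pass: it enumerates the shares that "net share" would list (through the Win32_Share WMI class, available on Windows 7 and Windows Server 2008/2012), classifies each one according to Table 7, and, only when -Remove is given, deletes the drive-letter shares with the manual's "net share <sharename> /delete". The keep-list and the classification rules are those of Table 7; nothing else is assumed.

```powershell
# Added example, not Coriant's code. Run from an elevated PowerShell prompt.

function Get-ShareHardeningReport {
    param([switch]$Remove)
    $keep = @('ADMIN$', 'IPC$', 'NETLOGON', 'SYSVOL')        # Table 7: must not be disabled
    foreach ($share in Get-WmiObject -Class Win32_Share) {
        $name = $share.Name
        $action = if ($keep -contains $name) {
                      'Keep (Table 7)'
                  } elseif ($name -match '^[A-Za-z]\$$') {           # C$, D$, ...
                      'Disable (DriveLetter$, Table 7)'
                  } elseif ($name -eq 'Print$' -or $name -eq 'FAX$') {
                      'Disable manually, if exists (Table 7)'
                  } else {
                      'Not a Windows default share: disable unless TNMS NCT needs it'
                  }
        $result = 'reported only'
        # Only the drive-letter shares are removed automatically; Print$/FAX$ and custom
        # shares are left for the administrator to judge, as Table 7 says "manually".
        if ($Remove -and $action -like 'Disable (*') {
            $out = net share $name /delete             # the manual's command
            $result = ($out | Out-String).Trim()
        }
        [pscustomobject]@{ Share = $name; Path = $share.Path; Action = $action; Result = $result }
    }
}

Get-ShareHardeningReport | Format-Table -AutoSize
# Get-ShareHardeningReport -Remove | Format-Table -AutoSize   # after reviewing the report
```

Windows recreates the administrative drive shares (C$ and the like) when the Server service restarts, so a removal made with net share alone does not survive a reboot; run the report again after a restart to confirm the state.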

Disable Remote Registry

The Remote Registry service allows registry access to authenticated remote users.
Even though this service is blocked by the firewall and ACLs, if you have no reason to
allow remote registry access, Remote Registry should be disabled.
To disable the remote registry:
1. Go to Start > All Programs > Accessories > Run, enter regedit and press
   Enter.
2. Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\
3. Select winreg, right-click it and select Permissions.
4. Select the appropriate users/groups and appropriate permissions.
5. Click OK and close the window.

Disable remote server management (Windows Server 2008 / 2012 only)

Remote management should be disabled. Servers running Windows Server 2008 R2
have remote management disabled by default, so no intervention is required. However,
those running Windows Server 2012 R2 require disabling according to the following
instructions:
1. Click Start and type gpedit.msc in the search box. Click the gpedit tile when it is
   displayed.
   The Local Group Policy Editor opens.


2. In the tree on the left, navigate to Computer Configuration\Administrative
   Templates\Windows Components\Windows Remote Management (WinRM)\
   WinRM Service.
3. In the pane on the right, double-click Allow remote server management through
   WinRM.
   A dialog box opens.
4. In the dialog box, select Disabled to disable remote management.
   Click OK.

Enable Windows Error Reporting

Windows Error Reporting (WER) is a set of Windows technologies that capture software
crash data and support end-user reporting of crash information. WER should be
enabled.
In Windows 7, Windows Error Reporting is enabled by default. However, in Windows
Server 2008 and Windows Server 2012 you should enable WER.

To enable WER in Windows Server 2008:

1. Go to Start > All Programs > Administrative Tools > Server Manager and expand
   Resources and Support.
2. Click on Configure Windows Error Reporting.
3. In the Windows Error Reporting Configuration dialog box, select one of the
   following options:
   • Yes, automatically send detailed reports: personal data may be sent to
     Microsoft.
   • Yes, automatically send summary reports: only non-personal data is sent to
     Microsoft.
4. Click OK.

To enable WER in Windows Server 2012:

1. Go to Start > All Programs > Administrative Tools > Server Manager > Local
   Server.
2. Locate Windows Error Reporting and click Off.
3. In the Windows Error Reporting Configuration dialog box, select one of the
   following options:
   • Yes, automatically send detailed reports: personal data may be sent to
     Microsoft.
   • Yes, automatically send summary reports: only non-personal data is sent to
     Microsoft.
4. Click OK or close the window.


Additional Software
The TNMS NCT server machine should be dedicated to running the TNMS NCT Server only.
No additional software should be installed beyond the TNMS NCT application and the
applications listed below:
• CopSSH
• OSI Stack
• Oracle Database Express Edition 11g Release 2 (64-bit)
• Java JRE7u79
• Virus Scanner (for example, TrendMicro OfficeScan Client)

Digitally signed communications (Local Security Policy)

It is possible to digitally sign all Microsoft network server communications. By default, this
security feature is not switched on. To enable this feature, do as follows:
1. Go to Start > Control Panel > Administrative Tools and double-click Local
   Security Policy.
2. Click to expand Local Policies and select Security Options.
3. From the list, right-click Microsoft network server: Digitally sign
   communications (always) and select Properties.
4. Select Enable and click OK to apply the changes.
5. Repeat step 3 and step 4 for the policy Microsoft network server: Digitally sign
   communications (if client agrees).

Minimize system services

TNMS NCT enables all services it requires for its proper operation. So, any other active
default service should be disabled. If required, Remote Access can be kept open for
remote configuration of the system, such as in the case of a headless server (see Remote
Access/Remote Desktop).
The following services must be disabled, as they are not needed by TNMS NCT. Some
of them must be considered inherently insecure:

Note: FTP shall only be explicitly enabled whenever legacy NEs are used which support only
FTP and not SFTP/SCP or FTPS.


• ActiveX Installer
• Application Layer Gateway
• Application Management
• ASP.NET State
• Block Level Backup Engine
• DHCP Server/Client
• Bluetooth Manager
• Bluetooth Support
• BranchCache
• Certificate Propagation
• Credential Manager
• Distributed Link Tracking Client
• Enterprise Connect WebDAV
• Fax
• FTP*
• Function Discovery Provider Host
• Function Discovery Provider Publication
• Health Key and Certificate Management
• HomeGroup Listener
• HomeGroup Provider
• IKE and AuthIP IPSec Keying Modules ***
• Any type of wireless LAN adapters
• Any type of bluetooth adapter
• Interactive Service Detection
• Internet Connection Sharing
• KtmRm for Distributed Transaction Coordinator
• Link-Layer Topology Discovery
• Microsoft Office Diagnostics
• Microsoft Software Shadow Copy provider
• Net.Msmq Listener Adapter
• Net.Pipe Listener Adapter
• Net.TCP Listener Adapter
• Network Location awareness
• Office Source Engine
• Parental Controls
• Peer Name Resolution Protocol
• Peer Networking
• Performance Counter DLL Host / Logs / Alerts
• Problem Report and Solution Control Panel
• Program compatibility Assistant
• Remote Access (**)
• Remote Desktop (**)
• Routing and Remote Access
• Secondary Logon
• Secure Socket tunneling Protocol
• Smart card
• SNMP
• SPP Notification
• SSDP Discovery
• Tablet PC Input
• Telephony
• Thread Ordering Server
• TPM Base
• UPnP
• Virtual Disk
• WebClient
• Windows Backup
• Windows Biometric
• Windows CardSpace
• Windows Connect Now
• Windows Media Player Network Sharing Service
• Windows Remote Management (**)
• Windows Search
• Windows Update
• WinHTTP
• Wired AutoConfig
• WLAN AutoConfig

* FTP is only needed if TNMS NCT manages legacy NEs, which support FTP but do not
support any secure protocol.
** Disable only if no remote server administration shall be permitted.
*** Disable only if IPSec is not used for communication with the NEs.

Windows services can be disabled via Start > Administrative Tools > Services.
If a service is changed to "disabled" via the context menu, it is no longer running and will
no longer be automatically started during OS startup.
TNMS NCT Server uses the following services:
• Application Host Helper Service
• Certificate Propagation
• COM+ Event System
• COM+ System Application
• Cryptographic Services
• DCOM Server Process Launcher


• Desktop Window Manager Session Manager
• Diagnostic Policy Service
• Distributed Transaction Coordinator
• DNS Client
• IIS Admin Service
• IP Helper
• IPsec Policy Agent
• Microsoft FTP Service
• Net.Pipe Listener Adapter
• Net.Tcp Listener Adapter
• Net.Tcp Port Sharing Service
• Netlogon
• Network Connections
• Network List Service
• Network Location Awareness
• Network Store Interface Service
• Optional: Virus Scanner, e.g. OfficeScan NT RealTime Scan
• Openssh SSHD
• OracleOraDb11g_home1TNSListener
• OracleServiceTNMS
• Plug and Play
• Portable Device Enumerator Service
• Power
• Print Spooler
• RCTSrv
• Remote Desktop Configuration*
• Remote Desktop Services*
• Remote Desktop Services UserMode Port Redirector*
• Remote Procedure Call (RPC)
• RPC Endpoint Mapper
• Security Accounts Manager
• Server
• Shell Hardware Detection
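The following PowerShell script is an added example and not part of this manual or of the TNMS NCT software. It audits the installed Windows services against the "must be disabled" list of this section and reports, for each entry, the matching service, its state and start mode, and a verdict. The entries are taken as printed in the manual and matched as prefixes of the Windows display name (so "Application Layer Gateway" finds "Application Layer Gateway Service"); the two hardware entries ("Any type of ... adapter") are left out and "DHCP Server/Client" is split into its two names. A few entries (Certificate Propagation, the Net.Pipe and Net.TCP Listener Adapters, Network Location Awareness) also appear in the list of services TNMS NCT Server uses, so the script flags them as conflicts instead of touching them; the footnoted entries, and Windows Update, which the patching section of this chapter says to keep enabled, are reported but never changed automatically. Nothing is changed unless -Apply is given.

```powershell
# Added example, not Coriant's code. Run from an elevated PowerShell prompt.

$DisableList = @(   # entries as printed in the manual's "must be disabled" list (hardware entries omitted)
  'ActiveX Installer','Application Layer Gateway','Application Management','ASP.NET State',
  'Block Level Backup Engine','DHCP Server','DHCP Client','Bluetooth Manager','Bluetooth Support',
  'BranchCache','Certificate Propagation','Credential Manager','Distributed Link Tracking Client',
  'Enterprise Connect WebDAV','Fax','FTP','Function Discovery Provider Host',
  'Function Discovery Provider Publication','Health Key and Certificate Management',
  'HomeGroup Listener','HomeGroup Provider','IKE and AuthIP IPSec Keying Modules',
  'Interactive Service Detection','Internet Connection Sharing',
  'KtmRm for Distributed Transaction Coordinator','Link-Layer Topology Discovery',
  'Microsoft Office Diagnostics','Microsoft Software Shadow Copy provider',
  'Net.Msmq Listener Adapter','Net.Pipe Listener Adapter','Net.TCP Listener Adapter',
  'Network Location awareness','Office Source Engine','Parental Controls',
  'Peer Name Resolution Protocol','Peer Networking','Performance Counter DLL Host',
  'Performance Logs','Problem Report','Program compatibility Assistant','Remote Access',
  'Remote Desktop','Routing and Remote Access','Secondary Logon','Secure Socket tunneling Protocol',
  'Smart card','SNMP','SPP Notification','SSDP Discovery','Tablet PC Input','Telephony',
  'Thread Ordering Server','TPM Base','UPnP','Virtual Disk','WebClient','Windows Backup',
  'Windows Biometric','Windows CardSpace','Windows Connect Now',
  'Windows Media Player Network Sharing Service','Windows Remote Management','Windows Search',
  'Windows Update','WinHTTP','Wired AutoConfig','WLAN AutoConfig'
)
# Footnoted (*, **, ***) in the manual, plus Windows Update (kept per the patching section):
# reported, never auto-disabled.
$Conditional = @('FTP','Remote Access','Remote Desktop','Windows Remote Management',
                 'IKE and AuthIP IPSec Keying Modules','Windows Update')
$RequiredList = @(   # the manual's "TNMS NCT Server uses the following services" list
  'Application Host Helper Service','Certificate Propagation','COM+ Event System',
  'COM+ System Application','Cryptographic Services','DCOM Server Process Launcher',
  'Desktop Window Manager Session Manager','Diagnostic Policy Service',
  'Distributed Transaction Coordinator','DNS Client','IIS Admin Service','IP Helper',
  'IPsec Policy Agent','Microsoft FTP Service','Net.Pipe Listener Adapter','Net.Tcp Listener Adapter',
  'Net.Tcp Port Sharing Service','Netlogon','Network Connections','Network List Service',
  'Network Location Awareness','Network Store Interface Service','Openssh SSHD',
  'OracleOraDb11g_home1TNSListener','OracleServiceTNMS','Plug and Play',
  'Portable Device Enumerator Service','Power','Print Spooler','RCTSrv','Remote Desktop Configuration',
  'Remote Desktop Services','Remote Desktop Services UserMode Port Redirector',
  'Remote Procedure Call (RPC)','RPC Endpoint Mapper','Security Accounts Manager','Server',
  'Shell Hardware Detection'
)

function Get-ServiceHardeningReport {
    param([switch]$Apply)
    $installed = Get-WmiObject -Class Win32_Service        # Name, DisplayName, State, StartMode
    foreach ($entry in $DisableList) {
        # An entry that is also a prefix of a required service name is a conflict between the
        # two lists; it is reported for a decision by hand and never changed here.
        $conflict = @($RequiredList | Where-Object { $_ -like "$entry*" }).Count -gt 0
        $found = @($installed | Where-Object { $_.DisplayName -like "$entry*" })
        if ($found.Count -eq 0) {
            [pscustomobject]@{ Entry = $entry; Service = ''; State = ''; StartMode = ''; Verdict = 'not installed' }
            continue
        }
        foreach ($svc in $found) {
            $verdict = if ($conflict)                         { 'CONFLICT: also in the TNMS NCT Server list' }
                       elseif ($Conditional -contains $entry) { 'conditional (see footnotes); not changed' }
                       elseif ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Stopped') { 'already disabled' }
                       else                                   { 'to disable' }
            if ($Apply -and $verdict -eq 'to disable') {
                if ($svc.State -ne 'Stopped') { Stop-Service -Name $svc.Name -Force }
                Set-Service -Name $svc.Name -StartupType Disabled   # what "disabled" in services.msc does
                $verdict = 'disabled'
            }
            [pscustomobject]@{ Entry = $entry; Service = $svc.DisplayName; State = $svc.State
                               StartMode = $svc.StartMode; Verdict = $verdict }
        }
    }
}

Get-ServiceHardeningReport | Sort-Object Verdict | Format-Table -AutoSize
# Get-ServiceHardeningReport -Apply | Format-Table -AutoSize    # after reviewing the report
```

Keep the report of the first run: it is the baseline against which a later run shows services that were re-enabled by an update or by an installer.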

Remote Access/Remote Desktop

TNMS NCT does not rely on the remote access/remote desktop feature provided by the
Windows operating system. However, it is possible to remotely administer TNMS NCT
machines. It is therefore recommended that you configure Network Level Authentication
for the allowed connections as described below.

To configure Network Level Authentication for a connection in Windows 7:

1. On the Remote Desktop Session Host server, go to Start > Control Panel >
   System > Remote settings.
   The System Properties window opens.
2. On the Remote tab, select Allow connections only from computers running
   Remote Desktop with Network Level Authentication.


Note: If the Allow connections only from computers running Remote Desktop with
Network Level Authentication check box is selected but cannot be changed, the Require
user authentication for remote connections by using Network Level Authentication
Group Policy setting has been enabled and applied to the Remote Desktop Session Host
server.

3. Click OK.

To configure Network Level Authentication for a connection in Windows Server 2008:

1. On the Remote Desktop Session Host server, go to Start > Administrative Tools
   > Remote Desktop Services > Remote Desktop Session Host Configuration.
2. Under Connections, right-click the name of the connection and then click
   Properties.
3. On the General tab, select Allow connections only from computers running
   Remote Desktop with Network Level Authentication.

Note: If the Allow connections only from computers running Remote Desktop with
Network Level Authentication check box is selected but cannot be changed, the Require
user authentication for remote connections by using Network Level Authentication
Group Policy setting has been enabled and applied to the Remote Desktop Session Host
server.

4. Click OK.

To configure Network Level Authentication for a connection in Windows Server 2012:

1. On the Remote Desktop Session Host server, go to Start and type sysdm.cpl to
   open the System Properties.
2. In System Properties, click the Remote tab.
3. In the Remote Desktop area, select Allow remote connections to this computer.
4. Check the option Allow connections only from computers running Remote
   Desktop with Network Level Authentication (recommended).
5. Click OK or close the window.

Reduce passive FTP port range

By default, FTP uses any port of the dynamic port range 49152-65535, which is quite
wide. To limit this range, do as follows:

Warning: The range should contain 50 or more ports.

1. Go to Start > Control Panel > Administrative Tools > Internet Information
   Services (IIS) Manager. In the Connections pane, click the server-level node in the
   tree.
2. Double-click the FTP Firewall Support icon in the list of features.


3. Enter a range of values for the Data Channel Port Range.
4. Click Apply in the Actions pane to save your settings.
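The following PowerShell script is an added example and not part of this manual or of the TNMS NCT software. It sets the same Data Channel Port Range as the IIS Manager dialog above, but from the command line with appcmd, and refuses a range narrower than the 50 ports the warning requires. The range 50000-50099 is a placeholder chosen for the example; the appcmd path and the ftpsvc service name are those of the IIS FTP Server role.

```powershell
# Added example, not Coriant's code. Run from an elevated PowerShell prompt on the TNMS NCT
# Server with the FTP Server role installed.

$AppCmd = "$env:windir\system32\inetsrv\appcmd.exe"
$Low    = 50000   # assumption / placeholder
$High   = 50099   # assumption / placeholder (100 ports)

function Test-DataChannelRange {
    # At least 50 ports (manual), outside the well-known ports, inside the valid port space.
    param([int]$Low, [int]$High)
    return (($Low -ge 1024) -and ($High -le 65535) -and (($High - $Low + 1) -ge 50))
}

function Set-FtpDataChannelRange {
    param([int]$Low, [int]$High)
    if (-not (Test-DataChannelRange -Low $Low -High $High)) {
        throw "Range $Low-$High rejected: it must contain 50 or more ports and lie within 1024-65535."
    }
    # system.ftpServer/firewallSupport is the server-level section behind "FTP Firewall Support".
    & $AppCmd set config /section:system.ftpServer/firewallSupport `
        /lowDataChannelPort:$Low /highDataChannelPort:$High /commit:apphost
    Restart-Service -Name ftpsvc        # Microsoft FTP Service picks the new range up on restart
}

Set-FtpDataChannelRange -Low $Low -High $High
& $AppCmd list config /section:system.ftpServer/firewallSupport     # read the setting back
```

If the Windows Firewall is used on the server, the same range has to be allowed inbound for the FTP service, otherwise passive data connections from legacy NEs fail after the change.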

4.1.3 Networking and firewall configuration

You should configure the network in a way that makes the TNMS NCT machines
accessible only from machines with which TNMS NCT needs to communicate. This can be
done by network segmentation and by firewall deployment. The hardening description
below is general, as the measures depend heavily on the network infrastructure and
topology.
You should consider disabling any default gateways and using static routes between the
TNMS NCT machines and other machines with which TNMS NCT needs to communicate.
Access to the general internet should also be disabled.
It is recommended that you install a network firewall. However, you can also use local
firewalls, such as Windows Firewall (see How to configure the Windows firewall).

Warning: Coriant does not recommend the deployment of a firewall between the mediation
(TNMS NCT Server machine) and the NE network. This scenario is not tested and
therefore is not officially supported. In case the customer needs to deploy one due to
topology/security reasons, the ports listed for Mediation <> NE communication in this
manual can be used as a starting point to configure the firewall. Refer to the specific NE's
documentation to gather the required information to configure your firewall.

4.1.3.1 List of ports to open in the firewall

Below are the lists of ports to be opened in the firewall, together with their description:
• Firewall rules between TNMS NCT Server and TNMS NCT Client machines
• Firewall rules between TNMS NCT Server machine and NEs
• Firewall rules for base services
• Firewall rules for Remote Access


Firewall rules between TNMS NCT Server and TNMS NCT Client machines

Columns: Source | Destination | Destination port | Protocol | Application | Encrypted | Description | Optional / Mandatory

TNMS NCT Client | TNMS NCT Server | 4447 | TCP | JBOSS | No | JBOSS synchronous messaging | Mandatory
TNMS NCT Client | TNMS NCT Server | 5445 | TCP | JBOSS | No | JBOSS asynchronous messaging | Mandatory
TNMS NCT Client | TNMS NCT Server | 8080 | TCP | WebDAV | No | File transfer from TNMS NCT Client to TNMS NCT Server. Used, for example, to store new NE software loads on the TNMS NCT Server for centrally coordinated network upgrades. | Mandatory
TNMS NCT Client (Embedded EM) | SFTP Server (TNMS NCT Server / GM Mediation / MVM Mediation) | 22 | TCP | SFTP | Yes | TNMS NCT Client can open the craft terminal as it is embedded in the TNMS NCT Client itself. To be able to communicate with the central SFTP server running on the TNMS NCT Server machine, a tunnel is created. The location of the SFTP Server depends on the NE and deployment types. | Optional. Only used for NEs which use SFTP in the LCT (GM mediation: hiT7300 / hiT7100; MVM mediation: 7100 Nano, mTera)

Table 8 Firewall rules between TNMS NCT Server and TNMS NCT Client machines
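The following PowerShell script is an added example and not part of this manual or of the TNMS NCT software. It turns the rows of Table 8 into inbound Windows Firewall rules on the TNMS NCT Server with netsh advfirewall (available on Windows 7 and Windows Server 2008/2012), restricting each rule to the address range of the TNMS NCT Client machines so that the unencrypted JBOSS and WebDAV ports are not reachable from the rest of the network. The client subnet 192.0.2.0/24 is a placeholder chosen for the example; the rule names are assumptions; the ports, protocols and the optional status of the SFTP row come from Table 8.

```powershell
# Added example, not Coriant's code. Run from an elevated PowerShell prompt on the TNMS NCT Server.

$ClientSubnet = '192.0.2.0/24'   # placeholder: replace with the real TNMS NCT Client address range

# Table 8 rows, TNMS NCT Client -> TNMS NCT Server. The SFTP row is optional: only when the
# SFTP server used by embedded EM craft terminals runs on the TNMS NCT Server machine itself.
$Table8 = @(
    @{ Name = 'TNMS NCT JBOSS synchronous messaging';  Port = 4447; Protocol = 'TCP'; Mandatory = $true  },
    @{ Name = 'TNMS NCT JBOSS asynchronous messaging'; Port = 5445; Protocol = 'TCP'; Mandatory = $true  },
    @{ Name = 'TNMS NCT WebDAV file transfer';         Port = 8080; Protocol = 'TCP'; Mandatory = $true  },
    @{ Name = 'TNMS NCT embedded EM SFTP tunnel';      Port = 22;   Protocol = 'TCP'; Mandatory = $false }
)

function Test-FirewallRule {
    param([string]$Name)
    # "show rule" prints "No rules match the specified criteria." when the rule does not exist.
    $out = netsh advfirewall firewall show rule name="$Name"
    return (($out | Out-String) -match 'Rule Name:')
}

function Add-TnmsClientRule {
    param([hashtable]$Row, [string]$RemoteIp, [switch]$IncludeOptional)
    if (-not $Row.Mandatory -and -not $IncludeOptional) { return "skipped (optional): $($Row.Name)" }
    if (Test-FirewallRule -Name $Row.Name) { return "exists: $($Row.Name)" }
    # One inbound allow rule per row; remoteip limits it to the client subnet.
    netsh advfirewall firewall add rule name="$($Row.Name)" dir=in action=allow `
        protocol=$($Row.Protocol) localport=$($Row.Port) remoteip=$RemoteIp profile=any | Out-Null
    if (Test-FirewallRule -Name $Row.Name) {
        return "added: $($Row.Name) $($Row.Protocol)/$($Row.Port) from $RemoteIp"
    }
    return "FAILED: $($Row.Name)"
}

foreach ($row in $Table8) { Add-TnmsClientRule -Row $row -RemoteIp $ClientSubnet }
# Add-TnmsClientRule -Row $Table8[3] -RemoteIp $ClientSubnet -IncludeOptional   # SFTP row, if needed

# Show what is now open inbound, one block per rule.
netsh advfirewall firewall show rule name=all dir=in | Select-String 'Rule Name:|LocalPort|RemoteIP'
```

Because the script only adds rules, the firewall's default inbound policy (block) is what keeps every other port closed; check with the final listing that no older, broader rule for the same ports is still present.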


Firewall rules between TNMS NCT Server machine and NEs

Columns: Source | Destination | Destination port | Protocol | Application | Encrypted | Description | Optional / Mandatory

GM Mediation | NE/GNE | 161 | TCP | SNMPv3 over TCP (RFC3420) | Yes (SNMPv3) | Direct connection of the mediation to the GNE | Mandatory for hiT7300 / hiT7300X
GM Mediation | NE/GNE | 10000-13999 | TCP | | | TNMS NCT Client can open the craft terminal as it is embedded in the TNMS NCT Client. To be able to communicate with the NEs, a tunnel is created. This allows access to the GNE and non-GNEs. | Mandatory for hiT7300 / hiT7300X
MVM Mediation | NE | 22 | TCP | NetConf | Yes | NETCONF management interface for Juniper NEs. | Mandatory for Juniper NEs.
MVM Mediation | NE | 161 (default) | UDP | SNMPv3 | Yes | Management interface with 7090-15 CE NEs | Mandatory for 7090 CE NEs.
MVM Mediation | NE | 161 (default) | UDP | SNMP Traps (SNMPv3) | Yes | SNMPv3 management interface for Packet Subsystem | Mandatory for 7100 Nano / mTera / Pico.
MVM Mediation | NE | 3333 (default) | TCP | RMT | No | Management interface with 7090 M NEs. | Mandatory for 7090 M NEs.
MVM Mediation | NE | 3082 | TCP | TL1 | Yes (if IPSEC used) | TL1 management interface | Mandatory for 7100 Nano / mTera / Pico.
SNMP Mediation (Legacy) | NE | 161 | UDP | SNMP (SNMPv3) | Yes | Management interface for hiT 70xx and FSP3000 NEs. | Mandatory for hiT70xx and FSP3000 NEs.
MVM Mediation / 7100 CM Server | NE | 500 | UDP | IKE | Yes | Internet Key Exchange for IP Sec | Optional. Only if IP Sec is used for 7100 Nano.

Table 9 Firewall rules between TNMS NCT Server machine and NEs (firewall not recommended)

54 A50023-K4045-X030-01-7672
Issue: 1 Issue date: November 2015
Administration Manual (ADMN) Advanced Administration

Host address Service Optional / Man-


datory
Source Destina- Destina- Protocol Applica- Encrypted Description
tion tion Port tion
NE/GNE SFTP 22 TCP SFTP Yes (SSL) File transfers from Mandatory for
Server the GNE to the hiT7300 /
(GM SFTP server hiT7300X
Media- running locally on
tion) the TNMS NCT
machine.
MVM 32666 UDP SNMPv3 Yes Trap notifications Mandatory for
Mediation from Juniper NEs. Juniper NEs.
TNMS 990-993 TCP FTPS Yes FTP over SSL for Optional for hiT
NCT LCT Communication 7300 / hiT
Client The number of ports 7300X
(LCT) within this range that Only required
are in use at a given for FTPS file
time is the same as operations
LCTs communicat- between LCT
ing with the NE up and NE and not
until a maximum of 4 recom-
ports. Additional mended. To
ports may be avoid direct
opened if more connectivity
simultaneous LCTs configure the
are required. TNMS NCT
SFTP settings
for tunneling
communica-
tions between
LCT and NEs.
49152 - TCP FTPS Yes FTP over SSL for Optional for hiT
65535 LCT Communica- 7300 / hiT
tion. 7300X
NE MVM 500 UDP IKE Yes Internet Key Optional
Media- Exchange for IP Sec Only if IP Sec is
tion / used for 7100
7100 CM Nano.
Server

Table 9 Firewall rules between TNMS NCT Server machine and NEs (firewall not recommended) (Cont.)

A50023-K4045-X030-01-7672 55
Issue: 1 Issue date: November 2015
Advanced Administration Administration Manual (ADMN)

Host address Service Optional / Man-


datory
Source Destina- Destina- Protocol Applica- Encrypted Description
tion tion Port tion
NE MVM 3380 UDP SNMP Yes SNMP Traps for Mandatory for
Mediation Traps (SNMPv3) Packet subsystem, 7100 Nano FP9
with Nano FP9 and and FP10.
Nano FP10 NEs.
3381 UDP SNMP Yes SNMP Traps for Mandatory for
Traps (SNMPv3) Packet subsystem, mTera NEs.
with mTera NEs.
3382 UDP SNMP Yes SNMP Traps for Mandatory for
Traps (SNMPv3) Packet subsystem, 7100 Nano FP8
with Nano FP8 NEs.
7487 UDP SNMP Yes Trap notifications Mandatory for
Traps from 7090-15 CE 7090 CE NEs.
NEs
SNMP 8002 TCP SNMP No SNMP trap listener Mandatory for
Mediation traps port for 70xx NEs hiT70xx NEs
(Legacy) 162 UDP SNMP Yes SNMP trap listener Mandatory for
traps (SNMPv3) port for 70xx NEs FSP3000 NEs
22 TCP SCP Yes File Transfer Mandatory for
FSP3000 NEs
21 TCP FTP No File Transfer Optional for
Protocol hiT70xx NEs
49152- TCP FTP No File Transfer Optional for
65535 Protocol hiT70xx NEs
See Limiting the
dynamic range used
by the FTP server.

Table 9 Firewall rules between TNMS NCT Server machine and NEs (firewall not recommended) (Cont.)

Limiting the dynamic range used by the FTP server

1. Go to IIS connection manager > Connections column (Server) > FTP Firewall Support > Set Data Channel Port Range and insert the desired range.
2. Restart IIS.
3. Insert the same range in the firewall.


Firewall rules for base services

Source | Destination | Destination port | Protocol | Application | Encrypted | Description | Optional / Mandatory
TNMS NCT | NTP server | 123 | TCP / UDP | NTP | No | NTP. Use TCP or UDP depending on the configuration of the NTP server. | Mandatory
TNMS NCT | Syslog server | 514 (configurable) | TCP / UDP | Syslog | Yes | TNMS can send log messages to an external syslog server. | Optional. Only if TNMS is configured to send log messages from TNMS and NEs to an external log server. Only for Windows Server 2008 / 2012.
TNMS NCT | DNS server | 53 | TCP | DNS | No | DNS | Optional. Only if a DNS service is used.
TNMS NCT | External FTP server | 21 | TCP | FTP | No | External server to store logs | Optional. Only required if logs are to be transferred to an external log file server.
TNMS NCT | External SFTP server | 22 | TCP | SFTP | Yes | External server to store logs | Optional. Only required if logs are to be transferred to an external log file server.
TNMS NCT | Domain controller | 88 | UDP | Kerberos | No | Communication with domain controller for Single Sign-on (SSO). | Optional. Only required if SSO is used.
TNMS NCT | Domain controller | 135 | TCP / UDP | DCE / RPC | No | Communication with domain controller for Single Sign-on (SSO). | Optional. Only required if SSO is used.
TNMS NCT | Domain controller | 389 | | LDAP | No | Communication with domain controller for Single Sign-on (SSO). | Optional. Only required if SSO is used.
TNMS NCT | Domain controller | 445 | | AD / SMB | No | Communication with domain controller for Single Sign-on (SSO). | Optional. Only required if SSO is used.
TNMS NCT | Domain controller | 464 | | Kerberos | No | Communication with domain controller for Single Sign-on (SSO). | Optional. Only required if SSO is used.

Table 10 Firewall rules between TNMS NCT Server machine for base services


Firewall rules for Remote Access

Source | Destination | Destination port | Protocol | Application | Encrypted | Description | Optional / Mandatory
TNMS NCT Administrator machines | TNMS NCT Server (Windows Remote Access) | 3389 | TCP | RDP | Yes (when TNMS NCT hardening is followed) | Windows Remote Desktop for remote administration. | Optional. Only if TNMS machines need to be administered remotely

Table 11 Firewall rules for Remote Access

How to configure the Windows firewall

To configure the Windows 7 / Windows Server 2008 firewall proceed as follows:
1. Go to Start > Control Panel > Windows Firewall.
2. Click on Advanced settings.
3. In the left pane click on Inbound Rules or Outbound Rules, depending on the direction of the connection you are configuring.
4. In the right pane, click on New Rule to open a port for the traffic of a service.
   The New In/Outbound Rule Wizard starts.
5. In the Rule Type step select Port.
   Click Next.
6. In the Protocols and Ports step:
   • select TCP.
   • select Specific local ports and enter the port number to which the rule applies.
   Click Next.
7. In the Action step check Allow the connection.
   Click Next.
8. In the Profile step check Domain (uncheck all others).
   Click Next.
9. In the Name step type a name for the rule.
   Click Finish to create the rule and close the wizard.
10. Repeat the procedure for each of the remaining ports.

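The wizard above, scripted as an added example that is not code from the Coriant manual: it creates the TNMS NCT Server inbound rules of Table 8 with the settings the wizard uses (port rule, allow, Domain profile only) and then re-checks them. It assumes Windows Server 2012 / Windows 8 or later (the NetSecurity cmdlets do not exist on Windows 7 / Server 2008, where the wizard is used), an elevated session, and rule names of this example's own choosing.

```powershell
# Added example, not code from the Coriant manual: creates the TNMS NCT Server inbound
# rules of Table 8 with the wizard's settings (Rule Type = Port, Action = Allow,
# Profile = Domain only) and re-checks them afterwards.
# Assumes Windows Server 2012 / Windows 8 or later (NetSecurity module) and an elevated session.

# Rule list transcribed from Table 8 (TNMS NCT Client -> TNMS NCT Server). Rule names are
# this example's own. UDP entries from Tables 9 and 10 (SNMP traps, IKE 500, syslog)
# would use Protocol = 'UDP'.
$TnmsServerRules = @(
    @{ Name = 'TNMS NCT JBoss synchronous messaging (4447)';  Port = 4447; Protocol = 'TCP' }
    @{ Name = 'TNMS NCT JBoss asynchronous messaging (5445)'; Port = 5445; Protocol = 'TCP' }
    @{ Name = 'TNMS NCT WebDAV file transfer (8080)';         Port = 8080; Protocol = 'TCP' }
    # Optional: only for NEs that use SFTP in the LCT (see Table 8).
    @{ Name = 'TNMS NCT SFTP tunnel (22)';                    Port = 22;   Protocol = 'TCP' }
)

function Add-TnmsInboundRule {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][int]$Port,
        [ValidateSet('TCP', 'UDP')][string]$Protocol = 'TCP'
    )
    # Re-runnable: the wizard would create a second rule with the same name.
    $existing = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Verbose "Rule '$Name' already exists, leaving it unchanged"
        return $existing
    }
    if ($PSCmdlet.ShouldProcess($Name, "Create inbound $Protocol/$Port rule (Domain profile)")) {
        # Wizard mapping: Rule Type = Port; Protocols and Ports = $Protocol, Specific local
        # ports = $Port; Action = Allow the connection; Profile = Domain; Name = $Name.
        New-NetFirewallRule -DisplayName $Name -Direction Inbound -Protocol $Protocol `
            -LocalPort $Port -Action Allow -Profile Domain -Enabled True
    }
}

function Test-TnmsFirewallRules {
    # Reports table rules that are missing, disabled, wider than the Domain profile,
    # or bound to a different port/protocol than the table says.
    param([Parameter(Mandatory = $true)][hashtable[]]$Rules)
    foreach ($r in $Rules) {
        $rule = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
        if (-not $rule) { "$($r.Name): MISSING"; continue }
        if ("$($rule.Enabled)" -ne 'True') { "$($r.Name): disabled" }
        if ("$($rule.Profile)" -ne 'Domain') { "$($r.Name): profile is '$($rule.Profile)', expected Domain" }
        $pf = $rule | Get-NetFirewallPortFilter
        if ("$($pf.Protocol)" -ne $r.Protocol -or "$($pf.LocalPort)" -ne "$($r.Port)") {
            "$($r.Name): port filter is $($pf.Protocol)/$($pf.LocalPort), expected $($r.Protocol)/$($r.Port)"
        }
    }
}

foreach ($r in $TnmsServerRules) {
    $null = Add-TnmsInboundRule -Name $r.Name -Port $r.Port -Protocol $r.Protocol -Verbose
}
Test-TnmsFirewallRules -Rules $TnmsServerRules
```

Run with `-WhatIf` on Add-TnmsInboundRule to preview the rules first; Test-TnmsFirewallRules prints nothing when every table rule is present and restricted to the Domain profile.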

4.1.4 OEM Hardening

In this section you can find instructions on how OEM and 3rd party software that works with TNMS can be hardened to decrease the attack surface of TNMS.

CopSSH (SFTP)

If you wish to further restrict the CopSSH user's privileges by making the user "chroot'ed" to the installation directory, do as follows:
1. Go to <CopSSH installation path>\etc\ and edit the sshd_config file.
2. Edit the line (example assuming the default installation path, that is, c:\program files (x86)\icw) from
   (...)
   Match User copsshuser
   ChrootDirectory "/cygdrive/c/program files (x86)/icw"
   PasswordAuthentication yes
   (...)
3. Save the file.
4. Go to (Windows) Control panel > Administrative tools > Services, select "Openssh SSHD" and restart the service.

Note: if you run the CopSSH Control Panel after the procedure above, all the changes to the sshd_config file will be reset. In order to keep your changes, for further CopSSH restarts use the "Openssh" service through the Windows services.

Internet Explorer

Internet Explorer should not be used for browsing the public internet, as this increases the risk of compromising the system. Access to the public internet should be disabled.

4.1.5 TNMS Maintenance Packages and Workaround Updates


Coriant recommends that you install, when available, the TNMS Maintenance Packages
and Workaround Updates, since they may contain relevant security improvements.


4.1.6 User Management

Component | Username / Password | Location | Explanation / Goal | Hardening
TNMS NCT Server (JBOSS Management) | User: admin. Password (default): 123QWEasd | <installation path>\server\bicnet\configuration\mgmt-users.properties | Access management console with Administrator role for the JBoss instance. Only required for JBoss administration / configuration. | N/A: JBOSS console only available locally.
Generic Mediator (JBOSS Management) | User: admin. Password (default): 123QWEasd | <installation path>\mediation\gm\configuration\mgmt-users.properties | Access management console with Administrator role for the JBoss instance. Only required for JBoss administration / configuration. | N/A: JBOSS console only available locally.
Multi Vendor Mediator (JBOSS Management) | User: admin. Password (default): 123QWEasd | <installation path>\mediation\mvm\configuration\mgmt-users.properties | Access management console with Administrator role for the JBoss instance. Only required for JBoss administration / configuration. | N/A: JBOSS console only available locally.
Generic Mediator | User: RemoteLoginFunction. Password: <no password> | Hardcoded. Authentication from TNMS (GM) to the NE is possible when checking the option in the NE Properties window: "Use RADIUS server for authentication". Then the option "Use TNMS username for LCT login (Radius required at NE)" in the GCT User tab is checked automatically. | The Generic Mediator uses this user only in the first message of the authentication process between the Generic Mediator and the RADIUS server. | N/A because this user is only needed to fulfill RADIUS protocol requirements. This user cannot be used for login purposes.
LCT | User: <Username_RU> (concatenation of the username from tab SNMP Settings in the NE Properties window and the string "_RU"). Password: <Password from tab SNMP Settings in the NE Properties window> | Hardcoded. Authentication sent from GM to EM/NE to open the LCT window is possible when the option "Use TNMS username for LCT login (Radius required at NE)" in the GCT User tab is checked. | The EM/NE uses this authentication to allow the opening of the LCT window corresponding to that NE. | N/A because it is not possible to change this password (solution underway).

Table 12 Default TNMS user accounts and security hardenings.

Restricting the specified files' permissions

To restrict the specified files' permissions:
1. Navigate to the file using Windows Explorer.
2. Right-click the file and select Properties.
3. In the Security tab click on Advanced.
4. In the Advanced Security Settings window, Permissions tab, click on Change Permissions.
5. Select all users except SYSTEM and the Administrators group and click on Remove.
   Only the user SYSTEM and the Administrators group should remain, both with full access.
6. Click OK to accept the changes and close the window.

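The same procedure as an added PowerShell example (not part of the manual), applied to the three mgmt-users.properties files of Table 12 and followed by a check for leftover entries. It assumes an elevated session and uses C:\TNMS_NCT as a placeholder for <installation path>.

```powershell
# Added example, not code from the Coriant manual: the file-permission procedure above,
# done with Get-Acl/Set-Acl so it can be applied to every listed file and re-checked.
# Assumes an elevated session; $InstallPath is a placeholder for <installation path>.

$InstallPath = 'C:\TNMS_NCT'   # placeholder for <installation path>
$RestrictedFiles = @(
    (Join-Path $InstallPath 'server\bicnet\configuration\mgmt-users.properties'),
    (Join-Path $InstallPath 'mediation\gm\configuration\mgmt-users.properties'),
    (Join-Path $InstallPath 'mediation\mvm\configuration\mgmt-users.properties')
)

# Well-known SIDs, so the script does not depend on the display language of the OS.
$AllowedPrincipals = @(
    (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'),      # NT AUTHORITY\SYSTEM
    (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544')   # BUILTIN\Administrators
)

function Get-UnexpectedAccess {
    # Returns every ACE on the file whose principal is neither SYSTEM nor Administrators.
    param([Parameter(Mandatory = $true)][string]$Path)
    $allowedSids = $AllowedPrincipals | ForEach-Object { $_.Value }
    (Get-Acl -Path $Path).Access | Where-Object {
        $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $allowedSids -notcontains $sid
    }
}

function Protect-FileAccess {
    param([Parameter(Mandatory = $true)][string]$Path)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the folder and drop the inherited entries; this is what
    # "Change Permissions" followed by "Remove" achieves for the inherited users.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove every explicit entry as well.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($rule)
    }
    # Only SYSTEM and Administrators remain, both with full access.
    foreach ($sid in $AllowedPrincipals) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $sid, 'FullControl', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($file in $RestrictedFiles) {
    if (-not (Test-Path -LiteralPath $file)) { Write-Warning "not found: $file"; continue }
    Protect-FileAccess -Path $file
    $leftover = @(Get-UnexpectedAccess -Path $file)
    if ($leftover.Count) {
        Write-Warning "$file still grants access to: $($leftover.IdentityReference -join ', ')"
    } else {
        "$file : only SYSTEM and Administrators have access"
    }
}
```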

4.2 IPSec policy configuration


This optional procedure describes how to configure the IPSec policy to establish a
secure connection for 7100 Nano.

4.2.1 IPSec policy configuration for Windows

This optional procedure describes how to configure the IPSec policy to establish a secure connection for 7100 Nano.
The following description is valid for Windows 7, Windows Server 2008 and 2012.
Use either the machine where TNMS (with MVM) or Node Manager (with 7100 CM) is installed.
1. Open the Control Panel > Administrative Tools > Local Security Policy window. Browse to IP Security Policies on Local Computer and right-click to Create IP Security Policy.
   The IP Security Policy Wizard opens.
2. In the Welcome to the IP Security Policy Wizard click Next.
3. In the IP Security Policy Name window, enter the name for the policy. Optionally you can enter a description.
   Click Next.
4. Click Next in the Requests for Secure Communication window.
5. In the Completing the IP Security Policy Wizard, check the Edit properties check box and click Finish.
   The Policy Properties window opens.
6. In the Rules tab, click Add to add a new security rule.
   The New Rule Properties opens.
   a. In the Tunnel Setting tab select This rule does not specify an IPsec tunnel.
   b. In the Connection Type tab, select All network connections.
   c. In the IP Filter List tab click Add to add a new IP filter.
      The IP Filter List window opens.
      • Enter the name of the IP filter and click Add.
        The IP Filter Properties opens.
      • In the Addresses tab select as Source Address: A specific IP Address or Subnet. In IP Address or Subnet, enter the DCN IP address of the GNE or the subnet which includes the primary and the secondary GNE.
        In the Destination address select: A specific IP Address or Subnet. In IP Address or Subnet, enter the DCN IP address of the MVM.
        In the Protocol tab, select Any.
        Click OK.
   d. In the Authentication Methods tab click Add.
      The New Authentication Method Properties window opens.
      • Select Use this string (preshared key). The preshared key should be 64 or 128 characters long.
        Click OK.
   e. In the Filter Action tab click Add.
      The New Filter Action Properties opens.
      • In the Security Methods tab select Negotiate security, select Use session key perfect forward secrecy (PFS) and click Add.
      • In the New Security Method window select Integrity and Encryption and click OK.
      • Click Apply and then OK.
   f. Select both filters you created in the Filter Action tab and in the IP Filter List tab.
      Click Apply and then OK.
7. In the Policy Properties window click OK.
8. In the Local Security Policy window, right-click the policy you created and select Assign to activate the policy.
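The policy above as an added example (not from the manual) built with netsh ipsec static, which is available on Windows 7, Server 2008 and Server 2012 and can be repeated on each mediation host. Assumptions: an elevated session, placeholder addresses and policy names, ESP with 3DES/SHA1 standing in for "Integrity and Encryption" (the manual names no algorithms), and the parameter spelling of the netsh ipsec static command reference.

```powershell
# Added example, not code from the Coriant manual: the IP Security Policy wizard steps
# as a "netsh ipsec static" script. Assumes an elevated session on Windows 7 /
# Server 2008 / Server 2012; addresses and names below are placeholders. ESP[3DES,SHA1]
# is an assumption for "Integrity and Encryption"; the netsh parameter names are taken
# from the netsh ipsec static reference and should be checked against "netsh ipsec static add ?".

$GneAddress = '192.0.2.10'            # placeholder: DCN IP address of the GNE
$MvmAddress = '192.0.2.100'           # placeholder: DCN IP address of the MVM
$PolicyName = 'TNMS-7100Nano-IPSec'   # no spaces, so the names reach netsh unquoted

function Invoke-Netsh {
    # Runs one netsh command and stops at the first failure instead of leaving a half-built policy.
    param([Parameter(Mandatory = $true)][string[]]$Arguments)
    $output = & netsh.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($Arguments -join ' ') failed: $output" }
    $output
}

function Test-PresharedKeyLength {
    # The manual requires a preshared key of 64 or 128 characters.
    param([Parameter(Mandatory = $true)][string]$Key)
    return ($Key.Length -eq 64 -or $Key.Length -eq 128)
}

function Add-TnmsIpsecPolicy {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$Gne,
        [Parameter(Mandatory = $true)][string]$Mvm,
        [Parameter(Mandatory = $true)][string]$PresharedKey
    )
    if (-not (Test-PresharedKeyLength $PresharedKey)) {
        throw 'Preshared key must be 64 or 128 characters long (and identical to the PSK on the NE)'
    }
    # Steps 1-5: the policy itself, created unassigned and assigned only once complete.
    Invoke-Netsh 'ipsec', 'static', 'add', 'policy', "name=$Name", 'assign=no'
    # Step 6c: IP filter list GNE <-> MVM, any protocol, mirrored (both directions).
    Invoke-Netsh 'ipsec', 'static', 'add', 'filterlist', "name=${Name}-Filters"
    Invoke-Netsh 'ipsec', 'static', 'add', 'filter', "filterlist=${Name}-Filters", `
        "srcaddr=$Gne", "dstaddr=$Mvm", 'protocol=ANY', 'mirrored=yes'
    # Step 6e: filter action = Negotiate security with session key PFS, integrity and
    # encryption (ESP[3DES,SHA1] assumed), no fall-back to unsecured communication.
    Invoke-Netsh 'ipsec', 'static', 'add', 'filteraction', "name=${Name}-Protect", `
        'action=negotiate', 'qmpfs=yes', 'inpass=no', 'soft=no', 'qmsecmethods=ESP[3DES,SHA1]'
    # Steps 6a/6b/6d/6f: rule without tunnel, all connection types, preshared key
    # authentication, bound to the filter list and filter action created above.
    Invoke-Netsh 'ipsec', 'static', 'add', 'rule', "name=${Name}-Rule", "policy=$Name", `
        "filterlist=${Name}-Filters", "filteraction=${Name}-Protect", 'conntype=all', "psk=$PresharedKey"
    # Step 8: assign (activate) the policy.
    Invoke-Netsh 'ipsec', 'static', 'set', 'policy', "name=$Name", 'assign=y'
}

$psk = Read-Host -Prompt 'Preshared key (64 or 128 characters)'
Add-TnmsIpsecPolicy -Name $PolicyName -Gne $GneAddress -Mvm $MvmAddress -PresharedKey $psk
# Review the result. Connectivity to the NE is lost until the NE side (section 4.3) matches.
Invoke-Netsh 'ipsec', 'static', 'show', 'policy', "name=$PolicyName", 'level=verbose'
```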

4.3 7100 IP Sec NE Configuration

NE IP Sec provisioning may be done through the Craft Station. The following procedure describes the high-level steps required to provision IP Sec in a 7100 Nano:
1. In the IPsec Management option create a Pre Shared Key with the following settings:
   • ID: select an available id.
   • Name: enter a name for the key.
   • PSK: the shared key, 64 or 128 characters long.
2. Create a new security policy database with the following settings:

   Note: the following settings must match the settings introduced in TNMS.

   • ID: select an available id.
   • Name: enter a name for the policy.
   • Mode: Transport
   • Action: Protect
   • Transport Protocol: ALL
   • Local IP/Port: IP address of the management interface.
   • Remote IP Address: IP address of the mediation server.
   • Ike info: v1
   • Ike type: PSK-1 (select the PSK id of the previously created PSK)
   • Cipher Suite: select a cipher suite.

   Note: NULL ciphers provide authentication but not encryption.

3. Enable IPSec in the NE.

Once IPsec is enabled you will lose connectivity to the NE until the remote end is properly configured. In case of a configuration mismatch that needs to be rolled back, you will have to connect to the local craft station physical interface of the NE. This interface always has IP SEC disabled.

4.4 Monitoring system resources

TNMS allows you to monitor system resources by editing the .xml file <Product Install Directory>\SCS\etc\config.xml under the section scs\nativeServer\resourceSet.

Monitoring a set of processes:

<resource type="Process" enabled="true">
  <name>Oracle</name>
  <params type="Oracle">
    <instance>TNMS</instance>
  </params>
  <user>oracle</user>
  <frequency>23</frequency>
  <!-- every process in the set belongs to this one resource -->
  <procSet>
    <procName>oracle.exe</procName>
    <procName>TNSLSNR.EXE</procName>
  </procSet>
</resource>

Monitoring a specific process:

<resource type="Process" enabled="true">
  <name>TrapHandler</name>
  <!-- <instance> is a child of <params>, and <params> is closed after it -->
  <params type="TrapHandler">
    <instance></instance>
  </params>
  <user></user>
  <frequency>25</frequency>
  <procSet>
    <procName>traphandler.exe</procName>
  </procSet>
</resource>

Monitoring a specific file system:

<resource type="FileSystem" enabled="true">
  <name>Oracle software</name>
  <location>/opt/oracle</location>
  <threshold>90</threshold>
  <frequency>301</frequency>
</resource>
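A pre-restart check for edited resourceSet entries, as an added example that is not part of the manual or of TNMS. It assumes the element layout shown above; the document it parses is constructed inline and contains one deliberate error (a file-system threshold above 100 %) so the check has something to report, and the config.xml path for real use is a placeholder.

```powershell
# Added example, not code from the Coriant manual or TNMS: checks the <resourceSet>
# entries of config.xml before the native server is restarted with an edited file.
# Assumes the element layout shown in the manual. The sample document below is
# constructed for this example and deliberately contains a threshold of 190.

$SampleConfig = @'
<scs>
  <nativeServer>
    <resourceSet>
      <resource type="Process" enabled="true">
        <name>Oracle</name>
        <params type="Oracle"><instance>TNMS</instance></params>
        <user>oracle</user>
        <frequency>23</frequency>
        <procSet>
          <procName>oracle.exe</procName>
          <procName>TNSLSNR.EXE</procName>
        </procSet>
      </resource>
      <resource type="FileSystem" enabled="true">
        <name>Oracle software</name>
        <location>/opt/oracle</location>
        <threshold>190</threshold>
        <frequency>301</frequency>
      </resource>
    </resourceSet>
  </nativeServer>
</scs>
'@

function Get-ChildText {
    # Text of a child element, or $null when it is absent (XPath relative to $Node).
    param([System.Xml.XmlNode]$Node, [string]$XPath)
    $child = $Node.SelectSingleNode($XPath)
    if ($child) { $child.InnerText.Trim() } else { $null }
}

function Test-PositiveInteger {
    param([string]$Value)
    return ($Value -match '^\d+$' -and [int]$Value -gt 0)
}

function Test-ResourceSet {
    # Returns one message per problem found; an empty result means the set looks usable.
    param([Parameter(Mandatory = $true)][xml]$Config)
    $findings = @()
    $resources = $Config.SelectNodes('/scs/nativeServer/resourceSet/resource')
    if ($resources.Count -eq 0) { return ,@('no <resource> entries under scs/nativeServer/resourceSet') }
    foreach ($res in $resources) {
        $name = Get-ChildText $res 'name'
        if (-not $name) { $findings += 'resource without a <name>'; continue }
        if ($res.GetAttribute('enabled') -notmatch '^(true|false)$') {
            $findings += "$name : enabled must be true or false"
        }
        $freq = Get-ChildText $res 'frequency'
        if (-not (Test-PositiveInteger $freq)) { $findings += "$name : frequency '$freq' is not a positive integer" }
        switch ($res.GetAttribute('type')) {
            'Process' {
                # A self-closed <params/> followed by a stray </params> does not even parse;
                # that case is caught by the [xml] cast. Here only the content is checked.
                if (-not $res.SelectSingleNode('params')) { $findings += "$name : missing <params>" }
                $procs = @($res.SelectNodes('procSet/procName') | ForEach-Object { $_.InnerText.Trim() } | Where-Object { $_ })
                if ($procs.Count -eq 0) { $findings += "$name : Process resource has no <procName>" }
            }
            'FileSystem' {
                if (-not (Get-ChildText $res 'location')) { $findings += "$name : FileSystem resource has no <location>" }
                $t = Get-ChildText $res 'threshold'
                if (-not (Test-PositiveInteger $t) -or [int]$t -gt 100) {
                    $findings += "$name : threshold '$t' must be a percentage between 1 and 100"
                }
            }
            default { $findings += "$name : unknown resource type '$($res.GetAttribute('type'))'" }
        }
    }
    return $findings
}

# For the real file: Test-ResourceSet -Config ([xml](Get-Content -Raw '<Product Install Directory>\SCS\etc\config.xml'))
$findings = Test-ResourceSet -Config ([xml]$SampleConfig)
if ($findings.Count -eq 0) { 'resourceSet OK' } else { $findings }   # reports the threshold of 190
```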

4.5 Oracle

Oracle has policies for controlling the information-retention period of its trace files. In some runtime scenarios Oracle can write information at such a rate that its file system runs out of capacity, at which point those policies become inadequate.
When this happens, an alarm is generated. You must respond by cleaning up the trace files as a user with Database Administrator (DBA) rights.
Proceed as follows:
• Issue:
  adrci
• Issue:
  adrci> purge -age 8640 -type TRACE
  adrci> quit

Note: the numeric argument to purge (-age) is a time in minutes.

For your convenience:
4 hours = 240; 6 hours = 360; 8 hours = 480; 12 hours = 720;
1 day = 1440; 3 days = 4320; 5 days = 7200;
6 days = 8640; 7 days = 10080; 14 days = 20160; 30 days = 43200.


Abbreviations
These abbreviations are intended for the entire TNMS product range and may not apply
to this document in particular.

ACS Actual Creation State

ALS Automatic Laser Shutdown

ASON Automatic Switched Optical Network

ASAP Alarm Severity Assignment Profile

BFD Bidirectional Forward Direction

BSHR Bidirectional Self Healing Ring

CAM Common Array Manager

CBS Committed Burst Size

CC Cross Connection

CDM Cross-domain Manager

CIR Committed Information Rate

CFM Connectivity Fault Management

CLI Console Interactive

CLFI Common Language Facility Identification

CORBA Common Object Request Broker Architecture

CPU Central Processing Unit

CSPF Constrained Shortest Path First

CST Central Standard Time

CSV Comma-Separated Values

DA (Oracle’s Sun Storage) Disk Array

DB Database

DCN Data Communications Network

DHCP Dynamic Host Configuration Protocol

DNS Domain Naming Service

DSR Dynamic Source Routing

DWDM Dense Wavelength Division Multiplexing

ELP Ethernet Linear Protection

EM Element Manager

EML Element Manager Layer

EM/NE Element Manager/Network Element object management

EON Embedded Optical Network

FA-LSP Forwarding Adjacency LSP

FEC Forward Error Correction

FTP File Transfer Protocol

GBE Gigabit Ethernet

GCT GUI Cut-Through

GFPG Generic Framing Procedure Group

GM Generic Mediator

GmbH Gesellschaft mit beschränkter Haftung (Company with limited liability)

GMPLS Generalized Multi-Protocol Label Switching

GMT Greenwich Mean Time

GNE Gateway Network Element

GPS Global Positioning System

GUI Graphical User Interface

HW Hardware

IMA Independent Management Architecture

IMN Installation Manual

IP Internet Protocol

JRE Java Runtime Environment

LACP Link Aggregation Control Protocol

LAG Link Aggregation

LAN Local Area Network

LAPS Linear Automatic Protection Switching

LE Load Equivalent

LCT Local Craft Terminal

LDAP Lightweight Directory Access Protocol

LO Low Order

LoQ List of Quantities

LoM List of Materials

LSP Label Switched Path

LSR Label Switch Router

MDI Multiple Document Interface

MIB Management Information Base

MLO Multi-Layer Optimization

MPLS-TP Multiprotocol Label Switching Transport Profile

MSDE Microsoft SQL Server Desktop Engine

MSP Multiplex Section Protection

MTOSI Multi Technology Operations System Interface

MVM Multi-Vendor Mediator

NBI Northbound Interface

NE Network Element

NEC NE Controller

NG Next Generation

NIC Network Interface Card

NMS Network Management System

NNI Network to Network Interface

NTFS (Microsoft’s) New Technology File System

NTI Northbound TMF Interface

NTP Network Time Protocol

NW Network

OAM Operation, Administration and Maintenance

OCH Optical Channel

ODU Optical Data Unit - transport technology

OM Optical Manager or Optical Management

OMS Optical Multiplex Section

OMT Object Model Template

OS Operating System

OPU Optical Payload Unit - transport technology

OTN Optical Transport Network

OTS Optical Transport Section - transport technology

OTU Optical Transport Unit - transport technology

PBS Peak Burst Size

PC Personal Computer

PCEP Path Computation Engine Protocol

PDF Portable Document Format

PIR Peak Information Rate

PMP Performance Measurement Point

PT Physical Trail

PTC Planning Tool Connector

PTP Physical Termination Point

RAID Redundant Array of Independent Disks

RE Route Element

RNE Remote Network Element

SBI Southbound interface

SCP Secure Copy

SCSI Small Computer System Interface

SDH Synchronous Digital Hierarchy

SEL System Event Log

SFTP Secure File Transfer Protocol, or Secure Shell File Transfer Protocol

SLA Service-Level Agreement

SNC SubNetwork Connection

SNCP SubNetwork Connection Protection

SNMP Simple Network Management Protocol

SONET Synchronous Optical Networking

SPC Soft Permanent Connection

SQL Structured Query Language

SRLG Shared Risk Link Group

SSH Secure Shell

STP Spanning Tree Protocol

SVID Service Virtual Local Area Network Identifier

SW Software

TC Topological Container or TransConnect

TCP/IP Transport Control Protocol/Internet Protocol

TL1 Transaction Language 1

TE-Link Traffic Engineering-Link

TMN Telecommunications Management Network

TN TransNet

TNMS Telecommunications Network Management System

TNMS NCT Telecommunications Network Management System Network Craft Terminal

TP Terminal Point

USB Universal Serial Bus

UMN User Manual

UNI User-to-Network Interface

UNI-S User-to-Network Interface-Service

UNO Universal Network Object

UPS Uninterruptible Power Supply

UPSR Unidirectional path-switched ring

VC Virtual Container

VLAN Virtual LAN

WAN Wide Area Network

WLAN Wireless LAN

XC Cross Connection

X-NE Cross-NE

XML eXtended Markup Language

Glossary

These glossary entries are intended for the entire TNMS product range and may not apply to this document in particular.

@CT: @CT is a web-based craft terminal (that is, element manager) software which provides web access to hiT 7300 network elements (NEs) in the customer network without the use of a management system. It communicates via SNMP with the NEs and uses FTPS for upload/download of software or other data configuration (for example, log files).

3DES: Triple DES is the common name for the Triple Data Encryption Algorithm (TDEA or Triple DEA) symmetric-key block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block.

Actual Creation State (ACS): The current state of the path, which results from the accumulation of the actual creation states of the path's route elements.

Advanced Encryption Standard (AES): A specification for the encryption of electronic data. AES is based on a design principle known as a substitution-permutation network, and is fast in both software and hardware.

Alarm: An alarm is a management mechanism intended to inform the user that there is a standing fault condition in the system.

Alarm log: An alarm log provides a list of the alarms associated with a managed object, and provides the following information about each of the alarms:
• the identification of the affected object
• the identification of the failed NE or the NE in which the failed unit resides
• the alarm severity
• the time the event occurred
• the indication whether the alarmed event is service affecting or not
• the location and the affected traffic

Alarm severity: Each failure is assigned a severity. The following values are used:
• indeterminate
• critical
• major
• minor
• warning
• cleared alarms
• not Existent
• not Alarmed
Element Manager (EM) can configure the severity which is assigned to each fault cause by an alarm severity assignment profile. In addition, EM can specify that a fault cause shall not be alarmed. These fault causes will be blocked, hence do not lead to any LED alarm indications, log entries or alarm reporting.

Alien wavelength: A wavelength that does not originate from a transponder or muxponder card, but is still allowed to be multiplexed into the aggregate line signal for transport as an optical channel by the system.

Automatic Laser Shutdown (ALS): A technique used to automatically shut down the output power of the transmitter in case of fiber break. This is a safety feature that prevents dangerous levels of laser light from leaking out of a broken fiber, provided ALS is provisioned on both ends of the fiber pair.

Alarm Severity Assignment Profile (ASAP): The Alarm Severity Assignment Profile is a feature that allows the management of Alarm Severity profiles in TNMS and also at the NE side.

Automatically Switched Optical Networks (ASON): ASON domains are built on the VC4 layer of hiT 7065, 7070 or 7080, on the OCh layer of hiT 7300 and on the ODU2 layer of hiT 7100, which have a Control Plane. The Control Plane uses network-generated signaling and routing protocols to set up or release a connection, and can restore one when it fails. ASON domains can be built up as part of the transport network. They provide the benefit of easy end-to-end provisioning, and fault and protection management. Soft permanent connections (SPCs) connect both endpoints (NE1 and NE2) within an ASON domain. If a path fails, an alternative path is automatically used.

ASON Call: A Call is a Soft Permanent Connection between two end-points (inside the same domain or between different domains) and defines the type and attributes of the connection. The establishment of a Call leads to having a path (and/or multiple alternative paths) connecting the end-points that respect the constraints and attributes defined in the Call.

Bidirectional Self-healing Ring (BSHR): A telecommunications term for a loop network topology, a common configuration in telecommunications transmission systems; this loop or ring is used to provide redundancy. The system consists of a ring of bidirectional links between a set of stations. In normal use, traffic is dispatched in the direction of the shortest path towards its destination. In the event of the loss of a link, or of an entire station, the two nearest surviving stations "loop back" their ends of the ring. In this way, traffic can still travel to all surviving parts of the ring, even if it has to travel "the long way round".

Capacity Planning: Capacity planning is the process of determining the capacity needed by a system to meet future needs.

Card: A card is a plug-in unit that occupies one (or multiple) shelf slots. Cards perform specific electrical and/or optical functions within an NE.
Each card has a faceplate with information LEDs and, in most cases, several ports for interconnection of optical fibers and/or optical interfaces.

Card slot: A card slot is the insertion facility for a card in a shelf. Each card slot is designed for one or several particular card types.
Mechanical coding elements make sure that each card can be fully inserted only into a card slot that is suitable for the given card type. Therefore, fundamental shelf equipping errors (which might cause hardware damage or fatal malfunctions) are impossible.

Ethernet Connectivity Fault Management (CFM): An end-to-end per-service Ethernet layer OA&M protocol. IEEE 802.1ag CFM is a service level OA&M protocol that provides tools for detecting and isolating connectivity failures in the network. This includes proactive connectivity monitoring, fault verification and fault isolation for large Ethernet Metropolitan Area Networks (MANs) and WANs.

Committed Information Rate (CIR): The guaranteed average rate (in Mbit/s) at which the information units are transferred through the port over a measurement interval.

CLFI: CLFI Codes provide a standard, mnemonic naming scheme to uniquely identify cable and transmission facilities between two standardized locations within a network. It comprises facility designation, facility type, channel/pair/time slot, location of facility terminal A and location of facility terminal Z.
Commissioning Commissioning an network element (NE) is the process of taking an installed NE and
bringing it in to an operational state. The NE commissioning phase is performed after
the NE is installed and powered-up.

Controller card NE controller cards provide the central monitoring and controlling functions of the
system, as well as the MCF to operate the Q and QF Ethernet interfaces.
The controller card performs the following main functions: Fault Management, Perfor-
mance Management, Configuration Management, Security Management, Equipment
Management, Communication Management, Software Management (performing all
software downloads, uploads, and software integrity functions) and controlling the NE
alarm LEDs.

Data Communication Network (DCN): Data Communications Network is a management network for telecommunication transport systems. A DCN domain interconnects several NEs for the purpose of network management. The communication is established via the Optical Supervisory Channel (OSC) of the optical links and an Ethernet/L2 switching network implemented by the NEs.

Dense Wavelength Division Multiplexing (DWDM): In fiber-optic communications, wavelength-division multiplexing (WDM) is a technology which multiplexes a number of optical carrier signals onto a single optical fiber by using different wavelengths (colors) of laser light, that is, it simultaneously places a large number of optical signals (in the 1550 nm band) on a single optical fiber. This technique enables bidirectional communications over one strand of fiber, as well as multiplication of capacity.

Data Encryption Standard (DES): A widely-used method of data encryption using a private key. DES applies a 56-bit key to each 64-bit block of data. The process can run in several modes and involves 16 rounds or operations.

Dynamic Host Configuration Protocol (DHCP): A standardized networking protocol used on IP networks that dynamically configures IP addresses and other information that is needed for Internet communication. DHCP allows computers and other devices to receive an IP address automatically from a central DHCP server, reducing the need for a network administrator or a user to configure these settings manually.

Domain: TNMS allows you to restrict user groups to operate only a set of NEs or DCN subnets instead of the entire network. This partitioning is called a “Domain” and limits operation on nodes outside of their partitions by assigning user groups to domains. Further, you can also assign policies to domains for further control and security, limiting the user groups to specific menu entries and actions. This arrangement is required, for example, in network centers that are responsible for maintaining only a subset of the nodes. The main purpose is security: it prevents a login to the system from granting access to the entire network. TNMS supports the creation, modification or deletion of multiple domains, granting or restricting their accesses. By default, all NEs belong to the GLOBAL domain, which cannot be modified or deleted.

Ethernet Linear Protection (ELP): A protection scheme defined in the ITU-T G.8031 standard, designed to protect point-to-point Ethernet paths such as VLAN based Ethernet networks. To achieve protection, ELP uses two disjoint paths, a working path and a protection path: traffic is carried first on the active path (working path) and, in case of failure, is switched to the protection path. Both paths can be monitored using OAM protocols like CFM. ELP provides 1:1 bi-directional protection switching with revertive mode capabilities. ELP must first be configured at the NE side via the LCT; only then is it visible in TNMS so that you can use it in the E-LAN and E-Line service creation via the New Ethernet Service wizard. ELP is supported in specific network elements and cards only. Refer to the NE dedicated documentation for more information.

Element Manager (EM): Enables the user to perform operation, administration and maintenance tasks with the NE system in a GUI environment.

Ethernet: Ethernet is a family of frame-based computer networking technologies for LANs. It defines a number of wiring and signaling standards for the physical layer, through means of network access at the MAC/Data Link Layer, and a common addressing format.

Fault management: Fault management reports all hardware and software malfunctions within an NE, and monitors the integrity of all incoming and outgoing digital signals.

Forward Error Correction (FEC): Forward Error Correction or channel coding is a technique used for controlling errors in data transmission over unreliable or noisy communication channels.

File Transfer Protocol (FTP): FTP is a network protocol used to transfer files from one computer to an NE and vice versa through the network.

Frequency: Frequency is a physical attribute of a wave (for example, an optical wave), defined as the number of wave cycles per time unit. The frequency is directly related to the wavelength.

Generalized Multi-Protocol Label Switching (GMPLS): A protocol suite extending MPLS to manage further classes of interfaces and switching technologies other than packet interfaces and switching, such as time division multiplex, layer-2 switch, wavelength switch and fiber-switch.

Internet Protocol (IP): The principal communications protocol in the Internet protocol suite for relaying datagrams across network boundaries. Its routing function enables internetworking, and essentially establishes the Internet.

Internet Protocol version 4 (IPv4): A connectionless protocol for use on packet-switched networks. It operates on a best effort delivery model, in that it does not guarantee delivery, nor does it assure proper sequencing or avoidance of duplicate delivery. These aspects, including data integrity, are addressed by an upper layer transport protocol, such as the Transmission Control Protocol (TCP).

Job: A scheduled load that must be processed by the system.

Link Aggregation Control Protocol (LACP): Within the IEEE specification, the Link Aggregation Control Protocol (LACP) provides a method to control the bundling of several physical ports together to form a single logical channel. LACP allows a network device to negotiate an automatic bundling of links by sending LACP packets to the peer (a directly connected device that also implements LACP).

Link Aggregation (LAG): Allows a bridge to treat multiple physical links between two end-points as a single logical link, also referred to as a port-channel. The feature can be used to directly connect two switches when the traffic between them requires high bandwidth and/or reliability, or to provide a higher bandwidth connection to a public network. For this purpose, all the physical links in a given port-channel must operate in full-duplex mode and at the same speed. If a physical port or the related link of a LAG fails, the traffic previously carried over the failed link is automatically switched to the remaining link(s) of the LAG (rapid reconfiguration). Bandwidth degradation is an obvious impact if the sum of the throughput of the aggregated links is higher than the throughput of the remaining link(s). Be aware that certain link failures are not always visible to both ends of a link. Having Link Aggregation Control Protocol (LACP) and Automatic Laser Shutdown (ALS) enabled guarantees that both ends of a link properly detect all failures and perform the correct response. LAG groups must first be created at the NE side via the LCT; only then are they visible in TNMS so that you can use them in the E-LAN and E-Line service creation via the New Ethernet Service wizard. LAG is supported in specific network elements and cards only. Refer to the NE dedicated documentation for more information.

Laser: A laser is a device that generates an intense narrow beam of light by stimulating the emission of photons from excited atoms or molecules.

Laser safety: Laser safety rules are a group of mechanisms and actions necessary to protect all users from harmful laser light emissions.

Local Craft Terminal (LCT): LCT is a client-based craft terminal (that is, element manager) software which provides access to network elements (NEs) in the customer network without the use of a management system.

Lightweight Directory Access Protocol (LDAP): An application protocol for accessing and maintaining distributed directory information services over an Internet Protocol network.

Line interface: A line interface is a transponder interface that faces the line side of the link. Contrast with “client interface”, which faces the client equipment side of the link.

Long Haul (LH): hiT 7300 LH segment is a DWDM application characterized by a reach of more than 500 km and up to 1200 km.

Label Switched Path (LSP): A path through an MPLS network, set up by a signaling protocol such as LDP, RSVP-TE, BGP or CR-LDP. The path is set up based on criteria in the forwarding equivalence class (FEC).

Label Switch Router (LSR): Sometimes called transit router, an LSR is a type of router located in the middle of a Multiprotocol Label Switching (MPLS) network. It is responsible for switching the labels used to route packets. When an LSR receives a packet, it uses the label included in the packet header as an index to determine the next hop on the Label Switched Path (LSP) and a corresponding label for the packet from a look-up table. The old label is then removed from the header and replaced with the new label before the packet is routed forward.

MD5: Message-digest algorithm is a widely used cryptographic hash function producing a 128-bit (16-byte) hash value, typically expressed as a 32 digit hexadecimal number.

Maintenance Association End Points (MEP): Points at the edge of the domain that define the boundaries and send and receive CFM frames through the wire side (physical port) or relay function side.

Management Information Base (MIB): Used for backup purposes, where you can plan automatic upload jobs.

Multiprotocol Label Switching (MPLS): Multiprotocol Label Switching is a mechanism in high-performance telecommunications networks that directs data from one network node to the next based on short path labels rather than long network addresses, avoiding complex lookups in a routing table. The labels identify virtual links (paths) between distant nodes rather than endpoints.

MX: Juniper MX Series Universal Edge Routers are Ethernet-centric services routers that are purpose-built for demanding carrier and enterprise applications (source: Juniper website).

NetConf: Network Configuration Protocol (NETCONF) is an IETF network management protocol. NETCONF provides mechanisms to install, manipulate, and delete the configuration of network devices. Its operations are realized on top of a simple Remote Procedure Call (RPC) layer. The NETCONF protocol uses an Extensible Markup Language (XML) based data encoding for the configuration data as well as the protocol messages. This in turn is realized on top of the transport protocol.

NetServer: A set of TNMS Mediation sub-systems that runs on a machine.

Network Craft Terminal (NCT): NCT is a network management craft terminal (that is, element manager) software which is used for either local or remote network management.

Network Element (NE): A network element (NE) is a self-contained logical unit within the network. The NE can be uniquely addressed and individually managed via software. Each NE consists of hardware and software components to perform given electrical and optical functions within the network.

Network Management: The network management layer includes all the required functions to manage the optical network in an effective and user-friendly way, such as the visualization of the network topology, creation of services, and correlation of alarms to network resources.

Network topologies: A topology of a network is defined by the list of NEs included in the network and the list of links that connect those NEs (for example, point-to-point, chain, ring, and so on).

Network to Network Interface (NNI): An interface which specifies signaling and management functions between two networks. An NNI circuit can be used for interconnection of IP (e.g. MPLS) networks.

Optical Channel: A predefined wavelength that can be used to transmit a bit stream by means of a modulated light signal.

Optical Network Node (ONN): An ONN is an NE where the incoming channels are either dropped or routed to a line in a different direction; outgoing channels can also be added locally. Apart from multiplexing and demultiplexing, an ONN NE implements optical or 3R signal regeneration and dispersion compensation.

Optical path: The path followed by an optical channel from the first multiplexer to the last demultiplexer.

Path Computation Engine Protocol (PCEP): Implements, sets up and manages PCEP, while also notifying OM when PCEP is available or unavailable to send/receive PCEP Route messages.

Performance management: Performance monitoring and signal quality analysis provide information for detecting and alerting on a cause that could lead to degraded performance before a failure is declared.

78 Issue date: November 2015


Glossary

Peak Information Is a burstable rate set on routers and/or switches that allows throughput overhead.
Rate (PIR) Related to Committed Information Rate which is a committed rate speed guaran-
teed/capped. For example, a CIR of 10 Mbit/s PIR of 12 Mbit/s allows you access to 10
Mbit/s minimum speed with burst/spike control that allows a throttle of an additional 2
Mbit/s.

Pseudo-Random Is a known sequence of bits that can be used as a test signal to measure transmission
Binary Sequence delay and bit error rate of a channel. In this test, one port inserts the PRBS signal in the
(PRBS) channel (source port) and another detects if the sequence was received correctly (sink
port). This kind of test is traffic affecting since the test sequence is inserted into the
OPUk until the test is stopped.

Physical Trails (PT) Trails are represented as Physical Trails (PTs). They connect two Physical Termination
Points (PTP) on a physical layer rate, but can also contain non-physical layers.

Planning Tool Con- Interfaces Coriant TransNet/Intelligent Optical Control DWDM network planning tool.
nector (PTC)

PMP A Performance Measurement Point is a metric represented by a set of counters for a


specific point in the network. It provides data for monitoring the performance and avail-
ability of the network.

PTX Juniper Packet Transport Routers are Converged Supercore platforms that deliver
powerful capabilities based on the Junos Express chipset and forwarding architectures
optimized for MPLS and Ethernet, with integrated, coherent 100GbE technology (font:
Juniper website).

Qualitative System Quality System Requirements are non-functional requirements that must be meet by a
Requirements System such as Reliability, Availability, Performance, Scalability, Security, Maintainabil-
ity, Portability, etc.

Required Creation Is the desired state of the path, which is set by the user upon creation.
State (RCS)

Optical Signal to OSNR is the ratio of an optical signal power to the noise power in the signal.
Noise Ratio (OSNR)

Ring network A ring network is a network topology in which each NE connects to exactly two other
NEs, forming a circular optical path for signals (that is, a ring).

Synchronous Digital Is a standardized protocol that transfer multiple digital bit streams over optical fiber using
Hierarchy (SDH) lasers or highly coherent light from light-emitting diodes. At low transmission rates data
can also be transferred via an electrical interface. The method was developed to replace
the Plesiochronous Digital Hierarchy system for transporting large amounts of telephone
calls and data traffic over the same fiber without synchronization problems.

Security manage- Security Management controls the individual access to particular NE functions via the
ment network management system and/or via a craft terminal, using a hierarchical security
management user ID, and password concept.

State Event Machine In computation, a finite-state machine is event driven if the transition from one state to
(SEM) another is triggered by an event or a message.

Service Provisioning Provisioning mode in hiT 7300.


via NMS

Issue date: November 2015 79


Glossary

The core equipment is provisioned by downloading and swapping NCFs, while


services are manually provisioned via the NMS.
When adding new services or expanding an existing network, the relevant line cards,
cross connections and internal port connections between line cards and multiplex-
ers/demultiplexers are provisioned via the NMS.

Secure Hash Algorithm (SHA): A family of cryptographic hash functions that takes an arbitrary block of data and returns a fixed-size bit string, the cryptographic hash value, such that any (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded are often called the message, and the hash value is sometimes called the message digest or simply digest.

Simple Network Management Protocol (SNMP): SNMP is used in network management systems to monitor network-attached devices for conditions that warrant administrative control. It consists of a set of standards for network management, including an application layer protocol, a database schema, and a set of data objects.

Software management: Software management performs all software downloads, uploads, and software integrity functions.

Secure Shell (SSH): A cryptographic network protocol for secure data communication, remote command-line login, remote command execution, and other secure network services between two networked computers. It connects, via a secure channel over an insecure network, a server and a client (running SSH server and SSH client programs, respectively).

Subsystem: A subsystem is a set of shelves and cards in a multicontroller NE that is controlled by a subagent. All subagents within a multicontroller NE are controlled by the master agent. Subsystem is defined for the HW only. In software, the concept is different: a major component of a system, made up of two or more interacting and interdependent components. Subsystems of a system interact in order to attain their own purpose(s) and the purpose(s) of the system in which they are embedded.

Synchronous Optical Networking (SONET): Synchronous Optical Networking and Synchronous Digital Hierarchy are standardized protocols that transfer multiple digital bit streams over optical fiber using lasers or highly coherent light from light-emitting diodes.

Throughput: Throughput measures the number of work units performed in a given time unit.

Topological Container (TC): Defines a containment relationship between other topological containers and/or NEs. This means they can contain NE symbols and other TCs. The network map is always associated with one TC, which corresponds to a network view.

Tandem Connection Monitoring (TCM): TCMs are configurable parameters (via Element Manager) of the transponders. They provide Performance Management of the whole Optical Transport Network (that is, the end-to-end connection) or of specific sections only, and implement an Optical channel Data Unit (ODU) termination provisioned to support up to six TCM levels.

Transmission Control Protocol (TCP): One of the core protocols of the Internet protocol suite (IP), and so common that the entire suite is often called TCP/IP. TCP provides reliable, ordered, error-checked delivery of a stream of octets between programs running on computers connected to a local area network, intranet or the public Internet. It resides at the transport layer.

TL1: Transaction Language 1 (TL1) is a widely used management protocol in telecommunications. It is a cross-vendor, cross-technology man-machine language, and is widely used to manage optical (SONET) and broadband access infrastructure in North America. TL1 is used in the input and output messages that pass between Operations Systems (OSs) and Network Elements (NEs). Operations domains such as surveillance, memory administration, and access and testing define and use TL1 messages to accomplish specific functions between the OS and the NE.

TNMS: Telecommunications Network Management System. A standalone application that provides a full range of network-management functions, from the transport network’s physical structure and its NEs to those required for Automatically-Switched Optical Networks (ASON), SW management (also referred to as X-NE or Cross-NE), Optical Management and Ethernet Management.

TNMS Core: TNMS Core is an integrated solution designed for large, medium and small size networks. It supports NEs with DWDM, OTH, SDH, PDH and Ethernet in line, star, ring and mesh network configurations. TNMS Core can be used to manage networks at the access, edge, metro, core and backbone levels.

TNMS CT: TNMS CT is a transparent software platform for SDH and DWDM NEs using QD2, QST, QST V2, Q3 or SNMP telegram protocols. It supports line, star, ring and mesh networks and provides access to NEs via an Ethernet interface or via a serial line interface (RS232).

TNMS DX: TNMS DX is a telecommunications network management system to operate, administer and maintain hiT 7300 NEs. It allows remote operation and control of these network elements.

TNMS NCT: TNMS NCT is a lighter version of TNMS for smaller networks. It uses GM or MVM-based mediations and includes the basic functionalities for network management.

TransNet: Planning of a hiT 7300 network is done by the Coriant TransNet tool. Coriant TransNet is a sophisticated software simulation tool developed specifically for designing and/or upgrading optical DWDM networks with hiT 7300. It runs on PCs using Microsoft Windows operating systems.

Trail Trace Identifier (TTI): TTI is a transponder card parameter (configurable via Element Manager) which is used to verify correct cabling or correct Tandem Connection Monitoring (TCM) configuration. The basic principle is that specific overhead bytes are reserved for Trace Messages of the user's choosing. By specifying the Actually Sent (transmitted) and the Expected (received) trace messages, the system can automatically verify that fiber connections have been made as intended. This is accomplished by comparing the expected Trace Message to that actually received. If they differ, an alarm is raised, alerting personnel of the incorrect connections.

Transponder card: A transponder card receives an optical input signal and converts it to an optical output signal suitable for DWDM multiplexing and transmission.

Transponder loopback: Loopbacks are diagnostic tests that can be activated via Element Manager. Loopbacks return the transmitted signal back to the sending device after the signal has passed across a particular link. The returned signal can then be compared to the transmitted one. Any discrepancy between the transmitted and the returned signal helps to trace faults.

User Datagram Protocol (UDP): One of the core members of the Internet protocol suite (the set of network protocols used for the Internet). With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol (IP) network without prior communications to set up special transmission channels or data paths. UDP uses a simple transmission model with a minimum of protocol mechanism. It has no handshaking dialogues, and thus exposes any unreliability of the underlying network protocol to the user's program. As this is normally IP over unreliable media, there is no guarantee of delivery, ordering or duplicate protection. UDP provides checksums for data integrity, and port numbers for addressing different functions at the source and destination of the datagram.

Ultra Long Haul (ULH): hiT 7300 ULH segment is a DWDM application characterized by long path lengths of up to 1600 km.

User-to-Network Interface (UNI): A demarcation point between the responsibility of the service provider and the responsibility of the subscriber. This is distinct from a Network to Network Interface (NNI), which defines a similar interface between provider networks.

Universal Network Object (UNO): Universal Network Objects are software NEs that can be configured and used to represent network elements which are not supported by TNMS. UNO also supports devices with restricted functionalities, for example, without supervising interfaces. They are also used to represent network services between third parties and TNMS networks.

Virtual Local Area Networks (VLAN): In computer networking, a single layer-2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them via one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN or VLAN.

Wavelength: Wavelength is a physical attribute of a wave (for example, an optical wave), defined as the distance between corresponding points of two consecutive wave cycles. The wavelength is directly related to the frequency of the wave.

Wait to restore time (WTR): The time in minutes that TNMS waits until it tries to switch to the working path again, assuming the Revertive option is selected.

Workload Model: Representation of the typical load to be processed by the system.

eXtensible Markup Language (XML): A markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. The design goals of XML emphasize simplicity, generality, and usability over the Internet. It is a textual data format with strong support via Unicode for the languages of the world. Although the design of XML focuses on documents, it is widely used for the representation of arbitrary data structures, for example in web services.

Index

A
Access rights 21
Audit policies 45

B
Backup 34
  automating 38
  client 39
  command line 36
  console 35
  interactive mode 35
  non-interactive mode 35
  Oracle database 36
  TNMS database 37

C
Console 35
CopSSH
  security hardening 59

D
Date and time 13
Domain management 19

F
Firewall
  configuration 52
  Windows firewall 58
Functional overview
  user and security management 16

H
Hardware
  security hardening 43

I
Importing 26
Interactive mode 35
Internet Explorer 16

L
License log 33
License Management 23
License management
  function overview 23
  functions 23
Local security policy 48
Log
  administration 29
  data retention policy 29
  export file formats 31
  export output location 32
  license 33
  manual export 30
  scheduled export 30
Log export
  manual 30
  scheduled 29
Log Management
  messages 30
Log management
  data retention policy 29
Log settings 30
Login 13

M
Microsoft Windows
  security hardening 43
  security patches 43
Monitoring 64
  system resources 64

N
Non-interactive mode 35

O
Operating system
  security hardening 43
  shares 45
Oracle 65
Oracle backup files 37

P
Password
  change 15
  complexity rules 15
Policies 45
Policy management 20
Power management 13

R
Recovering
  Oracle 41
Recovery 40
Remote
  access 50
  desktop 50
Remote registry 46
Restore 34, 40
  TNMS database 41
Roles 45

S
Security 43
Security hardening 43
  audit policies 45
  CopSSH 59
  digitally signed communications 48
  firewall 52
  Internet Explorer 59
  local security policy 48
  Microsoft Windows security patches 43
  networking 52
  OEM 59
  operating system 43
  physical and hardware 43
  remote access 50
  remote registry 46
  SFTP 59
  system services 48
  unnecessary accounts 44
  unnecessary applications and roles 45
  user management 60
  Windows Error Reporting 47
Security settings 22
SFTP 26
  security hardening 59
Single Sign-on 18
  client 19
  enabling 19
  server 19
System
  administration 24
  information 24
  preferences 25
System resources
  monitoring 64
System services 48

T
Timezone
  TNMS client 13
  Windows 13

U
User and Security management 16
  alarming and logging 17
  functional overview 16
  main features 17
  security management 17
  user management 16
User group management 21
User management 16, 20

W
Windows Error Reporting 47