
Video Processing

Encoding On-demand mS v12

Standalone Deployment

PN: 10-00430-01-03

Contents

1 Overview
1.1 Deployment overview

2 Prerequisites
2.1 Browser Compatibility
2.2 Hosts prerequisites
2.2.1 Minimal resources for MediaKind Controller server(s)
2.2.2 Recommended resources for MediaKind applications servers
2.2.3 Minimal resources for MediaKind applications servers
2.3 Operating System prerequisites
2.3.1 Versions and compatibility
2.3.2 Linux update
2.3.3 Antivirus
2.3.4 Security-Enhanced Linux
2.3.5 Firewall
2.3.6 HTTP Proxy
2.3.7 Host Names
2.4 Network Configuration
2.4.1 Improve network interfaces high availability (NIC teaming)
2.5 MediaKind security model and zoning

3 Quick Deployment Procedures
3.1 Quick Deployment Procedures
3.1.1 Deploying MediaKind Controller
3.1.2 Deploying Log Manager
3.1.3 Deploying MediaKind Encoding On-Demand

4 Deployment Procedures
4.1 Deploying MediaKind Controller on your standalone server
4.1.1 Install MediaKind Controller on the standalone server
4.1.2 Synchronize NTP
4.1.3 Configure MediaKind Controller on the standalone server
4.1.4 Check the MediaKind Controller deployment on the standalone server
4.2 Deploying Log Manager on your standalone server
4.2.1 Install Log Manager on the standalone server
4.2.2 Configure Log Manager with custom certificates
4.2.3 Configure Log Manager with auto-generated certificates
4.2.4 Check the Log Manager deployment on the standalone server
4.3 Deploying MediaKind Encoding On-Demand on your standalone server
4.3.1 Install MediaKind Encoding On-Demand on the standalone server
4.3.2 Configure MediaKind Encoding On-Demand on your standalone server
4.3.3 Check the MediaKind Encoding On-Demand deployment on the standalone server

5 Post deployment procedures
5.1 Configure mount points
5.2 Allow LDAP users to access Controller user interface
5.3 Install Security Package

1 Overview

1.1 Deployment overview


Standalone Deployment

• One SINGLE server hosts Controller and Encoding On-Demand
• No redundancy
• Typical use: Lab functional tests

Compact deployment (from 3 to 15 servers)

• 2 redundant servers host Controller and Encoding On-Demand for HA.
• Up to 13 other servers dedicated for Encoding On-Demand Processing.
• Typical use: Production, medium sizing

Distributed Deployment (from 3 to 150 servers)

• 2 redundant servers host Controller for HA.
• Up to 150 Servers dedicated for Encoding On-Demand Processing
• Typical use: Production, large sizing

NOTE The distributed mode can also be deployed with 2 dedicated license management servers (see Controller installation guide).

Available resources

Context                                  Description
Deployment from scratch                  An installation guide is available for the following deployment contexts:
                                         • Standalone deployment Mode
                                         • Compact deployment Mode
                                         • Distributed Deployment Mode
Upgrade of existing deployed solution    An upgrade guide is available to upgrade from the version currently deployed to the latest version:
                                         • Upgrade guide - all modes

2 Prerequisites

2.1 Browser Compatibility


Certain browsers are recommended for optimal use.
MediaKind applications adapt to your screen. The display is optimized for a minimum 1366x768
resolution. The following browsers are recommended:
• Chrome from version 70.0.03538.102 and up
• Firefox from version 63.0.3 and up

IMPORTANT Internet Explorer version 11 is no longer supported.



2.2 Hosts prerequisites


Hardware references for MediaKind solutions include MediaKind G8 appliances, Cisco, Dell and HP
BladeSystem that exclusively run on Intel CPUs.
IMPORTANT If the host is a MediaKind appliance, execute a factory restore on first entry point before executing the deployment procedure. This will erase the factory standalone deployment.
This deployment mode installs both the controller and the licensing management system on the same host. Licensing control is based on locking codes generated on the Controller host(s).
A locking code relies on hardware-specific criteria, such as MAC address, hostname, or UUID. Any post-deployment change to one of these criteria will result in invalid licenses.

IMPORTANT Keep the Controller host(s) unchanged. In particular, in virtualized environments, the Controller VM must not be relocated.

2.2.1 Minimal resources for MediaKind Controller server(s)


Recommended hardware configurations for optimal performance:

Application        CPU         RAM memory  Disk       Network Interface           Features
Controller server  Intel Xeon  32GB        160GB HDD  Ethernet - 2 x 10/100/1000  Redundant hot-swappable power supply on physical servers

IMPORTANT To guarantee server high availability, we recommend that you dedicate and team two physical network interfaces for the management network via one logical network interface.
Refer to: Improve network interfaces high availability (NIC teaming), section 2.4.1.

2.2.2 Recommended resources for MediaKind applications servers


Recommended hardware configurations for optimal performance:

Application                   CPU                                                                                                  RAM memory  Disk
MediaKind Encoding On-Demand  Two Intel Xeon Gold 6140 (2.3GHz) with memory interleaving and CPU Hyper threading options enabled  64GB        240GB SSD


2.2.3 Minimal resources for MediaKind applications servers


Minimal hardware configurations for optimal performance:

Application                   CPU                                                                                                  RAM memory  Disk
MediaKind Encoding On-Demand  Two Intel Xeon Gold 6140 (2.3GHz) with memory interleaving and CPU Hyper threading options enabled  32GB        240GB SSD


2.3 Operating System prerequisites

2.3.1 Versions and compatibility


Recommended operating systems for MediaKind solutions:

Application                   Operating System
MediaKind Controller          Recommended version: Linux CentOS-7.7 minimal 64 bit*
                              Other supported version: Linux CentOS-7.6 minimal 64 bit*
MediaKind Encoding On-Demand  Recommended version: Linux CentOS-7.7 minimal 64 bit*
                              Other supported versions: Linux CentOS-7.6 minimal 64 bit*

* The version to use depends on the MediaKind applications that need to be supported.

IMPORTANT • In standalone mode, the CentOS version deployed on the server must be compatible
with the recommended (or supported) versions of both MediaKind Controller and
MediaKind application to install.
• In compact mode, the CentOS version deployed on both controllers must be compatible
with the recommended (or supported) versions of both MediaKind Controller and
MediaKind application to install.

2.3.2 Linux update


Disable automatic Linux updates to avoid unexpected reboot.

2.3.3 Antivirus
Uninstall all antivirus services from all the servers of the solution to avoid performance failures or
unexpected software behaviors.

2.3.4 Security-Enhanced Linux


Leave SELinux enforcing settings unchanged on all the servers of the solution to be able to run scripts
remotely (example: supportPackage request).

NOTE The product setup script automatically configures the Security-Enhanced Linux settings.

2.3.5 Firewall
Activate the Linux server firewall if it is disabled, in order to access the ports required during installation. Ports: 8080 for the UI, or 80 for the light SOAP bridge, and 8443 for HTTPS.

NOTE The product setup script automatically configures the firewall settings.

2.3.6 HTTP Proxy


Disable any HTTP proxy to avoid installation issues.

2.3.7 Host Names


Requirements
• All servers must have unique host names.
• If the servers are configured to get the controller host names from a DNS server: skip the /etc/hosts configuration below.
  NOTE The use of DNS is not covered in this configuration guide and would be a matter for a local system administrator.
• The host name should be configured in /etc/hostname on each server.
• For servers hosting the controller software: all controller host names must be written into the /etc/hosts file on each controller server. The default entry for localhost must also remain in place.
  IMPORTANT The host name of Controller nodes must not be changed; this would result in invalid licenses. See host prerequisites for details.

Example of the /etc/hosts file in compact and distributed modes:
• /etc/hosts file on both controller1 and controller2 servers

    127.0.0.1 localhost
    192.168.0.11 controller1
    192.168.0.12 controller2

• /etc/hosts file on each processing server

    127.0.0.1 localhost
    192.168.0.13 procserver-n
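
The host-name requirements above can be checked mechanically before installation. The following is an added example, not part of the MediaKind tooling: it parses an /etc/hosts-style file and reports a missing localhost entry, missing controller names, and names mapped to two different addresses. The function name check_hosts_file and the rule that controller names must not resolve to a loopback address are assumptions of this example.

```shell
#!/bin/sh
# Added example, not MediaKind tooling. check_hosts_file and its messages are
# hypothetical names chosen for this example.
#
# Usage: check_hosts_file HOSTS_FILE CONTROLLER_NAME...
# Returns 0 when the file meets the host-name requirements, 1 when a
# requirement is violated (one finding per line on stdout), 2 when the file
# cannot be read.
check_hosts_file() {
    hosts_file=$1
    shift
    if [ ! -r "$hosts_file" ]; then
        echo "cannot read $hosts_file" >&2
        return 2
    fi
    awk -v required="$*" '
        { sub(/#.*/, "") }            # drop comments
        NF < 2 || $1 ~ /:/ { next }   # skip blank lines and IPv6 entries (the guide uses IPv4)
        {
            # Every name on the line (canonical name and aliases) must map to one address.
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if ((name in addr) && addr[name] != $1) {
                    printf "conflict: %s maps to both %s and %s\n", name, addr[name], $1
                    bad = 1
                } else {
                    addr[name] = $1
                }
            }
        }
        END {
            # The default localhost entry must remain in place.
            if (!("localhost" in addr) || addr["localhost"] != "127.0.0.1") {
                print "missing: default entry 127.0.0.1 localhost"
                bad = 1
            }
            # Each controller name must be present. Assumption of this example:
            # it should resolve to the management address, not to loopback.
            n = split(required, want, " ")
            for (i = 1; i <= n; i++) {
                name = tolower(want[i])
                if (!(name in addr)) {
                    print "missing: no entry for " want[i]
                    bad = 1
                } else if (addr[name] ~ /^127\./) {
                    print "loopback: " want[i] " resolves to " addr[name]
                    bad = 1
                }
            }
            exit (bad ? 1 : 0)
        }
    ' "$hosts_file"
}

# Run against a real file when called with arguments, for example:
#   sh check_hosts.sh /etc/hosts controller1 controller2
if [ "$#" -ge 1 ]; then
    check_hosts_file "$@"
fi
```
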

2.4 Network Configuration


Prerequisites:
The host network configuration is set-up including:
• IP configuration of network interfaces
• Network interface bonding when necessary
• Specific routes when necessary. Example for multicast: ip route add 239.2.3.202 via <ip_address>

ATTENTION During the deployment of the system, the last octet of the VIP is used as the Virtual Router Redundancy Protocol (VRRP) router identifier. Therefore the last octet used by the VIP MUST be unique, and no other device in the network can use the same last octet.
For example, if the VIP is 10.86.84.239, no other device in the network may have an address whose last octet is 239.

NOTE In case of distributed deployment, all the network interface names of all the servers must be
the same subnetwork.

2.4.1 Improve network interfaces high availability (NIC teaming)


Within your video headend, communication between application servers is done via the management network.
To guarantee server high availability, we recommend that you dedicate and team two physical network interfaces for the management network via one logical network interface. That way, if one physical interface becomes inoperable, communication continues through the other interface, using the same IP address (controllerIP).

2.5 MediaKind security model and zoning


In the industry, security zoning is commonly categorized into four zone types. A brief summary of each zone is outlined below.

• Untrusted zone is a public zone that is entirely open and includes public networks such as the public Internet. Restrictions and requirements are difficult or impossible to place or enforce in this zone because it is generally outside the control of the customer. The untrusted zone is considered to be extremely hostile.
• Semi-trusted zone is a public access zone that mediates between the customer’s trusted zone and the untrusted zone. Typically, this zone implements corporate Web/Proxy servers, Domain Name Service, external Mail servers, remote access, and extranet gateways. It is often referred to as a demilitarized zone (DMZ). The semi-trusted zone is considered to be hostile.
• Trusted zone is an operational zone, a standard environment for routine customer operations, and where most corporate user systems and work group servers are installed. In general, with appropriate security controls, this zone may be suitable for processing some sensitive data; however, this zone is customarily unsuitable for large repositories of sensitive data or critical applications without adequate strong trustworthy security controls.
• Restricted zone is a controlled zone suitable for business-critical services or large repositories of sensitive data. It supports access from systems in the semi-trusted zone.
Each security zone is delimited by a trust boundary:
• Trust boundaries provide a network interface from a zone to an adjacent zone. Trust boundaries are the logical construct describing the controlled interfaces connecting zones. Trust boundaries enforce zone data communication policy through perimeter security measures. Trust boundaries control inbound data communication and implement the security policy of their respective zone, and all data communication must go through a trust boundary. Trust boundaries can be accomplished using a single component or a combination of components such as load balancer, firewall, intrusion detection system (IDS), intrusion prevention system (IPS), access control list (ACL) and routers.
3 Quick Deployment Procedures

3.1 Quick Deployment Procedures


Prerequisites:
• Recommended Linux CentOS is installed on servers (refer to the release note for versions supported).
• Network Interfaces are configured (IP addresses, Mask, Gateways).
• Root access is required for installation.
• Following tar.gz files are available:
• Eri-xx-xxxxxx-xx-xx-MFVP-controller-v.x.y.z.el7.x86_64.tar.gz
• Eri-xx-xxxxxx-xx-xx-ericsson-log-manager-v.x.y.z.el7.x86_64.tar.gz
• Eri-xx-xxxxxx-xx-xx-ericsson-encoding-on-demand-v.x.y.z.el7.x86_64.tar.gz

3.1.1 Deploying MediaKind Controller


NOTE If Controller is installed on a MediaKind appliance, go directly to step #3.

1. Copy Eri-xx-xxxxxx-xx-xx-MFVP-controller-v.x.y.z.el7.x86_64.tar.gz to the standalone server.


2. Install MediaKind Controller:

# mkdir -p /tmp/<directory_name>
# tar -xvf Eri-xx-xxxxxx-xx-xx-MFVP-controller-v.x.y.z.el7.x86_64.tar.gz -C /tmp/<directory_name>
# cd /tmp/<directory_name>
# ./install.sh

3. Synchronize NTP.
4. Configure MediaKind Controller:

# /opt/ericsson/controller/setup/configure.sh --serverID standalone --controllerIP1 x.x.x.x

5. Optional: Delete the temporary Controller installation folder(s):

# rm -rf /tmp/<directory_name>

3.1.2 Deploying Log Manager


1. Copy Eri-xx-xxxxxx-xx-xx-ericsson-log-manager-v.x.y.z.el7.x86_64.tar.gz to the standalone server.
2. Install Log Manager:

# tar -xvf Eri-xx-xxxxxx-xx-xx-ericsson-log-manager-v.x.y.z.el7.x86_64.tar.gz
# cd ericsson-log-manager-v.x.y.z.el7.x86_64
# ./install.sh

3. Manage certificates and configure Log Manager depending on your deployment context (with custom certificates or auto-generated certificates).
• Deployment with custom certificates

a. Copy the trusted certificate files (.crt and .key) available in your environment, generated according to PEM (RFC 1421 to 1424) format standards, to the standalone server under /etc/ssl/certs.
b. Configure Log Manager:

# /opt/ericsson/log-manager/setup/configure.sh --sslCertificate /etc/ssl/certs/<trustedCertificateName>.crt --sslPrivateKey /etc/ssl/certs/<trustedCertificateName>.key

• Deployment with auto-generated certificates

a. Generate certificate on the standalone server:

# /opt/ericsson/log-manager/setup/generate_certificate.sh --caName <controller_VIP> --output /etc/ssl/certs

RESTRICTION Certificates generated with the provided script “generate_certificate.sh” are self-signed and are created with an expiration date set to "current date + 10 years".

b. Configure Log Manager:

# /opt/ericsson/log-manager/setup/configure.sh --sslCertificate /etc/ssl/certs/<controllerIP1>.crt --sslPrivateKey /etc/ssl/certs/<controllerIP1>.key

3.1.3 Deploying MediaKind Encoding On-Demand


1. Copy Eri-xx-xxxxxx-xx-xx-ericsson-encoding-on-demand-v.x.y.z.el7.x86_64.tar.gz to the standalone server.
2. Install MediaKind Encoding On-Demand:

# tar -xvf Eri-xx-xxxxxx-xx-xx-ericsson-encoding-on-demand-v.x.y.z.el7.x86_64.tar.gz
# cd ericsson-encoding-on-demand-v.x.y.z.el7.x86_64
# ./install.sh --standalone

3. Configure MediaKind Encoding On-Demand:

# /opt/ericsson/encoding-on-demand-standalone/setup/configure.sh --logManagerCA /etc/ssl/certs/<controllerIP1>.pem
4 Deployment Procedures

4.1 Deploying MediaKind Controller on your standalone server


NOTE Required tar.gz versions depend on the MediaKind applications to install.

This deployment mode installs both the controller and the licensing management system on the same host. Licensing control is based on locking codes generated on the Controller host(s).
A locking code relies on hardware-specific criteria, such as MAC address, hostname, or UUID. Any post-deployment change to one of these criteria will result in invalid licenses.

IMPORTANT Keep the Controller host(s) unchanged. In particular, in virtualized environments, the Controller VM must not be relocated.

4.1.1 Install MediaKind Controller on the standalone server


NOTE If Controller is installed on a MediaKind appliance, go directly to Synchronize NTP (section 4.1.2).
1. Open an SSH session as a root user.
2. Copy the tar.gz to the standalone server:
• Eri-xx-xxxxxx-xx-xx-MFVP-controller-v.x.y.z.el7.x86_64.tar.gz

3. Enter the following commands:

# mkdir -p /tmp/<directory_name>
# tar -xvf Eri-xx-xxxxxx-xx-xx-MFVP-controller-v.x.y.z.el7.x86_64.tar.gz -C /tmp/<directory_name>
# cd /tmp/<directory_name>
# ./install.sh

Result:
The installation completes and the following message displays:

Complete!

4.1.2 Synchronize NTP


The server where the operating system is installed determines the date and time settings for your MediaKind solution. The servers in the headend must be synchronized on the same NTP server. If the software is running in a Virtual Machine (VM), the VM's host server must also be synchronized on the NTP server. In a MediaKind solution, all the logs, alarms and status are written and timestamped by all the different servers that cooperate for control.
1. Carry out the following steps only if running CentOS versions 7.3 and above.
NOTE Disable and stop chronyd to prevent unexpected behaviour (upon a reboot for example).

a. Enter the following command to disable chronyd.

# systemctl disable chronyd

b. Enter the following command to stop chronyd.

# systemctl stop chronyd

2. Update the NTP configuration file on the first server with the NTP IP address. Open the file:

# vi /etc/ntp.conf

and add the following line to it:

server [ntp_ip_address]

3. Restart the NTP service on each server with the following commands:

# systemctl restart ntpd

4. Enable the NTP to automatically restart (upon a reboot for example).

# systemctl enable ntpd

5. Check the server synchronization with the NTP server with the following commands:

# ntpstat

6. Edit the time zone only if the time is not currently set to the expected time zone; otherwise, skip to the next step in this procedure.
NOTE Editing the time zone depends on your geographic location.

# cd /etc
# rm localtime
# ls /usr/share/zoneinfo/
# ln -s /usr/share/zoneinfo/[expected_time_zone] localtime
# date

Result: The servers are synchronized with NTP.



4.1.3 Configure MediaKind Controller on the standalone server


Enter one of the following commands depending on your configuration:
• Standard UI and API configuration

# /opt/ericsson/controller/setup/configure.sh --serverID standalone --controllerIP1 x.x.x.x

# /opt/ericsson/controller/setup/configure.sh --serverID xx --controllerIP1 x.x.x.x

• Secured UI and API configuration

# /opt/ericsson/controller/setup/configure.sh --serverID standalone --controllerIP1 x.x.x.x --sslPort xx --sslCertificate /etc/ssl/certs/<controllerIP1>.crt --sslPrivateKey /etc/ssl/certs/<controllerIP1>.key --authenticationCertificate xx --authenticationPrivateKey xx

# /opt/ericsson/controller/setup/configure.sh --serverID xx --controllerIP1 x.x.x.x --sslPort xx --sslCertificate /etc/ssl/certs/<controllerIP1>.crt --sslPrivateKey /etc/ssl/certs/<controllerIP1>.key --authenticationCertificate xx --authenticationPrivateKey xx

Mandatory parameters

--serverID standalone
    In a standalone mode, server ID must be standalone.
--serverID xx
    xx corresponds to your Server ID for this server (example: Server_01). The server ID must be unique and is used as the server name in the controller user interface.
--controllerIP1 x.x.x.x
    corresponds to the management IP address for this server.

UI and API secure access parameters (optional)

--sslPort xx
    xx corresponds to the port used for HTTPS access. Valid values: 8443 | 443 (default is 8443).
--sslCertificate /etc/ssl/certs/<controllerIP1>.crt
    corresponds to the file path to SSL certificate file to import.
--sslPrivateKey /etc/ssl/certs/<controllerIP1>.key
    corresponds to the file path to SSL private key file to import.
--authenticationCertificate xx
    xx corresponds to the PEM formatted file containing the SSL certificate used to validate signed authentication tokens. If using this parameter then you must also provide --authenticationPrivateKey.
--authenticationPrivateKey xx
    xx corresponds to the PEM formatted file containing the private key used to sign authentication tokens. If using this parameter then you must also provide --authenticationCertificate.

Result:
The configuration completes and the following message displays:

ntp is synchronized

4.1.4 Check the MediaKind Controller deployment on the standalone server

1. Open a Web browser from a computer that has a network access to your Controller.
2. Enter the access URL, then press Enter.
NOTE Your access is either HTTP or HTTPS depending on your security settings.
• http://[controllerIP1]:8080
• https://[controllerIP1]:8443/ui/home or https://[controllerIP1]/ui/home

3. When the Login page displays: Enter your username and password.

NOTE Default admin user log in information:


• Username: admin
• Password: admin

Result: The Home page displays


4. Display servers.
Result: The following processing types display: Controller and Licensing
5. Optional: Delete the temporary Controller installation folder(s):

# rm -rf /tmp/<directory_name>

4.2 Deploying Log Manager on your standalone server


Prerequisites: MediaKind Controller is installed on the standalone server.

4.2.1 Install Log Manager on the standalone server


1. Copy the Eri-xx-xxxxxx-xx-xx-ericsson-log-manager-v.x.y.z.el7.x86_64.tar.gz to the standalone server.
2. Enter the following commands:

# tar -xvf Eri-xx-xxxxxx-xx-xx-ericsson-log-manager-v.x.y.z.el7.x86_64.tar.gz
# cd ericsson-log-manager-v.x.y.z.el7.x86_64
# ./install.sh

Optional

--bridgeIP
    [Optional] Defines the network range used by elasticSearch and logstash (default: 172.17.0.1/16). To avoid IP conflicts when the network already uses the default range, it is required to assign an alternative range using bridgeIP.

Result: The configuration completes and the following message displays:

Installation log-manager successful

3. Enter the following command to check that the installation is completed and the docker service is
enabled:

# systemctl is-enabled docker

Result: The following message displays when complete:

enabled

4. Go to Log Manager configuration depending on your deployment environment:


• Configure Log Manager with custom certificates
• Configure Log Manager with auto-generated certificates

4.2.2 Configure Log Manager with custom certificates


Copy certificates on standalone server
Log Manager requires certificates to secure network traffic between your processing server and the Log Manager. Certificates must be generated according to PEM (RFC 1421 to 1424) format standards and can be either self-signed or signed by a trusted 3rd party Authority.
• Usage of self-signed certificates from your environment will allow the log-manager to work normally and collect logs from the encoding workers and other components.
• Usage of certificates signed by a 3rd party Authority must be considered according to the company's own security policy.
To install a certificate, you must copy your certificate files (.crt and .key) under /etc/ssl/certs/ then run the configure.sh command with your certificate file name. MediaKind is not responsible for misuse of certificates.

IMPORTANT Expiration of the validity date of a certificate will not block the encoding processes but will prevent job logs from being collected and displayed in the UI.

Configure Log Manager on the standalone server


1. Copy the trusted certificate files (.crt and .key) available in your environment to the standalone server under /etc/ssl/certs.
2. Enter the following command:

# /opt/ericsson/log-manager/setup/configure.sh --sslCertificate /etc/ssl/certs/<trustedCertificateName>.crt --sslPrivateKey /etc/ssl/certs/<trustedCertificateName>.key

Mandatory Parameters

--sslCertificate /etc/ssl/certs/<trustedCertificateName>.crt
    corresponds to the file path to SSL certificate file to import.
--sslPrivateKey /etc/ssl/certs/<trustedCertificateName>.key
    corresponds to the file path to SSL private key file to import.

Optional Parameters

--elasticsearchPassword xx
    xx corresponds to the password to use to request elasticsearch. Must be at least 6 characters.
--controllerPort xx
    [Optional] xx corresponds to the port where the API of the Controller is callable (default to 8080)
--syslogPort xx
    [Optional] xx corresponds to the IP port number for TCP server (default to 5140)
--elasticsearchPort xx
    [Optional] xx corresponds to the IP port number for elasticsearch REST API (default to 9200)
--elasticsearchClusterPort xx
    [Optional] xx corresponds to the IP port number for elasticsearch internal cluster communication (default to 9300)
--elasticsearchDatabase xx
    [Optional] xx corresponds to the absolute file path to the elasticsearch database directory (default: /var/lib/ericsson/log-manager/elasticsearch).

Result: The installation completes and the following message displays:

Log Manager configuration successful
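
A pre-flight check for the certificate pair before it is passed to configure.sh, as an added example that is not part of the MediaKind tooling: it confirms that both files are PEM, that the private key matches the certificate, that the certificate is not close to expiry (which, per the note above, would stop job logs from being collected), and that the key file is not readable by group or others. The function name check_cert_pair, the 30-day default and the permission rule are assumptions of this example; it uses only the openssl command line.

```shell
#!/bin/sh
# Added example, not MediaKind tooling. check_cert_pair is a hypothetical name.
#
# Usage: check_cert_pair CERT_FILE KEY_FILE [MIN_DAYS]
# Return codes:
#   0 pair is usable             4 key unreadable or passphrase-protected
#   2 a file is missing          5 key does not belong to the certificate
#   3 certificate is not PEM     6 certificate expires within MIN_DAYS
#                                7 key file readable by group or others
check_cert_pair() {
    crt=$1
    key=$2
    min_days=${3:-30}    # assumption: warn 30 days ahead unless told otherwise

    if [ ! -r "$crt" ] || [ ! -r "$key" ]; then
        echo "missing or unreadable: $crt / $key" >&2
        return 2
    fi

    # PEM is the default input format of openssl x509, so a DER file or a
    # non-certificate fails here.
    if ! openssl x509 -in "$crt" -noout 2>/dev/null; then
        echo "$crt is not a PEM X.509 certificate" >&2
        return 3
    fi

    # An empty -passin keeps openssl from prompting; an encrypted key then
    # fails instead of hanging an unattended run.
    if ! openssl pkey -in "$key" -passin pass: -noout 2>/dev/null; then
        echo "$key is not a readable, unencrypted PEM private key" >&2
        return 4
    fi

    # The pair matches when both files yield the same public key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout)
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "$key does not match $crt" >&2
        return 5
    fi

    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "$crt expires within $min_days days" >&2
        return 6
    fi

    # Characters 5-10 of the ls mode string are the group and other bits.
    group_other=$(ls -ld "$key" | cut -c5-10)
    if [ "$group_other" != "------" ]; then
        echo "$key is accessible by group or others ($group_other)" >&2
        return 7
    fi

    end_date=$(openssl x509 -in "$crt" -noout -enddate)
    echo "OK: $crt and $key match, valid until ${end_date#notAfter=}"
}

# Run against real files when called with arguments, for example:
#   sh check_cert_pair.sh /etc/ssl/certs/<trustedCertificateName>.crt \
#                         /etc/ssl/certs/<trustedCertificateName>.key 60
if [ "$#" -ge 2 ]; then
    check_cert_pair "$@"
fi
```

The same check applies unchanged to a pair produced by generate_certificate.sh.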

4.2.3 Configure Log Manager with auto-generated certificates


Generate Certificate on the standalone server
Log Manager requires certificates to secure network traffic between your processing server and the Log Manager. Certificates can be generated with the provided script generate_certificate.sh (see below).
MediaKind is not responsible for misuse of self-signed certificates on customers' installations.

RESTRICTION Certificates generated with the provided script “generate_certificate.sh” are self-signed and are created with an expiration date set to "current date + 10 years".

IMPORTANT Expiration of the validity date of a certificate will not block the encoding processes but will prevent job logs from being collected and displayed in the UI.
1. Enter the following command to generate Log Manager self-signed certificates:

# /opt/ericsson/log-manager/setup/generate_certificate.sh --caName <controllerIP1> --output /etc/ssl/certs

Mandatory Parameters

--caName <controllerIP1>
    Value must be controller 1 IP address.
--output /etc/ssl/certs
    corresponds to the directory to store certificates. The default directory is /etc/pki/tls/certs. Use --output /etc/ssl/certs in a standalone deployment mode.
2. Check that the certificates are generated.
Result: Certificates are generated in the folder defined for --output. In this example, /etc/ssl/certs.
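
The check in step 2 can go further than file existence: the script writes the private key to the same directory as the certificates, and an expired certificate silently stops job-log collection. The function below is an added example, not part of the MediaKind tooling; its name and the 30-day default are assumptions, and it relies on the openssl CLI and GNU stat.

```shell
#!/bin/sh
# check_logmanager_cert CERT KEY [DAYS]
# Prints one finding per line; returns 0 when there are none, 1 otherwise.
# Assumes the openssl CLI and GNU stat, as found on a CentOS/RHEL host.
check_logmanager_cert() {
    cert=$1; key=$2; days=${3:-30}; rc=0
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "MISSING $f"; return 1; }
    done
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "INVALID $cert is not a readable X.509 certificate"; return 1; }
    # -checkend exits non-zero when the certificate expires within N seconds.
    # Once it has expired, job logs are no longer collected or displayed.
    if ! openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null; then
        echo "EXPIRING $cert $(openssl x509 -in "$cert" -noout -enddate)"
        rc=1
    fi
    # The certificate and the private key must carry the same public key.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH $key is not the private key of $cert"
        rc=1
    fi
    # The key is stored in the same directory as the certificates, so only
    # its own mode protects it: no group or other permission bits allowed.
    mode=$(stat -c '%a' "$key")
    case $mode in
        0|*00) ;;
        *) echo "PERMS $key has mode $mode, expected 600 or stricter"; rc=1 ;;
    esac
    return "$rc"
}
```

Run it as root against /etc/ssl/certs/<controllerIP1>.crt and /etc/ssl/certs/<controllerIP1>.key, with a DAYS value that matches your renewal lead time.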

Configure Log Manager on the standalone server


Enter the following command:

# /opt/ericsson/log-manager/setup/configure.sh --sslCertificate /etc/ssl/certs/<controllerIP1>.crt --sslPrivateKey /etc/ssl/certs/<controllerIP1>.key

Mandatory

--sslCertificate /etc/ssl/certs/<controllerIP1>.crt   corresponds to the file path to SSL certificate file to import. Example: /etc/ssl/certs/127.0.0.1.crt
--sslPrivateKey /etc/ssl/certs/<controllerIP1>.key    corresponds to the file path to SSL private key file to import. Example: /etc/ssl/certs/127.0.0.1.key

Optional

--serverID xx                   xx corresponds to your Server ID for this server (example: Server_01). The server ID must be unique and is used as the server name in the controller user interface. Value must be --serverID standalone in a standalone deployment mode
--controllerIP x.x.x.x          IP address of the controller (the controller vip address in case of redundant Controller mode, or the controller's management address for non-redundant controller mode).
--controllerPort xx             [Optional] xx corresponds to the port where the API of the Controller is callable (default to 8080)
--syslogPort xx                 [Optional] xx corresponds to the IP port number for TCP server (default to 5140)
--elasticsearchPort xx          [Optional] xx corresponds to the IP port number for elasticsearch REST API (default to 9200)
--elasticsearchClusterPort xx   [Optional] xx corresponds to the IP port number for elasticsearch internal cluster communication (default to 9300)
--elasticsearchPassword xx      xx corresponds to the password to use to request elasticsearch. Must be at least 6 characters
--elasticsearchDatabase xx      [Optional] xx corresponds to the absolute file path to the elasticsearch database directory (default: /var/lib/ericsson/log-manager/elasticsearch).

--localLogManagerIP x.x.x.x     x.x.x.x corresponds to the IP address of this server.
--remoteLogManagerIP x.x.x.x    x.x.x.x corresponds to the IP address of the other server where the log manager is installed.

Result: The following message displays when complete:

log-manager configuration successful



4.2.4 Check the Log Manager deployment on the standalone server


Prerequisites:
You are connected to the MediaKind user interface.
1. Display servers.
2. Check that the following processing types display: Controller, Licensing and Log Manager.

4.3 Deploying MediaKind Encoding On-Demand on your standalone server

Prerequisites: MediaKind Controller is installed on your standalone server.

4.3.1 Install MediaKind Encoding On-Demand on the standalone server


1. Copy Eri-xx-xxxxxx-xx-xx-ericsson-encoding-on-demand-v.x.y.z.el7.x86_64.tar.gz to the standalone
server.
2. Enter the following commands using the parameter --standalone:
IMPORTANT Use the --noSoap80 option if there is no SOAP interface on port 80.

# tar -xvf Eri-xx-xxxxxx-xx-xx-ericsson-encoding-on-demand-v.x.y.z.el7.x86_64.tar.gz


# cd ericsson-encoding-on-demand-v.x.y.z.el7.x86_64
# ./install.sh --standalone

Result: The installation completes and the following message displays:

Installation standalone successful

4.3.2 Configure MediaKind Encoding On-Demand on your standalone server

Enter the following command:

# /opt/ericsson/encoding-on-demand-standalone/setup/configure.sh --logManagerCA /etc/ssl/certs/<controllerIP1>.pem

--logManagerCA /etc/ssl/certs/<controllerIP1>.pem   corresponds to the absolute file path to SSL CA file used to encrypt communications with log-management (.pem file).

Result: The following message displays when complete:

ericsson-encoding-on-demand-standalone-configuration Successful

4.3.3 Check the MediaKind Encoding On-Demand deployment on the standalone server

Prerequisites:
You are connected to the MediaKind user interface.
1. Display servers.
Result: The following processing types display: Controller, Licensing, On-Demand Encoding and
Log Manager
2. Display Services > Add Service > OD Encoding
Result: You are able to create an OD Encoding service. The installation is complete.
3. Display Services and assign the server the service.
5 Post deployment procedures

5.1 Configure mount points


Configure mount points to create access to remote content storage locations. Mount points must be
configured on each Encoding On-Demand processing server.
Mount points must comply with the following criteria:
• They are available at boot time.
• MediaKind Encoding On-Demand accesses input files and output directories as user
ericsson:ericsson. This user must have at least read rights for storage and read, write and execute
rights for output mount points.
• The default group ID is ericsson:ericsson.
For CIFS, authentication is required to access the Remote Server. Use the credentials below:
user=RemoteServerUsername
password=RemoteServerPassword
For NFS shares, the user ericsson should have rights to the share. In some cases, the user ericsson needs to
be added to a specific group to enable access rights on the share.
For example, when MediaKind Encoding On-Demand is driven by the MediaKind CMS, input files and
directories are created by the CMS with the user nobody:nobody. In this case, the user ericsson needs
to be added in the nobody group to grant access to MediaKind Encoding On-Demand. On each server,
execute the following command:

# sudo usermod -aG nobody ericsson


# systemctl restart ericsson-encoding-on-demand-job-daemon

The last command allows the user change to take effect for MediaKind Encoding On-Demand.
1. Open an SSH session as a root user.
2. Enter the following command to create the directory where the remote server location is to be
mounted.
# mkdir -p /opt/mfvp/mnt/LocalDirectory/Storage

3. Set the following user rights:

# chown -R ericsson:ericsson /opt/mfvp/mnt/LocalDirectory/Storage

4. Retrieve the [uid_value] and [gid_value] of the ericsson user with the following command:

# id ericsson

5. Mount the remote server on the newly created local directory by editing the file /etc/fstab
# vi /etc/fstab

6. Append the line as seen below in the fstab file.

Example context using CIFS mount points:

//RemoteServer/Storage /opt/mfvp/mnt/LocalDirectory/Storage cifs sec=ntlm,defaults,rw,uid=[uid_value],gid=[gid_value],user=RemoteServerUsername,password=RemoteServerPassword 0 0

TIP We use CIFS in this example. If you are using a different protocol, see the Linux mount
manuals (online resources) for fstab.
The entry mounts a CIFS directory located on //RemoteServer/Storage. RemoteServer can be either
the IP address or the name of the server used for the remote storage.

Example context using NFS mount points:

RemoteServer:/Storage /opt/mfvp/mnt/LocalDirectory/Storage nfs defaults,user,auto,intr 0 0

Codes and commands                     Description

//RemoteServer/Storage                 Remote server to mount to a local directory
/opt/mfvp/mnt/LocalDirectory/Storage   Local location where access to the remote server is mounted
defaults                               a common option including the auto mount at boot time
rw                                     gives read write access
ro                                     gives read only access
uid                                    specifies that this mount point is owned by ericsson user
gid                                    specifies that this mount point is owned by ericsson group
user                                   specifies the user credential needed to access the Remote Server
password                               specifies the password credentials needed for the user to access the Remote Server

7. Manually mount the Remote Server to the local directory:


# mount -a

8. Use the command lines (#) below to test the mount point by creating a mount.test file in
/opt/mfvp/mnt/LocalDirectory/Storage.
# cd /opt/mfvp/mnt/LocalDirectory/Storage

# su -c 'touch mount.test' ericsson

# ls /opt/mfvp/mnt/LocalDirectory/Storage

9. Return to the application and create a job using settings for either option 1 or option 2.
Option 1: using remote location (URL beginning with file://)

a. Input: file://RemoteServer/Storage/CustomInputFileName.ts
b. Output: file://RemoteServer/Storage
Option 2: Using local directory (URL beginning with file:///)

a. Input: file:///opt/mfvp/mnt/LocalDirectory/Storage/CustomInputFileName.ts
b. Output: file:///opt/mfvp/mnt/LocalDirectory/Storage
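
/etc/fstab is normally world-readable, so the CIFS entry from step 6 exposes RemoteServerPassword to every local account; mount.cifs can instead read the account from a root-only file through its credentials= option. The following added example (not part of the MediaKind procedure) audits an fstab for inline passwords and for sec=ntlm and prints the rewritten entry. The function names, the uid/gid value 1001, the NfsStorage directory and the /root/.cifs-credentials path are assumptions.

```shell
#!/bin/sh
# Constructed sample: the CIFS and NFS entries from step 6 with uid/gid 1001
# filled in (assumed values) and a second local directory for the NFS share.
sample_fstab() {
    cat <<'EOF'
# /etc/fstab (constructed sample)
//RemoteServer/Storage /opt/mfvp/mnt/LocalDirectory/Storage cifs sec=ntlm,defaults,rw,uid=1001,gid=1001,user=RemoteServerUsername,password=RemoteServerPassword 0 0
RemoteServer:/Storage /opt/mfvp/mnt/LocalDirectory/NfsStorage nfs defaults,user,auto,intr 0 0
EOF
}

# audit_cifs_fstab FSTAB [CREDFILE]
# Flags CIFS entries that carry a password or sec=ntlm, and prints the same
# entry rewritten to read the account from CREDFILE via credentials=.
# CREDFILE (hypothetical path, mode 0600, owner root) holds two lines:
#   username=RemoteServerUsername
#   password=RemoteServerPassword
# Returns 1 when at least one finding was printed, 0 otherwise.
audit_cifs_fstab() {
    awk -v cred="${2:-/root/.cifs-credentials}" '
    /^[ \t]*#/ || NF < 4 || $3 != "cifs" { next }
    {
        n = split($4, opt, ","); keep = ""; inline = 0; ntlm = 0
        for (i = 1; i <= n; i++) {
            if (opt[i] ~ /^(password|pass)=/) { inline = 1; continue }
            if (opt[i] ~ /^(user|username)=/) continue
            if (opt[i] == "sec=ntlm") ntlm = 1
            keep = keep (keep == "" ? "" : ",") opt[i]
        }
        keep = keep (keep == "" ? "" : ",") "credentials=" cred
        if (inline) {
            printf "INLINE_PASSWORD line %d: %s\n", NR, $2
            printf "SUGGEST %s %s cifs %s %s %s\n", $1, $2, keep, $5, $6
        }
        if (ntlm) printf "WEAK_SEC line %d: sec=ntlm selects NTLM (v1) password hashing\n", NR
        if (inline || ntlm) found = 1
    }
    END { exit (found ? 1 : 0) }' "$1"
}
```

Which sec= value to use in place of ntlm depends on what the remote server accepts; the SUGGEST line leaves that option unchanged.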

5.2 Allow LDAP users to access Controller user interface


By default, accessing the Controller user interface is restricted to people that have a user account
defined through the MediaKind system center. You can also configure the user access by retrieving user
credentials from an existing LDAP server directory.
To allow LDAP users to access Controller, follow these steps:
1. Open an SSH session as a root user.
2. Open the /opt/ericsson/unified-ui/etc/unified-ui.ini file on Controller1.
3. In the LDAP section, edit the LDAP information:

[ldap]
server_uri = ldap://fr-my.companydomain.com:389
bind_dn = CN=apache,OU=COM,OU=Sites,DC=companydomain,DC=com
bind_pwd = ********
search_dn = OU=COM,OU=Sites,DC=companydomain,DC=com
username_field = sAMAccountName
firstname_field = givenName
lastname_field = sn
start_tls = False
ca_certificate_file = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
cipher_suite = kEECDH+aECDSA+AES:kEECDH+AES+aRSA:kEDH+aRSA+AES:-SSLv2:-SSLv3:-TLSv1:-TLSv1.1

server_uri            Address of the LDAP server to communicate with
bind_dn               Distinguished name to use when binding to the LDAP server; leave empty (default) for an anonymous bind
bind_pwd              Password to use for binding with protected binding; leave empty (default) for anonymous binding
search_dn             DN to use when binding to the server in order to perform searches. Leave empty for anonymous binding
username_field        Name of the field to use in the LDAP search, for username matching (against LDAP attributes)
firstname_field       Name of the field (from LDAP attributes) holding the user’s first name
lastname_field        Name of the field (from LDAP attributes) holding the user’s last name

                      NOTE: firstname_field & lastname_field shall be used together, or they will be ignored.
                      firstname_field & lastname_field can be used to retrieve the user’s full name. This will
                      then be displayed instead of the username once the user is logged in.

start_tls             Set to True to enable encrypted communication by sending a “Start TLS” command to the LDAP server
ca_certificate_file   Location of the CA certificate file used to verify the LDAP server’s certificate when using TLS or LDAPS
cipher_suite          OpenSSL-format string defining the list of ciphers to use for TLS communication

Specific recommendations if using secure LDAP:


• The address/hostname specified in server_uri must match the one present in the LDAP server’s
SSL certificate.
• ca_certificate_file should normally be the central OS trust store at
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
• Use of the ldaps://<ip address>:636 URI format for an old-style SSL connection is supported, but
deprecated and not recommended.
• Instead, it is preferred to combine an ldap://<ip address>:389 format URI with the start_tls flag set
to True for modern TLS communication.
• start_tls must not be enabled if using a legacy ldaps://<ip address>:636 URI, or the LDAP server will
return an error when you attempt to authenticate.

4. Install a CA certificate on the controller.


NOTE This procedure is mandatory if your LDAP server’s certificate is not signed by a well-
known CA that can be trusted by the controller.

a. Copy the CA certificate to /etc/pki/ca-trust/source/anchors/


b. Run the following command:

# update-ca-trust extract

5. Repeat on Controller2 (in high availability deployment modes).


6. Restart Controller user interface:

# systemctl restart ericsson-unified-ui
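
The secure-LDAP recommendations from step 3 can be checked mechanically before the restart. This added example (not MediaKind code) lints the [ldap] section of a unified-ui.ini style file; the function names and finding labels are assumptions, and the sample is abridged from the example in step 3.

```shell
#!/bin/sh
# Constructed sample, abridged from the [ldap] example in step 3.
sample_ldap_ini() {
    cat <<'EOF'
[ldap]
server_uri = ldap://fr-my.companydomain.com:389
bind_dn = CN=apache,OU=COM,OU=Sites,DC=companydomain,DC=com
bind_pwd = ********
start_tls = False
ca_certificate_file = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
EOF
}

# lint_ldap_ini FILE
# Checks the [ldap] section against the secure-LDAP recommendations on this
# page. Prints one finding per line; returns 1 if there is any, else 0.
lint_ldap_ini() {
    awk -v store=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/   { in_ldap = ($0 ~ /^[ \t]*\[ldap\]/); next }
    in_ldap && (eq = index($0, "=")) {
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)        # bind_dn values contain "=" themselves
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        cfg[key] = val
    }
    END {
        ldaps = (cfg["server_uri"] ~ /^ldaps:\/\//)
        tls = (tolower(cfg["start_tls"]) == "true")
        if (ldaps && tls)
            f[++n] = "CONFLICT start_tls = True with an ldaps:// URI: the server returns an error on authentication"
        else if (ldaps)
            f[++n] = "DEPRECATED ldaps:// URI: prefer ldap://<host>:389 with start_tls = True"
        else if (!tls)
            f[++n] = "CLEARTEXT start_tls is not True: binds, including bind_pwd, are sent unencrypted"
        if ((ldaps || tls) && cfg["ca_certificate_file"] != store)
            f[++n] = "CA_FILE ca_certificate_file is not the central OS trust store " store
        for (i = 1; i <= n; i++) print f[i]
        exit (n ? 1 : 0)
    }' "$1"
}
```

On the controller, run lint_ldap_ini /opt/ericsson/unified-ui/etc/unified-ui.ini; the sample as printed on this page yields the CLEARTEXT finding because start_tls is False.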



5.3 Install Security Package


To improve the security level of your equipment, we provide a security update package. To install it, refer
to the Centos/Security update package Installation Guide.
NOTE Security update package is already installed on MediaKind appliances.
