
Preface

This article came about because of a requirement to install Juniper NSM (Network and Security Manager) on CentOS.



Lab Environment

  • CentOS 6.5 (32bit)
  • nsm2012.2R7-systemupdate-linux.zip
  • nsm2012.2R7_servers_linux_x86.zip
  • nsm2012.2R7_ui_win_x86.zip



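Installation and Configuration

Step 1. CentOS initialization

After installing CentOS 6.5, I habitually carry out the usual initialization tasks, such as disabling unnecessary services. For details, see the article on this site: CentOS 5.x - Initial Environment Setup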



Step 2. Install nsm2012.2R7-systemupdate-linux.zip

Extract the NSM zip file from the command line.
# unzip nsm2012.2R7-systemupdate-linux.zip
Archive:  nsm2012.2R7-systemupdate-linux.zip
  inflating: nsm2012.2R7-systemupdate-linuxES_4.tar
  inflating: nsm2012.2R7-systemupdate-linuxES_5.tar
  inflating: nsm2012.2R7-systemupdate-linuxES_6.tar

Because this lab environment uses CentOS 6.5, next extract the "nsm2012.2R7-systemupdate-linuxES_6.tar" archive.
# tar -xvf nsm2012.2R7-systemupdate-linuxES_6.tar
es6/
es6/libstdc++-libc6.1-1.so.2
es6/xorg-x11-proto-devel-7.6-13.el6.noarch.rpm
es6/README.txt
es6/xorg-x11-xtrans-devel-1.2.7-2.el6.noarch.rpm
es6/xorg-x11-xfs-1.0.5-7.el6.i686.rpm
es6/xorg-x11-font-utils-7.2-10.el6.i686.rpm
es6/desktop-file-utils-0.15-9.el6.i686.rpm
es6/switchdesk-4.0.8-6.noarch.rpm
es6/xorg-x11-server-Xvfb-1.10.4-6.el6.i686.rpm
es6/selinux-policy-3.7.19-231.el6.noarch.rpm
es6/fontconfig-2.8.0-3.el6.i686.rpm
es6/ttmkfdir-3.0.9-32.1.el6.i686.rpm
es6/xorg-x11-server-Xnest-1.10.4-6.el6.i686.rpm
es6/chkfontpath-1.10.1-2.el6.i686.rpm
es6/zlib-devel-1.2.3-29.el6.i686.rpm
es6/xorg-x11-xinit-1.0.9-13.el6.i686.rpm
es6/libXdmcp-1.0.3-1.el6.i686.rpm
es6/postgresql84-devel-8.4.17-1PGDG.rhel6.i686.rpm
es6/compat-libstdc++-296-2.96-144.el6.i686.rpm
es6/sharutils-4.7-6.1.el6.i686.rpm
es6/postgresql84-libs-8.4.17-1PGDG.rhel6.i686.rpm
es6/gmp-4.3.1-7.el6.i686.rpm
es6/compat-libstdc++-33-3.2.3-69.el6.i686.rpm
es6/freetype-devel-2.3.11-14.el6_3.1.i686.rpm
es6/xorg-x11-server-Xdmx-1.10.4-6.el6.i686.rpm
es6/postgresql84-8.4.17-1PGDG.rhel6.i686.rpm
es6/xorg-x11-fonts-100dpi-7.2-9.1.el6.noarch.rpm
es6/selinux-policy-targeted-3.7.19-231.el6.noarch.rpm
es6/xorg-x11-xauth-1.0.2-7.1.el6.i686.rpm
es6/pkgconfig-0.23-9.1.el6.i686.rpm
es6/mesa-libGLU-8.0.4-1.el6.i686.rpm
es6/postgresql84-server-8.4.17-1PGDG.rhel6.i686.rpm
es6/rhes6.sh
es6/mesa-libGL-8.0.4-1.el6.i686.rpm
es6/xorg-x11-fonts-75dpi-7.2-9.1.el6.noarch.rpm
es6/xorg-x11-server-Xorg-1.10.4-6.el6.i686.rpm



Change into the newly extracted "es6" directory and run "rhes6.sh" to start the installation.
# cd es6
# ./rhes6.sh
WARNING: This system update comes with an updated ProstgreSql database
packages, which requires a PostgreSql Database backup to be taken.
Without backup and restore the postgreSql data (application profiler data) will be lost
Do you want to take backup of the existing NSM PostgreSql database : [Y]/N ?N
########## PERFORMING SYSTEM UPDATE TASKS ##########
CentOS release 6.5 (Final)
warning: chkfontpath-1.10.1-2.el6.i686.rpm: Header V4 DSA/SHA1 Signature, key ID 66534c2b: NOKEY
warning: compat-libstdc++-296-2.96-144.el6.i686.rpm: Header V4 DSA/SHA1 Signature, key ID 192a7d7d: NOKEY
warning: compat-libstdc++-33-3.2.3-69.el6.i686.rpm: Header V3 DSA/SHA1 Signature, key ID 1d1e034b: NOKEY
warning: desktop-file-utils-0.15-9.el6.i686.rpm: Header V3 RSA/SHA256 Signature, key ID c105b9de: NOKEY
warning: mesa-libGL-8.0.4-1.el6.i686.rpm: Header V4 DSA/SHA1 Signature, key ID 0b40f7fd: NOKEY
warning: postgresql84-8.4.17-1PGDG.rhel6.i686.rpm: Header V4 DSA/SHA1 Signature, key ID 442df0f8: NOKEY
warning: switchdesk-4.0.8-6.noarch.rpm: Header V3 DSA/SHA1 Signature, key ID 37017186: NOKEY
warning: xorg-x11-proto-devel-7.6-13.el6.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Preparing...                ########################################### [100%]
   1:pkgconfig              ########################################### [  3%]
   2:libXdmcp               ########################################### [  6%]
   3:xorg-x11-font-utils    ########################################### [  9%]
   4:postgresql84-libs      ########################################### [ 12%]
   5:zlib-devel             ########################################### [ 15%]
   6:selinux-policy         ########################################### [ 18%]
   7:postgresql84           ########################################### [ 21%]
   8:xorg-x11-xauth         ########################################### [ 24%]
   9:ttmkfdir               ########################################### [ 27%]
  10:mesa-libGL             ########################################### [ 30%]
  11:fontconfig             ########################################### [ 33%]
  12:selinux-policy-targeted########################################### [ 36%]
  13:freetype-devel         ########################################### [ 39%]
  14:xorg-x11-fonts-100dpi  ########################################### [ 42%]
  15:xorg-x11-fonts-75dpi   ########################################### [ 45%]
  16:xorg-x11-proto-devel   ########################################### [ 48%]
  17:xorg-x11-xtrans-devel  ########################################### [ 52%]
  18:switchdesk             ########################################### [ 55%]
  19:xorg-x11-xfs           ########################################### [ 58%]
  20:chkfontpath            ########################################### [ 61%]
  21:mesa-libGLU            ########################################### [ 64%]
  22:xorg-x11-xinit         ########################################### [ 67%]
  23:postgresql84-devel     ########################################### [ 70%]
  24:postgresql84-server    ########################################### [ 73%]
  25:xorg-x11-server-Xdmx   ########################################### [ 76%]
  26:xorg-x11-server-Xnest  ########################################### [ 79%]
  27:xorg-x11-server-Xorg   ########################################### [ 82%]
  28:xorg-x11-server-Xvfb   ########################################### [ 85%]
  29:sharutils              ########################################### [ 88%]
  30:gmp                    ########################################### [ 91%]
  31:desktop-file-utils     ########################################### [ 94%]
  32:compat-libstdc++-33    ########################################### [ 97%]
  33:compat-libstdc++-296   ########################################### [100%]



Step 3. Install nsm2012.2R7_servers_linux_x86.zip

In the same way, unzip the archive and run the installer.
# unzip nsm2012.2R7_servers_linux_x86.zip
Archive:  nsm2012.2R7_servers_linux_x86.zip
  inflating: nsm2012.2R7_servers_linux_x86.sh
# chmod 755 nsm2012.2R7_servers_linux_x86.sh
# ./nsm2012.2R7_servers_linux_x86.sh
########## PERFORMING PRE-INSTALLATION TASKS ##########
Creating staging directory...ok
Running preinstallcheck...
Checking if platform is valid...............................ok
Checking for correct intended platform......................ok
Checking for CPU architecture...............................ok
Checking if all needed binaries are present.................ok
Checking for platform-specific binaries.....................ok
Checking for platform-specific packages.....................Failed
CentOS Version is not supported.
Removing staging directory..................................ok


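Juniper NSM is natively installed on RHEL, whereas this lab environment uses CentOS. So back up the "/etc/redhat-release" file, then change its contents to the RHEL release string to fool the NSM installer.
# cat /etc/redhat-release   // before the change
CentOS release 6.5 (Final)
# cat /etc/redhat-release  // after the change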
Red Hat Enterprise Linux Server release 6.5 (Santiago)

Once the change is made, run the installer again.
# ./nsm2012.2R7_servers_linux_x86.sh
########## PERFORMING PRE-INSTALLATION TASKS ##########
Creating staging directory...ok
Running preinstallcheck...
Checking if platform is valid...............................ok
Checking for correct intended platform......................ok
Checking for CPU architecture...............................ok
Checking if all needed binaries are present.................ok
Checking for platform-specific binaries.....................ok
Checking for platform-specific packages.....................ok
Checking in System File for PostgreSQL and XDB parameters...ok
WARNING:
Please make sure the following lines are present in the /etc/sysctl.conf file.
kernel.shmmax= 402653184
The install will exit if they aren't present. Please Reboot the system before continuing
Checking for PostgreSQL.....................................ok
Checking if user is root....................................ok
Checking if user nsm exists.................................Adding
Changing password for user nsm.
New password:   // press Ctrl + C here to abort
Removing staging directory..................................ok


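During the installation the installer explicitly reminds you to set the "kernel.shmmax" parameter in "/etc/sysctl.conf" to "402653184", so change the parameter value and then run the installer again.
# grep kernel.shmmax /etc/sysctl.conf   // before the change
kernel.shmmax = 4294967295
# grep kernel.shmmax /etc/sysctl.conf  // after the change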
kernel.shmmax = 402653184
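
The article shows both files before and after the change but not the edits themselves. The script below is an added example, not part of the original article or of the NSM installer: it makes the two edits from step 3 repeatable and reversible. The function names, the ".orig" backup suffix and the restore step are assumptions of this example.

```shell
#!/bin/sh
# Added example: the two file edits from step 3, parameterised by path so they
# can be tried on copies before touching /etc. Function names are hypothetical.

RHEL_STRING='Red Hat Enterprise Linux Server release 6.5 (Santiago)'

# Back up the release file once (an existing backup is never overwritten, so
# the original CentOS string survives repeated runs), then write the RHEL string.
spoof_release() {
    f=$1
    [ -f "$f.orig" ] || cp -p "$f" "$f.orig" || return 1
    printf '%s\n' "$RHEL_STRING" > "$f"
}

# Put the original release string back. Assumption of this example: the
# article backs the file up but does not say when to restore it.
restore_release() {
    f=$1
    [ -f "$f.orig" ] && mv "$f.orig" "$f"
}

# Set kernel.shmmax in a sysctl.conf-style file: rewrite the existing line,
# or append one if the key is absent. Other lines are left untouched.
set_shmmax() {
    f=$1 value=$2
    if grep -q '^[[:space:]]*kernel\.shmmax[[:space:]]*=' "$f"; then
        sed -i "s/^[[:space:]]*kernel\.shmmax[[:space:]]*=.*/kernel.shmmax = $value/" "$f"
    else
        printf 'kernel.shmmax = %s\n' "$value" >> "$f"
    fi
}

# On the real host (as root):
#   spoof_release /etc/redhat-release
#   set_shmmax /etc/sysctl.conf 402653184 && sysctl -p
#   ./nsm2012.2R7_servers_linux_x86.sh
#   restore_release /etc/redhat-release
```
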


Next, accept the default for most of the prompts.
# ./nsm2012.2R7_servers_linux_x86.sh
########## PERFORMING PRE-INSTALLATION TASKS ##########
Creating staging directory...ok
Running preinstallcheck...
Checking if platform is valid...............................ok
Checking for correct intended platform......................ok
Checking for CPU architecture...............................ok
Checking if all needed binaries are present.................ok
Checking for platform-specific binaries.....................ok
Checking for platform-specific packages.....................ok
Checking in System File for PostgreSQL and XDB parameters...ok
WARNING:
Please make sure the following lines are present in the /etc/sysctl.conf file.
kernel.shmmax= 402653184
The install will exit if they aren't present. Please Reboot the system before continuing
Checking for PostgreSQL.....................................ok
Checking if user is root....................................ok
Checking if user nsm exists.................................ok
Checking if iptables is running.............................ok
Checking if system meets RAM requirement....................ok
Checking for sufficient disk space..........................ok
Noting OS name..............................................ok
Stopping any running servers
########## EXTRACTING PAYLOADS ##########
Extracting and decompressing payload........................ok
Extracting license manager package..........................ok
########## GATHERING INFORMATION ##########
1) Install Device Server only
2) Install GUI Server only
3) Install both Device Server and GUI Server
Enter selection (1-3) []> 3

Do you want to do NSM installation with base license? (y/n) [y]>
Enter base directory location for management servers [/usr/netscreen]>
Enable FIPS Support? (y/n) [n]>
Select Device Schema to be loaded in NSM
 1) Load all Device Family Schemas
 2) Load Screen OS Device Schema only (Screen OS)
 3) Load Screen OS and J/SRX Devices Schema only (Screen OS + J/SRX Series)
Enter selection (1-3)[1]>
########## GENERAL SERVER SETUP DETAILS ##########
Will this machine participate in an HA cluster? (y/n) [n]>
########## DEVICE SERVER SETUP DETAILS ##########
The Device Server stores all of the user data under a single directory.
By default, this directory is /var/netscreen/DevSvr. Because
the user data (including logs and policies) can grow to be quite
large, it is sometimes desirable to place this data in another
partition.
Please enter an alternative location for this data if
so desired, or press ENTER for the location specified in the
brackets.
Enter data directory location [/var/netscreen/DevSvr]>
########## GUI SERVER SETUP DETAILS ##########
The GUI Server stores all of the user data under a single directory.
By default, this directory is /var/netscreen/GuiSvr. Because
the user data (including database data and policies) can grow to be quite
large, it is sometimes desirable to place this data in another
partition.
Please enter an alternative location for this data if
so desired, or press ENTER for the location specified in the
brackets.
Enter data directory location [/var/netscreen/GuiSvr]>
The GUI Server stores all of the database logs under a single directory.
By default, this directory is /var/netscreen/GuiSvr/xdb/log. Because
the database log can grow to be quite
large, it is sometimes desirable to place this log in another
partition.
Please enter an alternative location for this log if
so desired, or press ENTER for the location specified in the
brackets.
Enter database log directory location [/var/netscreen/GuiSvr/xdb/log]>
Enter the management IP address of this server [192.168.10.62]>
Enter the https port for NBI service [8443]>
Setting GUI Server address and port to 192.168.10.62:7801 for Device Server
Please enter a password for the 'super' user
Enter password (password will not display as you type)>
Please enter again for verification
Enter password (password will not display as you type)>
Enter the one-time password for this Gui Server
Enter password (password will not display as you type)>
Please enter again for verification
Enter password (password will not display as you type)>
Will a Statistical Report Server be used with this GUI Server? (y/n) [n]>
==> CFM user is set to 'cfmuser'
CFM password for user 'cfmuser'
Enter password (password will not display as you type)>
Please enter again for verification
Enter password (password will not display as you type)>
Enter the same password again for CFM user
Changing password for user cfmuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
########## HIGH AVAILABILITY (HA) SETUP DETAILS ##########
Will server processes need to be restarted automatically in case of a failure? (y/n) [y]>
########## BACKUP SETUP DETAILS ##########
Will this machine require local database backups? (y/n) [y]>
Enter hour of day to start the database backup (00 = midnight, 02 = 2am, 14 = 2pm ...)[02]>
Will daily backups need to be sent to a remote machine? (y/n) [n]>
Enter number of database backups to keep [7]>
Enter the rsync backup timeout [3600]>
Enter database backup directory [/var/netscreen/dbbackup]>
########## DEVSVR DB SETUP DETAILS ##########
Enter Postgres DevSvr Db port [5432]>
Enter Postgres DevSvr Db super user [nsm]>
Enter Postgres DevSvr Db password for user 'nsm'
Enter password (password will not display as you type)>
Password is too short, minimum length is 8 characters.
Enter Postgres DevSvr Db password for user 'nsm'
Enter password (password will not display as you type)>
Please enter again for verification
Enter password (password will not display as you type)>
########## POST-INSTALLATION OPTIONS ##########
Start server(s) when finished? (y/n) []> y
########## CONFIRMATION ##########
About to proceed with the following actions:
- Install Device Server
- Install GUI Server
- Install High Availability Server
- This machine will have base license with maximum 25 devices
- Store base directory for management servers as /usr/netscreen
- All Device Families Schemas Load
- This machine does not participate in an HA cluster
- Store Device Server data in /var/netscreen/DevSvr
- Store GUI Server data in /var/netscreen/GuiSvr
- Store GUI Server database log in /var/netscreen/GuiSvr/xdb/log
- Use IP address 192.168.10.62 for management
- Use port 8443 for NBI Service
- Connect to GUI Server at 192.168.10.62:7801
- Set password for 'super' user
- CFM user: cfmuser
- CFM Password set for 'cfmuser'
- Servers will be restarted automatically in case of a failure
- Local database backups are enabled
- Start backups at 02
- Daily backups will not be sent to a remote machine
- Number of database backups to keep: 7
- HA rsync command backup timeout: 3600
- Create database backup in /var/netscreen/dbbackup
- Postgres DevSvr Db Server port: 5432
- Postgres DevSvr Db super user: nsm
- Postgres DevSvr Db password set for 'nsm'
- Start server(s) when finished: Yes
Are the above actions correct? (y/n)> y
########## PERFORMING INSTALLATION TASKS ##########
----- INSTALLING Device Server -----
Looking for existing RPM package............................ok
Removing DevSvr files from default location.................ok
Installing Device Server RPM................................ok
Installing JRE..............................................ok
Installing GCC..............................................ok
Creating var directory......................................ok
Creating /var/netscreen/dbbackup............................ok
Putting NSROOT into start scripts...........................ok
Filling in Device Server config file(s).....................ok
Setting permissions for Device Server.......................ok
----- Setting up PostgreSQL for DevSvr -----
Setting up PostgreSQL for DevSvr............................ok
Installation of Device Server complete.
----- INSTALLING GUI Server -----
Looking for existing RPM package............................ok
Removing GuiSvr files from default location.................ok
Installing GUI Server RPM...................................ok
Installing JRE..............................................ok
Installing GCC..............................................ok
Creating var directory......................................ok
Putting NSROOT into start scripts...........................ok
Filling in GUI Server config file(s)........................ok
Setting permissions for GUI Server..........................ok
Running generateMPK utility.................................ok
Running fingerprintMPK utility..............................ok
Installation of GUI Server complete.
----- INSTALLING HA Server -----
Looking for existing RPM package............................ok
Removing HaSvr files from default location..................ok
Installing HA Server RPM....................................ok
Creating var directory......................................ok
Putting NSROOT into start scripts...........................ok
Filling in HA Server config file(s).........................ok
Setting permissions for HA Server...........................ok
Installation of HA Server complete.
----- SETTING START SCRIPTS -----
Enabling Device Server start script.........................ok
Enabling GUI Server start script............................ok
Enabling HA Server start script.............................ok
########## PERFORMING POST-INSTALLATION TASKS ##########
Running nacnCertGeneration..................................ok
Running idpCertGeneration...................................ok
Converting GuiSvr SetDB to XDB .............................ok
Loading GuiSvr XDB data from init files ....................ok
Running webproxy Cert Generation............................ok
Removing staging directory..................................ok
Starting GUI Server.........................................ok
Starting Device Server......................................ok
Starting HA Server..........................................ok
NOTES:
- Installation log is stored in /usr/netscreen/DevSvr/var/errorLog/netmgtInstallLog.20140610145354
- Please note that TCP port 7808 is being used for server-UI communication
- This is the GUI Server fingerprint:
  72:C3:95:C8:6E:F2:2C:9E:FB:F7:7F:3F:BB:C5:A1:D6:16:D6:2E:54
  You will need this for verification purposes when logging into the GUI
  Server. Please make a note of it.




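Step 4. Check the listening ports

Before Juniper NSM was installed, the CentOS host had been tuned to listen only on port 22; after the installation a number of additional listening ports appear.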
# netstat -tunpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address              Foreign Address  State       PID/Program name
tcp        0      0 0.0.0.0:7808               0.0.0.0:*        LISTEN      28605/.guiSvrManage
tcp        0      0 0.0.0.0:5005               0.0.0.0:*        LISTEN      28605/.guiSvrManage
tcp        0      0 0.0.0.0:6991               0.0.0.0:*        LISTEN      28503/Xvfb
tcp        0      0 0.0.0.0:22                 0.0.0.0:*        LISTEN      1740/sshd
tcp        0      0 0.0.0.0:7800               0.0.0.0:*        LISTEN      30039/.devSvrManage
tcp        0      0 127.0.0.1:5432             0.0.0.0:*        LISTEN      29843/postgres
tcp        0      0 0.0.0.0:7801               0.0.0.0:*        LISTEN      28605/.guiSvrManage
tcp        0      0 0.0.0.0:7803               0.0.0.0:*        LISTEN      30039/.devSvrManage
tcp        0      0 0.0.0.0:7804               0.0.0.0:*        LISTEN      30039/.devSvrManage
tcp        0      0 ::ffff:127.0.0.1:8005      :::*             LISTEN      29555/java
tcp        0      0 :::15400                   :::*             LISTEN      30371/java
tcp        0      0 ::ffff:127.0.0.1:8009      :::*             LISTEN      29555/java
tcp        0      0 :::6991                    :::*             LISTEN      28503/Xvfb
tcp        0      0 :::22                      :::*             LISTEN      1740/sshd
tcp        0      0 ::ffff:192.168.10.62:8443  :::*             LISTEN      29555/java
udp        0      0 0.0.0.0:631                0.0.0.0:*                    1521/portreserve
udp        0      0 :::69                      :::*                         31231/java
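
The comparison described in this step can be made mechanical. The script below is an added example, not part of the original article or of NSM: it parses `netstat -tunpl` output, separates loopback-only listeners from those reachable over the network, and reports every exposed listener that is not in a pre-install baseline. The function names and the baseline format ("proto/port" pairs) are assumptions of this example; the sample input is the table shown above.

```shell
#!/bin/sh
# Sample input: the listener table from step 4 of the article.
sample_netstat() {
cat <<'EOF'
tcp        0      0 0.0.0.0:7808               0.0.0.0:*        LISTEN      28605/.guiSvrManage
tcp        0      0 0.0.0.0:5005               0.0.0.0:*        LISTEN      28605/.guiSvrManage
tcp        0      0 0.0.0.0:6991               0.0.0.0:*        LISTEN      28503/Xvfb
tcp        0      0 0.0.0.0:22                 0.0.0.0:*        LISTEN      1740/sshd
tcp        0      0 0.0.0.0:7800               0.0.0.0:*        LISTEN      30039/.devSvrManage
tcp        0      0 127.0.0.1:5432             0.0.0.0:*        LISTEN      29843/postgres
tcp        0      0 0.0.0.0:7801               0.0.0.0:*        LISTEN      28605/.guiSvrManage
tcp        0      0 0.0.0.0:7803               0.0.0.0:*        LISTEN      30039/.devSvrManage
tcp        0      0 0.0.0.0:7804               0.0.0.0:*        LISTEN      30039/.devSvrManage
tcp        0      0 ::ffff:127.0.0.1:8005      :::*             LISTEN      29555/java
tcp        0      0 :::15400                   :::*             LISTEN      30371/java
tcp        0      0 ::ffff:127.0.0.1:8009      :::*             LISTEN      29555/java
tcp        0      0 :::6991                    :::*             LISTEN      28503/Xvfb
tcp        0      0 :::22                      :::*             LISTEN      1740/sshd
tcp        0      0 ::ffff:192.168.10.62:8443  :::*             LISTEN      29555/java
udp        0      0 0.0.0.0:631                0.0.0.0:*                    1521/portreserve
udp        0      0 :::69                      :::*                         31231/java
EOF
}

# Reduce netstat output on stdin to unique "proto/port scope program" lines.
# scope is "loopback" for listeners bound to a loopback address only,
# "exposed" for everything else (wildcard or a routable address).
list_listeners() {
    awk '$1 ~ /^(tcp|udp)/ {
        port = $4; sub(/.*:/, "", port)          # text after the last colon
        host = $4; sub(/:[^:]*$/, "", host)      # text before the last colon
        scope = "exposed"
        if (host == "127.0.0.1" || host == "::1" || host == "::ffff:127.0.0.1")
            scope = "loopback"
        prog = $NF; sub(/^[0-9]+\//, "", prog)   # drop the PID from PID/Program
        print $1 "/" port, scope, prog
    }' | sort -u
}

# Print exposed listeners that are not in the baseline.
# $1: space-separated proto/port pairs that were open before the install.
new_exposed() {
    list_listeners | awk -v base="$1" '
        BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        $2 == "exposed" && !($1 in ok)'
}

# Baseline from the article: only SSH was listening before NSM was installed.
# On a live host: netstat -tunpl | new_exposed "tcp/22"
sample_netstat | new_exposed "tcp/22"
```

Each line of the result is a candidate for an iptables rule restricting the source addresses allowed to reach it, or for a closer look at why the service is listening at all.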





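Step 5. Connect to the management interface with the NSM Client

With the Juniper NSM Server installed on the CentOS host, install the NSM Client (nsm2012.2R7_ui_win_x86.zip) on the Windows side and launch it once installation completes. The default administrator account is "Super", and the password is the one the installer asked you to set earlier. The CentOS host's IP address in this setup is "192.168.10.62"; enter this information and you can log in to the NSM management interface.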



