0% found this document useful (0 votes)

96 views572 pages

ENC Administrator Manual

Uploaded by

Slimani Azzeddine

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

96 views572 pages

ENC Administrator Manual

Uploaded by

Slimani Azzeddine

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 572

Administrator Manual

Ensemble Controller

Product Release: 15.3

Document Issue: A
Document Number: 80000075300
Product Release: 20.1.1
Product Release: 20.1.1
Document Issue: ADocument Issue: A
Document Number: 80000065616
Document Number: 80000065616
Copyright © 2001-2024 Adtran Networks SE. All rights reserved.
Adtran Holdings, Inc.
901 Explorer Blvd.
Huntsville, AL 35806
USA
Adtran Networks SE, formerly known as ADVA Optical Networking SE (an Adtran company)
Campus Martinsried
Fraunhoferstrasse 9a
82152 Martinsried/Munich
Germany
Terms of Use (“Terms”):
Acceptance of Terms
By using this content, including without limitation any services, portals, webpages, manuals, documentation and
any other information provided herein (hereinafter referred to as “Content” and/or “Service”), you assent to the
following terms of use. If you do not agree to these terms, please do not use this Content.
If you are using this Content on behalf of your employer/hirer/contractor, you represent and warrant that you are
authorized to accept these Terms on your employer's/hirer’s/contractor’s behalf.
Use of the Content and Service
You agree not to access the Content by any means other than through the interface that is provided by Adtran
Networks SE. Adtran Networks SE, formerly known as ADVA Optical Networking SE, includes its affiliates and
successors (“Adtran”). You will not use the Service for any purpose that is unlawful or prohibited by these Terms.
You may not use the Service in any manner that could damage, disable, overburden, impair, or otherwise result in
unauthorized access to or interference with, the proper functioning of any Content, accounts, systems, networks
of Adtran or its licensor(s).
If parts of the Content (including without limitation service) require you to open an account, to choose a password
and/or a user name, you are entirely responsible for maintaining the confidentiality of your password and account,
and for any and all activities that occur under your account. You will maintain and promptly update your account
and any information you provide to Adtran to keep it accurate, current and complete.
You will notify Adtran immediately of any unauthorized use of your account or any other breach of security.
Adtran will not be liable for any losses you incur as a result of someone else using your password or account,
either with or without your knowledge. However, you could be held liable for losses incurred by Adtran due to
someone else using your account at any time, without the permission of the account hold.
You may obtain direct access via the Content (including without limitation portal or system) to certain confidential
information of Adtran and its suppliers and contractors, including without limitation technical, contractual,
product, delivery, pricing, marketing and other valuable information that should reasonably be understood as
confidential ("Confidential Information"). You must hold Confidential Information in strict confidence. Title to
Confidential Information remains with Adtran or its respective suppliers and contractors.
No Warranties
ALL CONTENT IS PROVIDED ON AN ''AS IS AVAILABLE'' BASIS WITHOUT ANY WARRANTY OF ANY KIND EITHER
EXPRESSED OR IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. ADTRAN MAKES NO
WARRANTY AS TO THE ACCURACY, COMPLETENESS, OR RELIABILITY OF ANY CONTENT AVAILABLE HEREIN. USE
OF THE CONTENT IS AT YOUR SOLE RISK. YOU ARE RESPONSIBLE FOR VERIFYING ANY INFORMATION BEFORE
RELYING ON IT AND FOR TAKING ALL NECESSARY PRECAUTIONS TO ENSURE THAT CONTENT IS FREE OF

Ensemble Controller R15.3 -Administrator Manual - Issue: A 2

Adtran

VIRUSES. The content of this document may include technical inaccuracies or typographical errors. Adtran
may make changes at any time to the Content (including without limitation portals, systems, products or
specifications) without notice and makes no commitment to update Content.
Adtran may provide economic projections and forward-looking statements on this Content (including
without limitation on portals or systems) that relate to future facts. Such projections and forward-looking
statements are subject to risks which cannot be foreseen and which are beyond the control of Adtran.
Adtran is therefore not in a position to make any representation as to the accuracy of economic projections
and forward-looking statements or their impact on the financial situation of Adtran or the market in the
shares of Adtran.
Limitation of Liability
IN NO EVENT SHALL ADTRAN NETWORKS SE OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR RELATED TO
THE ACCESS OR USE OF THE CONTENT (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND BASED ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE), EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE. THE SAME APPLIES FOR ANY HARDWARE OR SOFTWARE INCLUDED IN THE CONTENT,
UNLESS A SIGNED AGREEMENT WITH ADTRAN NETWORKS SE OR ITS AFFILIATE(S) OR THE APPLICABLE
PRODUCT LIABILITY LAW EXPRESSLY STATES OTHERWISE.
Trademarks and Copyright
Documents and information, including text, images, graphics, sound files, animation files, video files and
their arrangement made available in the Content (including without limitation the portal or system) are
subject to copyright and other intellectual property protection. They may not be copied for commercial use
or distribution and may not be modified or reposted to other internet sites.
Unless otherwise indicated, all marks displayed on the Content (including without limitation portals) are
subject to the trademark rights of Adtran Networks SE or the respective trademark owner. Adtran Networks
SE and the Adtran Networks SE Logo are trademarks or registered trademarks of Adtran Networks SE in
Germany and other countries.
Any software that is made available for download from the Content ("Software") is a copyrighted work of
Adtran or the respective copyright owner.
The furnishing of this content does not give you any license or rights with respect any content, patents
and/or trademarks herein, unless the Content (including without limitation software) is governed by the
terms of your signed agreement with Adtran. Any reproduction or redistribution of the Content (including
without limitation Software) not in accordance with the foregoing is expressly prohibited.
Third Party Content
Third-party content is the property of their respective owners and does not imply a partnership between
Adtran and any other company. Any references to content that is not from Adtran are provided for
convenience only and do not in any manner serve as an endorsement of that content.
Software generally known as “open source software” is licensed pursuant to the applicable license terms.
The copyright owners of such software disclaim all warranties and conditions, express and implied,
including warranties or conditions of title and non-infringement, and implied warranties or conditions of
merchantability and fitness for a particular purpose, and all liability for damages, including direct, indirect,
special, incidental and consequential damages, such as lost profits.
Export Controls

Ensemble Controller R15.3 Administrator Manual - Issue: A 3

Adtran

The Content (including without limitation service, Software, or technology derived or obtained from the
portals) may be subject to the export control laws and/or the import laws of various country (“Controlled
Items”). This includes without limitation the export control laws and regulations of Germany, the European
Union, and the United States. You agree to comply strictly with all such laws. In particular, you will not use,
distribute, transfer or transmit the Controlled Items (even if incorporated into other products) except in
compliance with such laws. You are also responsible for complying with all applicable legal regulations of
the country where you are registered, and any foreign countries with respect to the use of the Controlled
Items by you, your affiliates, subsidiaries, directors, employees, authorized users and permitted third
parties, including end-users. Adtran will support you in obtaining any necessary export or import license for
Controlled Items. You agree that none of the Controlled Items will be sold or otherwise transferred to, or
made available for use by or for, any entity that is (a) named on the EU, U.S. or other government-issued
Sanctioned Party Lists (Denied Party List, Restricted Party, etc.) or (b) engaged, directly or indirectly, in the
design, development, production, stockpiling, or use of chemical or biological weapons, nuclear programs
(including activities related to nuclear devices, nuclear reactors, and nuclear fuel-cycle activities), missiles
and maritime nuclear propulsion projects, except as authorized under applicable laws and regulations.
You agree that, in the event you are notified by Adtran, a third party or a governmental agency about a
license requirement for Controlled Items or particular transactions, you will not export or re-export the
Controlled Items or pursue the transactions, directly or indirectly, until the required licenses are obtained,
and work with Adtran, the third party or the governmental agency to procure the required licenses.
You agree to indemnify and hold harmless Adtran in the event of your non-compliance with any applicable
German, EU, and U.S. export control laws and the export controls or import laws of other countries.
Governing Law and Place of Jurisdiction
The Content and any dispute arising out of or in connection with this Content is governed by German Law,
without its choice of law provisions and the United Nations Convention on Contracts for the International
Sale of Goods is hereby excluded. The District Court of Munich has exclusive jurisdiction for any dispute
arising out of or in connection with this Content.
Privacy Statement
All terms related to our privacy information are available at: https://www.adva.com/en/about-
us/legal/privacy-statement
All terms related to our privacy information for Customer Portal users are available at: https://advaoptical-
communities.force.com/customerportal/CustomerPortalTCs

Ensemble Controller R15.3 Administrator Manual - Issue: A 4

Adtran Contents

Contents
Contents 5
Preface 31
Safety Symbol and Message Conventions 31
Documentation 31
Rebranding 32
Ensemble Controller Documentation Suite 33
Accessing Documentation 33
Within Ensemble Controller 33
World Wide Web 33
Documentation Feedback 34
Obtaining Ensemble Controller Information 34
Support Info 34
Ribbon Menu 35
Creating a System Health Report 35
Requirement to Create a System Health Report 36
Procedure to Create a System Health Report 36
About Information 36
Obtaining Technical Assistance 37
Customer Portal 37
Technical Services 37
Call Adtran 37
Document Revision History 39
Installing and Logging into Ensemble Controller 46
Overview 46
Communication 47
Graphical User Interface 47
Subnetworks 47
Events 47
User Management 48
Performance 48

Ensemble Controller R15.3 Administrator Manual - Issue: A 5

Adtran Contents

Security 48
Pro-Vision Support 48
Installation Requirements 48
Required Minimum Server Hardware 48
General Information 49
Network Element Equivalents 49
Performance Management Object Count 52
Installing the Server Hardware 53
High-Availability Solution with a Redundant Server 53
Upgrading the Server Hardware 53
Supported Operating Systems (Server) 53
Minimum Requirements for Windows Test Servers 54
Recommended Windows Server Hardware 54
Recommended Linux Server Hardware 56
Required Minimum Client Hardware 58
Supported Operating Systems (Client) 59
Minimum Requirements for Test Systems 60
Recommendations for the User Environment 60
Client Server Requirements 60
The Embedded License Server 61
Supported Operating Systems 61
Installation Options 61
Required License Server Hardware for the Local Installation 62
Interaction of Ensemble Controller and Embedded License Servers in High
Availability 62
Antivirus Software 62
Server Environment 62
Client Environment 63
Local Area Network 63
Network Element-to-Server Connections 64
Server-to-Server Connections 64
Server-to-Client Connections 64
Server-to-Northbound Interface Connections 64
Network Elements 65

Ensemble Controller R15.3 Administrator Manual - Issue: A 6

Adtran Contents

Ensemble Controller Server Filter 65

Trapsink Table 65
SNMP Access 65
FTP Access 65
General Aspects 66
Using RADIUS, TACACS+, or LDAP 66
Third-Party Software 66
Using FTP or SSH Servers 66
Additional Software 67
Optional Hardware 67
Optional Applications 68
Ensemble Optical Director with Centralized Control Plane 68
Ensemble Sync Director Assurance Extension 68
Ensemble Fiber Director 69
Streaming High Availability 69
Transport API North Bound Interface 69
Installing Ensemble Controller 70
Installing Ensemble Controller in Windows 70
Requirements for Installing Ensemble Controller in Windows 71
Steps to Installing Ensemble Controller in Windows 71
Silent Installation of the Ensemble Controller Client 79
Verifying Services in Windows 80
Changing the Memory Settings of the Mediation Server in Windows (64 Bit) 82
Installing Ensemble Controller Client Only 82
Installing Ensemble Controller in Linux 86
Requirements for Installing Ensemble Controller in Linux 87
Steps to Installing Ensemble Controller in Linux 88
For Red Hat Enterprise Linux 7.x and 8.x 90
Verifying Services in Linux 92
Changing the Memory Settings of the Mediation Server in Linux 93
Troubleshooting Client Download Errors 93
"Cannot write to download directory" 94
"Cannot create installation directory" 94
"Error while updating or uncompressing" 95

Ensemble Controller R15.3 Administrator Manual - Issue: A 7

Adtran Contents

Viewing and Deleting Installed Clients 95

Preparing and Enabling the Embedded License Server 97
Importing Ensemble Controller Server Certificates to the Client 98
(Optional) Installing Additional Programs 99
Installing FileZilla 99
Installing PuTTY 103
Requirements 103
Procedure 103
Installing CopSSH 108
Starting the Ensemble Controller Server 113
Procedure to Start the Server in Windows 113
Using the Windows Start Menu 114
Using the Windows Command Prompt 114
Procedure to Start the Server in Linux 114
Stopping the Ensemble Controller Server 115
Procedure for Stopping the Server in Windows 115
Using the Windows Start Menu 115
Using the Windows Command Prompt 115
Procedure for Stopping the Server in Linux 116
Logging Into the Ensemble Controller Client 116
Requirements to Log Into the Ensemble Controller Client 116
Supported Encryption Protocols and Ciphers 117
HTTPS and JMS 117
Public/Private Keys x.509 (HTTP, JMS) 118
SSH: server-server, server-ftp server 118
Ensemble Controller User Passwords 118
Persistent Sensitive Data Encryption 118
Server-NE Communication (SNMP, HTTP) 118
Procedure to Log Into the Ensemble Controller Client 119
Taking Remedial Action for Failed Login Attempts 123
Installing Ensemble Controller for Pro-Vision 125
Installation Procedure for Linux 125
Installation Procedure for Windows 126
Enabling User Permissions 126

Ensemble Controller R15.3 Administrator Manual - Issue: A 8

Adtran Contents

Ensemble Controller R15.3 Administrator Manual - Issue: A 9

Adtran Contents

Editing Roles 140

Deleting Roles 140
Table 140
Details Pane 140
Identity 140
Permissions 141
Action Log Tab 141
Changing Event Severities 142
Table 142
Details Pane 142
Sessions Tab 142
Ribbon Menu 143
Table 143
Details Pane 143
Changing Passwords on Network Elements Using SNMP 143
Requirements to Change Passwords Using SNMP 144
Procedure to Change Passwords Using SNMP 145
Activating a Log File 146
Enabling a Connection of One Ensemble Controller Client to Multiple Servers 147
Enabling Two-Man Approval for Actions 148
Applying the Two-Man Rule Permission to User Actions 149
Assigning a User for Approver 149
About the Request Phase 150
About the Decision Phase 150
Opening the Approval Requests Dialog Box 150
Viewing the Approval Requests Dialog Box 150
Deciding on the Requests in the Approval Requests Dialog Box 151
About the Response Phase 151
Granting Temporary Admin User Rights on Network Elements 152
Viewing or Revoking Approved Requests 153
Requirement to Revoke Approved Requests 153
Opening the Approved Temporary Privileges Dialog Box 154
Revoking an Approved Request 154
Fallback Solution if the Network Element Connection Fails 154

Ensemble Controller R15.3 Administrator Manual - Issue: A 10

Adtran Contents

Requirement to Use the Fallback Solution 154

Enabling the Network-Element Fallback User-Password Management Tool 155
Effect of Enabling the Management Tool 155
Opening the Management Tool 156
Sorting Table Content 156
Filtering Table Content 156
Revealing a Fallback User Password 157
Requirements to Reveal a Fallback User Password 157
Procedure to Reveal a Fallback User Password 157
SSH Settings 158
SFTP Settings 159
High Availability 159
Standard High Availability 161
General Information 161
The Two-Node Cluster Concept 161
Server-Mode Switchover Behavior for Standard High Availability 162
Implications if Primary Servers Stop Working 162
Implications After Restoring Primary Servers 163
Manually Changing the Server Mode 163
Configuring Server Shell Scripts 164
Server Status 164
Comparing the Primary-to-Secondary Server Activity 165
Preparing to Configure Standard High Availability 167
Configuring Standard High Availability in Windows 168
Configuring Standard High Availability in Linux Systems 173
Configuring High Availability with the SSH Password 174
Configuring High Availability with the SSH Key 174
Applying and Testing the New Standard High-Availability Configuration 175
Maintaining Standard High Availability 179
Upgrading Ensemble Controller Servers that Use Standard High Availability 179
Changing an Existing Standard High-Availability Configuration 180
Requirements to Change a Standard High-Availability Configuration 180
Procedure to Change a Standard High-Availability Configuration 181
Changing the Ensemble Controller Server Work Mode 182

Ensemble Controller R15.3 Administrator Manual - Issue: A 11

Adtran Contents

Enabling or Disabling Automatic Switchover for Standard High Availability 183

Disabling a Standard High-Availability Configuration 184
Streaming Replication High Availability 184
General Information 184
The Three-Node Cluster Concept 185
Primary and Standby Server Coordination 185
Resilience to Outages 186
Server Outages 186
Network Outages 186
Dividing a Cluster in Availability Zones 186
Server-Mode Switchover Behavior for the Streaming Replication High Availability 187
Comparing the Primary-to-Standby Server Activity 187
Effects of nmsadmin Operations on the Primary and Standby Server 189
Installation Requirements 191
Installation Software 194
Installation Overview 194
Installing and Configuring the Intended Primary Ensemble Controller Server 196
Requirements to Install and Configure the Intended Primary Ensemble
Controller Server 196
Procedure to Install and Configure the Intended Primary Ensemble Controller
Server 196
Installing and Configuring the Intended DCS Quorum Server 197
Requirements to Install and Configure the Intended DCS Quorum Server 197
Procedure to Install and Configure the Intended DCS Quorum Server 197
Installing and Configuring the Intended Standby Ensemble Controller Server 197
Requirements to Install and Configure the Intended Standby Ensemble
Controller Server 197
Procedure to Install and Configure the Intended Standby Ensemble Controller
Server 198
Maintaining Streaming Replication High Availability 198
Checking the Cluster Status 198
Pausing or Resuming the Streaming Replication High-Availability Control 199
Changing an Existing Streaming Replication High-Availability Configuration 200
Enabling the Single-Server Mode 200
Upgrading Streaming Replication High Availability 201
Updating High Availability Stream Package 203
Ensemble Controller R15.3 Administrator Manual - Issue: A 12
Adtran Contents

Enhancing the Database Password Encryption Security 204

Any 13.x Version Upgraded to 13.3 or Later 204
Any Supported Version Before 13.1 Upgraded to 13.3 or Later 207
Initiating a Server Work Mode Switchover 207
Enabling or Disabling Automatic Switchover for Streaming Replication High
Availability 208
Reverting to a Non-Resilient Configuration or Disabling Streaming Replication
High Availability 208
Requirement to Revert to a Non-Resilient Configuration 209
Procedure to Revert to a Non-Resilient Configuration 209
Migrating from Standard to Streaming Replication High Availability 210
Requirement to Migrate from Standard to Streaming Replication High Availability 210
Procedure to Migrate from Standard to Streaming Replication High Availability 210
System Settings 211
Suppressing Noisy Events 212
Overview of Noisy Events Per Network Element 213
Broadcasting Messages to Ensemble Controller Clients 216
Requirement to Broadcast Messages 216
Procedure to Broadcast Messages 216
Server Preferences 218
Event Log Settings 219
Opening the Event Log Page 219
Event Log Parameters 221
Log Size Details of Live Events 223
Anonymization Details 223
Editing Security Parameters 224
Opening the Security Page 224
Setting Auto Lock and Auto Logout 225
Setting User Account Policies 226
Setting Authentication Parameters 228
Verifying Certificates of other Servers 230
Changing the FNM Property 231
Setting SMTP Properties 231
Setting the Default NE Identity Type 232
Changing the Network Element Icon Labeling 233

Ensemble Controller R15.3 Administrator Manual - Issue: A 13

Adtran Contents

Setting the Client Time Zone 235

Configuring the NBI Trap Transmitter Settings 236
Requirement to Configure the NBI Trap Transmitter Settings 237
Procedure to Configure the NBI Trap Transmitter Settings 237
Configuring ENC-ELS Single Sign-On Connection 240
Requirement to Configure ENC-ELS Single Sign-On Connection 240
Procedure to Configure ENC-ELS Single Sign-On Connection 241
Configuring Operations from the fnm.properties File 242
Editing the fnm.properties File 242
Enabling the Login or Post-Login Dialog Box Message 244
Login Dialog Box Message 244
Post-Login Dialog Box Message 245
Setting Up RADIUS Authentication 246
Configuring an External RADIUS Server 246
Configuring the RADIUS Server Access in Ensemble Controller 247
Configuring the RADIUS Server Timeout 247
RADIUS Access-Challenge 248
Logging In Through One-Time-Password 248
Setting Up TACACS+ Authentication 249
Configuring an External TACACS+ Server 249
Configuring the TACACS+ Server Access in Ensemble Controller 250
Configuring the TACACS+ Server Timeout 251
Setting Up LDAP Authentication 252
Configuring Access to the LDAP Server 252
Configuring the LDAP Server Timeout 253
Changing the Default Security Protocol 254
Using Multiple Network Interfaces for Communication 255
Prerequisites to Use Multiple Network Interfaces 255
Configuring Multiple Network Interfaces 256
Script or Command-based Operations 258
Enabling IPv6 258
Setting the Server Time Zone 259
In a Windows Operating System 259
In a Linux Operating System 260

Ensemble Controller R15.3 Administrator Manual - Issue: A 14

Adtran Contents

Setting the Shared Buffer Size 261

Using Customer Certificates 261
Creating a Keystore and a Self-Signed Certificate 261
Generating a Certificate Signing Request and Signing the Certificate Externally 262
Creating the Key, Signing it Externally, and Bundling it as p12 Container 263
Adapting the jms.properties File to the New Password 264
Adapting the Ensemble Controller Server to the New Password 264
Keystore and Private Key Password Encryption 265
Encrypting Passwords or <text> 265
Adapting the jms.properties File to the Newly Encrypted Password 266
Adapting the Ensemble Controller Server to the Newly Encrypted Password 266
Updating the Keystore and Defining a New Passphrase 267
Command Definition 267
Procedure to Update the Keystore and Define a New Passphrase for the Private Key 267
Procedure to Define a New Passphrase for the Keystore 268
Changing the Maximum User Processes Property in Linux 268
Creating Configuration File Templates for Ethernet Devices 269
Design Objectives 269
Tag Set 270
Supported <default> Keywords 276
Rules 280
Configuring Sync Assurance and the Ensemble Fiber Director Server 282
Installing the Map Library in Linux 282
Requirement to Install the Map Library 283
Procedure to Install the Map Library 283
Version 14.1 or Earlier 283
Version 14.2 or Later 283
Installing and Configuring the Sync Assurance Application in Linux 284
Requirements to Install the Sync Assurance Application 285
Procedure to Install the Sync Assurance Application 286
Command Output Example for a GNSS Service 289
Stopping the Sync Assurance Application 290
Starting the Sync Assurance Application 290
Health Check and Database Backup for Sync Assurance Applications 291

Ensemble Controller R15.3 Administrator Manual - Issue: A 15

Adtran Contents

Automatic Database Backups 292

Restoring the Database from a Backup File 292
Command Output Examples for GNSS Service Replicas 296
Connecting the Sync-Assurance Applications with the Ensemble Controller 298
Enabling Machine-Learning Based Alarms for GNSS 298
Creating Custom GNSS Scripts 298
Supported Files and Script Formats 298
System-Provided Custom GNSS Help Files 301
Custom Script Business Logic 302
Post-Creation Steps 307
Changing the Database Password of the Sync Assurance Applications 307
Configuring Streaming Network Telemetry Service 308
Installing the Ensemble Fiber Director Server in Linux 308
Requirements to Install the Ensemble Fiber Director Server 309
Procedure to Install the Ensemble Fiber Director Server 310
Installing Ensemble Fiber Editor 310
Installing the Local Geographical Map-Tile Server in Linux 311
Chrome Security Concern 312
Ensemble Fiber Director Mobile Application 313
Prerequisites for Running the EFD Mobile Application 313
Installing the EFD Mobile Application 313
Running, Stopping, or Uninstalling the EFD Mobile Application 314
Consolidating Ensemble Controller Servers 314
Terminology 315
Requirements to Consolidate Servers 315
Prerequisite Steps for the Servers 315
Starting the ENC Migration Tool 316
Command Content Description 317
Included Attributes for Network Exports 320
Included Attributes for Link Exports 321
Included Attributes for Service Tree Exports 321
Included Attributes for Tracked Service Exports 321
Overview of the Command Sequence 322
Summarized Command Sequence 323

Ensemble Controller R15.3 Administrator Manual - Issue: A 16

Adtran Contents

Exporting Database Content from the Source Server 323

Importing Database Content to the Destination Server 324
Requirements to Import Database Content 324
Procedure to Import Database Content 324
Post-Migration Steps After the Import 326
Requirement for the Post-Migration Steps 326
Procedure for the Post-Migration Steps 326
Accessing Management Tools 327
Command Line Interface 327
Using a Secure Protocol 327
Using an Insecure Protocol 328
Configuring CLI Launch Commands 328
WEB Manager 329
Single Sign-On Support (SSO) 330
Scenarios That Support SSO 330
Establishing a Single Sign-On Connection 331
Establishing an SSO Connection Using Fallback Passwords 333
Requirements to Use SSO With Fallback Passwords 334
Procedural Description 335
Establishing an SSO Connection Using an Ad-Hoc Local Network Element
Account 335
Requirements to Use SSO With Ad-Hoc Accounts 336
Procedural Description 336
Disabling a Single Sign-On Connection 338
HTTP or HTTPS Communication 338
Configuring the Ensemble Controller-Internal HTTP Proxy 338
Editing the Property in the fnm.properties File 339
Configuring the Service in the Services Window 339
Configuring a Standard HTTP or HTTPS Proxy Server 339
Element Manager 341
Installing the Element Manager 341
Enabling the SNMP Forwarder Service 342
Enabling the SNMP Forwarder Service in Windows 342
Running the Script File 342

Ensemble Controller R15.3 Administrator Manual - Issue: A 17

Adtran Contents

Configuring the Service in the Services Window 342

Enabling the SNMP Forwarder Service in Linux 342
Fault Management 343
Enabling Logging of Service Affected Alarms in the Ensemble Controller Database 343
Enabling and Configuring Event Logging to External CSV File 343
Installing the OSA WinSTS Tool 345
Maintaining Ensemble Controller 349
Adding or Removing Ensemble Controller Features 349
Adding Features to the Ensemble Controller 350
Removing Features from the Ensemble Controller 353
Changing the Database Password 356
Verifying the Ensemble Controller Server by Using the Healthcheck Script 358
For Windows 358
For Linux 358
Considerations When Replacing FSP 3000R7 Network Elements 359
Locking Client Upgrades or Downgrades 359
Customizing Network Element Icons 359
Updating Ensemble Controller Database Information 360
Database Update Actions 361
Status Check 361
Configuration Check 361
Inventory Check 361
Discovery Polling 362
Immediate Database Backup 362
Backing Up or Restoring the Ensemble Controller Database 362
Immediate Database Backup 363
Restoring the Ensemble Controller Database 363
General Requirements 363
Requirements When Upgrading to a Newer Ensemble Controller Version 364
Procedure to Restore the Database in Linux 364
Procedure to Restore the Database in Windows 364
Setting the Number of Database Backup Files Allowed to be Created 365
Upgrading Ensemble Controller 365
Successfully Upgrading Ensemble Controller 365

Ensemble Controller R15.3 Administrator Manual - Issue: A 18

Adtran Contents

Requirements to Upgrade Ensemble Controller 367

Reconfiguring Properties for RADIUS or TACACS+ Configurations 368
Enhancing the Database Password Encryption Security 368
Any 13.x Version Upgraded to 13.3 or Later 368
Any Supported Version Before 13.1 Upgraded to 13.3 or Later 369
Upgrading High Availability Servers 369
Retaining a Customized fnm.properties File 370
Upgrading an Existing Ensemble Controller Version 370
Upgrading by Installing a New Ensemble Controller Version 370
Overview of the Upgrade Procedure Steps 371
Upgrading Ensemble Controller in Windows 371
Requirements 372
Restriction 372
Procedure to Upgrade in Windows 372
Upgrading Ensemble Controller in Linux 377
Requirements to Upgrade in Linux 377
Restriction to Upgrade in Linux 377
Procedure to Upgrade in Linux 378
Enhancing the User Password Encryption After an Upgrade to Version 14.1 or Later 379
Upgrading Sync Assurance in Linux 380
Requirements to Upgrade Sync Assurance 380
Procedure to Upgrade Sync Assurance 381
Procedure to Upgrade Sync Assurance 15.1 to 15.2 including GNSS and TPA Raw Data
Migration 382
Upgrading Ensemble Fiber Director in Linux 387
Uninstalling Ensemble Controller 387
Uninstalling Linux Applications 390
Uninstalling the Sync Assurance Application 390
Managing the Centralized Control Plane 391
Minimum Hardware Requirements 392
Setting Up the Centralized Control Plane 393
Configuring a Connection Between Ensemble Controller and the Centralized Control
Plane 393
Configuring Centralized Control Plane High Availability 395
Opening and Viewing the CPc Manager 396

Ensemble Controller R15.3 Administrator Manual - Issue: A 19

Adtran Contents

Requirements to View the CPc Manager 396

Procedure to View the CPc Manager 396
Legacy Links Page 399
Links Page 400
Migrating Links to the Centralized Control Plane or Deleting Them 402
Requirements to Migrate Links 402
Procedure to Migrate Links 402
NEs Configuration Page 402
Table Description 403
Action Controls 404
TE Links From CPc Page 405
NEs From CPc Page 407
Managing the Centralized Control Plane Server in Linux 407
Upgrading the Centralized Control Plane Server 408
Backing Up the Control Plane Database 408
Backup File Storage 409
Backup Operation Notifications 409
Restoring the Centralized Control Plane Database 409
Requirements to Restore the CPc Database 410
Procedure to Restore the CPc Database 410
Centralized Control Plane Server Health Check 410
Health Check Using Scripts 410
Health Check Using the Ensemble Controller GUI 411
Troubleshooting 412
Purpose 412
Assumptions 412
Terms 413
Preparation 413
Discussing the Management-Software Products Ensemble Controller and FSP
Element Manager 414
Discussing the Network Configuration 414
Clearly Defining the Issue That You Try to Resolve 414
Tools of the Trade 415
Troubleshooting Steps 415

Ensemble Controller R15.3 Administrator Manual - Issue: A 20

Adtran Contents

Resolving Installation Issues 415

Cannot install Ensemble Controller. 416
The Ensemble Controller installation fails with an error message. 416
Updating the Ensemble Controller Client Launcher 417
Requirement to Update the Client Launcher 417
Procedure to Update the Client Launcher 417
Obtaining a Client-Only Installation 417
Updating the Client Launcher 418
Resolving Start-up Issues 421
Ensemble Controller does not start without an error message. 421
The Ensemble Controller Server SNMP Forwarder does not start. 422
The Ensemble Controller Server Mediation Server does not start. 422
Cannot launch the Element Manager Using Ensemble Controller. 423
External event logging does not start. 423
Ensemble Controller Server Connectivity 424
Cannot find the specified host name 424
Ensemble Controller Server could be down or is not responding 424
Cannot connect to the Ensemble Controller Server: xyz 424
SNMP Connectivity Test 425
Unable to start or stop the Ensemble Controller Server without an error message. 426
Ensemble Controller Server processes do not start after server restart or crash. 427
The Ensemble Controller Server does not start after Linux restarts. 427
Linux stops with the error message: "No buffer space available." 427
Open-file limit is too low for the Ensemble Controller Server process in Linux 428
Cannot launch the Ensemble Controller Client. 428
Problem to start the Ensemble Controller Client 428
Irrelevant error message that Mediation Server could not start 429
Unable to launch the Ensemble Controller Client after download and upgrade to 12.1.1 430
Resolving Access Issues 430
Cannot ping the network element 431
Cannot configure the network element through the Element Manager 431
SNMP timeout occurs while accessing the network element 432
Option 1 – IP Connectivity Bad 432
Option 2 – Improper Handling of Fragmented Packets or MTU Too Small 432

Ensemble Controller R15.3 Administrator Manual - Issue: A 21

Adtran Contents

The Ensemble Controller Client cannot connect to the Server 433

The Ensemble Controller Client cannot connect because of incorrect user name -
password pair 433
SNMPv3 communication fails after factory-default reset 434
Centralized Control Plane Cannot Connect to the Network Element on Server with
Two Network Interfaces 434
Centralized Control Plane Cannot Install and Use Signed Certificate 435
Resolving Normal Operations Issues 435
General Trouble 436
Ensemble Controller Menu displays in gray color. 437
Ensemble Controller does not receive traps. 437
Ensemble Controller displays the network-element inventory incorrectly. 438
Ensemble Controller does not detect a fiber break. 438
The Ensemble Controller Server detects a false fiber break. 438
Different alarm severities in Ensemble Controller and Element Manager. 439
Removed module displays in the Ensemble Controller inventory. 439
Connections from removed modules still display. 439
Alarms in the Alarm View display in gray color. 440
You cannot start the Element Manager for an FSP 3000R7 NE. 440
Configuration backup of FSP 3000R7 fails with the message “Download protocol …”. 440
After configuration, network element backup fails with the message “... Backup server
is not responding...” 441
You received the system event “Maximum amount of events, which are queued for
processing, has been reached (“500”), events are discarded.” 441
You receive the event “System time deviation high”. 442
The Notification Manager does not send emails although configured. 442
You receive the event “Authentication failure trap message”. 443
Ensemble Controller receives no traps for an FSP 3000R7 network element. 443
The system does not write the trap address to the FSP 150CM. 444
The Ensemble Controller Server crashes after a time or time zone change, scheduled
backup does not work, or status polling never ends. 444
“Unknown Entity” displays in alarm or event windows. 445
Security Manager permission "Write Access to Supported Connections" is not
blocked although disabled. 445
UDP Packet Loss on a Linux Server 446

Ensemble Controller R15.3 Administrator Manual - Issue: A 22

Adtran Contents

Hardware or Software Support and Compatibilities 447

Communication Ports 447
Port Connection Sequence 447
Configuring Server and Client Communication Ports 448
Effects on the GUI Using Secure Ports 449
Supported Communication Ports 449
Client Property Overview 456
Remote User Options 456
com.adva.common.workbench.dialog.login.force_system_user=false 457
Server Property Overview 457
Authentication Access Options 457
RADIUS 458
Properties for the Specific RADIUS Server 459
RADIUS Client Library 461
Specifying the RADIUS Authentication Type 461
TACACS+ 461
Properties for the Specific TACACS+ Server 462
Specifying the TACACS+ Authentication Type 464
LDAP 464
Basics About the LDAP Server Directory Structures 464
Using the Directory for Authentication 465
Using the Directory for Authorization 465
Specific LDAP Server Properties 468
Advanced Server Properties 469
Backup Options 472
com.adva.fnm.option.databasebackupfilesnumber 472
Heartbeat on Alarm NBI 472
Disk Space Monitoring Options 472
com.adva.fnm.option.diskSpaceLowThreshold 472
com.adva.fnm.option.diskSpaceCriticalThreshold 473
com.adva.fnm.option.diskSpacePollingFrequency 473
Ensemble Sync Director Options 473
com.adva.nlms.mediation.synchronization.discovery.SyncDiscoveryQueueSize 473
com.adva.nlms.mediation.synchronization.ncd.auto.align.with.subnet 474

Ensemble Controller R15.3 Administrator Manual - Issue: A 23

Adtran Contents

com.adva.nlms.mediation.synchronization.ncd.auto.align.with.subnet.separator 474
com.adva.nlms.mediation.synchronization.snt.telemetry.tls.option 474
com.adva.fnm.option.syncNetGraph.maxNEsForLayout 474
Health Center Properties 474
com.adva.fnm.option.HealthCenter.SampleRateInMinutes 475
com.adva.fnm.option.HealthCenter.ViewRefreshPeriodInSec 475
com.adva.fnm.option.HealthCenter.GaugeMonitoredHours 475
com.adva.fnm.option.HealthCenter.DBRetentionDays 475
CPU Thresholds 475
com.adva.fnm.option.HealthCenter.CpuUtilizationThreshold 475
com.adva.fnm.option.HealthCenter.CpuDegradedThreshold 475
com.adva.fnm.option.HealthCenter.CpuUnhealthyThreshold 475
Memory Thresholds 476
com.adva.fnm.option.HealthCenter.PhysicalMemoryUtilizationThreshold 476
com.adva.fnm.option.HealthCenter.SwapMemoryUtilizationThreshold 476
com.adva.fnm.option.HealthCenter.PageVsPhysicalMemoryThreshold 476
com.adva.fnm.option.HealthCenter.MemoryDegradedThreshold 476
com.adva.fnm.option.HealthCenter.MemoryUnhealthyThreshold 476
Disk Thresholds 477
com.adva.fnm.option.HealthCenter.WindowsMonitoredDiskPartitions 477
com.adva.fnm.option.HealthCenter.LinuxMonitoredDiskPartitions 477
com.adva.fnm.option.HealthCenter.DiskDegradedThreshold 477
com.adva.fnm.option.HealthCenter.DiskUnhealthyThreshold 477
Embedded License Server Options 477
com.adva.fnm.option.flexeraServer.ipaddress 477
com.adva.fnm.option.backupFlexeraServer.ipaddress 477
com.adva.fnm.option.elsgui.ipaddress 478
com.adva.fnm.option.backupElsgui.ipaddress 478
com.adva.fnm.option.flexeraServer.pollingInterval 478
com.adva.fnm.option.flexeraServer.timeout 478
com.adva.fnm.option.flexeraServer.hostidprefix 478
com.adva.opt.flexera.requestLicenses 479
Graphical User Interface Options 480
com.adva.fnm.option.server_welcome_text 480

Ensemble Controller R15.3 Administrator Manual - Issue: A 24

Adtran Contents

com.adva.fnm.option.server_postLogonText 480
com.adva.fnm.option.date_format 480
Browser-Related Properties 480
com.adva.fnm.security.CLI_[WINDOWS|LINUX] 481
com.adva.fnm.security.ssh.CLI_[WINDOWS|LINUX] 481
com.adva.fnm.option.useCLIOverTelnet 481
com.adva.fnm.security.browser_[WINDOWS|LINUX] 482
com.adva.fnm.security.pdf_[WINDOWS|LINUX] 482
com.adva.fnm.option.maxMapLabelLength 483
com.adva.fnm.security.auto_logout_user_disable 483
High Availability Options 483
com.adva.fnm.ssl.knownHosts 483
com.adva.fnm.option.automaticSwitchover 483
com.adva.nlms.mediation.ha-stream.automatic-switchover 484
com.adva.fnm.option.slavePolling 484
com.adva.fnm.ssl.keyfile 484
com.adva.fnm.ssl.passphrase 485
com.adva.fnm.option.afterSwitchoverSecondaryScript=/opt/usr/bin/secondary.sh485
Internal Options 485
com.adva.fnm.option.recalculateCounter 485
com.adva.nlms.mediation.evtProc.maxEventQueueSize 485
Properties for Handling Event Processing Suspension 485
Properties for Handling Trap Flood Detection 486
com.adva.nlms.mediation.event.maxEventLogSize 486
Properties for Setting NBI Alarm or Event Filters 487
com.adva.nlms.mediation.event.initCSVLogOnStartup 487
com.adva.nlms.mediation.event.CSVLogLineBreakAtEOL 488
com.adva.nlms.mediation.event.syncAlarmsListenerPort 488
com.adva.nlms.mediation.event.notification.allowExternalScripts 488
com.adva.fnm.option.hideFAMDetails 488
com.adva.fnm.option.trapsink.aging 488
com.adva.unsupported.ne.versions.check.enabled 490
Miscellaneous Options 490
com.adva.fnm.option.disableClientUpdates 490

Ensemble Controller R15.3 Administrator Manual - Issue: A 25

Adtran Contents

com.adva.fnm.option.iphostnameenabled 490
com.adva.nlms.mediation.report.NeCountInventoryThreshold 490
com.adva.nlms.mediation.report.AlarmCountThreshold 490
com.adva.fnm.option.CSVSeparator 491
com.adva.nlms.mediation.report.keptfilesnumber 491
com.adva.nlms.mediation.report.keptfilesnumber.manual 491
com.adva.nlms.mediation.report.performance.PmReportPagesLimit 491
com.adva.nlms.mediation.report.reportExternalStorage 491
com.adva.nlms.mediation.report.sync.performance.device.types 492
com.adva.nlms.mediation.report.suffix 493
com.adva.nlms.mediation.neResources.csv.NE_RESOURCES_REGULAR_REPORT_
FILE_PATTERN 493
com.adva.nlms.mediation.neResources.csv.NE_RESOURCES_REGULAR_REPORT_
DAYS_TO_RETAIN_FILES 493
com.adva.nlms.mediation.neResources.csv.NE_RESOURCES_REGULAR_REPORT_
MAX_FILE_SIZE 493
com.adva.nlms.mediation.CSV_FILE_TRANSFER 494
com.adva.nlms.mediation.sm.prov.cp.CP_POLICY_PROXY_NODES_IP 494
com.adva.nlms.mediation.sm.prov.cp.waitForMonitorEqualizationTimeInSecs 494
com.adva.nlms.mediation.sm.prov.cp.waitForEqualizationTimeInSecs 494
com.adva.nlms.mediation.sm.prov.cp.LOCKED_LINKS_ENABLED 494
com.adva.nlms.mediation.sm.prov.cp.UseCPRestForPrePathComputation 495
com.adva.nlms.mediation.sm.prov.cp.MaxNumberOfComputedPaths 495
com.adva.nlms.mediation.sm.DigitalSignalSuffix 495
com.adva.nlms.mediation.sm.EthernetDigitalSignalSuffix 495
com.adva.nlms.mediation.sm.ServiceNameTemplate 496
com.adva.nlms.common.visual.BANDWIDTH_USAGE_[LOW|HIGH] 496
com.adva.nlms.mediation.ethNEConfig.maxTemplateSizeInKB 496
com.adva.nlms.mediation.config.fsp_r7.useAdvaSpecificSerialNumbers 496
com.adva.nlms.mediation.config.shelfLocationInfoSettable 496
com.adva.nlms.mediation.sm.prov.ni.controller 496
Properties for Managing Pro-Vision 496
com.adva.fnm.option.UseSnmpForRest 497
com.adva.fnm.option.UseSFTPFileTransfer.device.types 497
Oscillating Events Suppression Options 497

Ensemble Controller R15.3 Administrator Manual - Issue: A 26

Adtran Contents

com.adva.fnm.option.disableLoggingPeriod 497
com.adva.fnm.option.enableLoggingPeriod 498
com.adva.nlms.medation.config.dyingGaspDisabled.device.types 498
Password Change Action Manager Options 498
com.adva.fnm.option.pcaLogReceiver=<email_address> 498
com.adva.fnm.option.pcaMaxThreadCount 498
Performance Monitoring Options 498
com.adva.nlms.mediation.performance.CSVvalidTime 498
com.adva.nlms.mediation.neComm.150ccSnmpDelay 499
Qualitiy Compliance Options 499
com.adva.nlms.mediation.performance.CSVvalidTime 499
com.adva.nlms.mediation.report.sync.quality.compliance.clock.ref 499
com.adva.nlms.mediation.report.sync.quality.compliance.threshold.degraded.ns 499
com.adva.nlms.mediation.report.sync.quality.compliance.threshold.failed.ns 499
Rapid Term Monitoring (RTM) 500
com.adva.fnm.mediation.monitoring.rapidTermInterval 500
com.adva.fnm.mediation.monitoring.rapidStartAtSystemStartUp 500
Deletion of Log Files 500
Retrieving Monitoring Data 500
Specifying Monitored Attributes 501
Triggering RTM 501
Windows CLI Interface 501
Linux CLI Interface 502
Ensemble Controller GUI 502
nmsadmin Script 502
Scaling Options 503
com.adva.fnm.option.threadPoolSize 503
com.adva.nlms.mediation.polling.MAX_RUNNING_POLLING_TASKS 503
com.adva.nlms.mediation.performance.watchdog.olp 503
Security Options 504
com.adva.fnm.option.FallbackNEUserID 504
com.adva.fnm.option.FallbackPasswordManagement 504
com.adva.fnm.option.SSOviaFBP 504
com.adva.fnm.option.SSOviaAHA 504

Ensemble Controller R15.3 Administrator Manual - Issue: A 27

Adtran Contents

com.adva.fnm.option.ssoDisabled.device.types 505
com.adva.fnm.option.maxFtpPasswordLength 505
com.adva.fnm.security.authorization.aspect 505
Self-Monitoring 505
Specifying Monitored Attributes 505
Triggering Self-Monitoring 506
Activating Short-Term or Long-Term Monitoring 506
On-Demand Monitoring Using Ensemble Controller 507
On-Demand Monitoring Using nmsadmin 507
Retrieving Monitoring Data 507
Deletion of Log Files 507
Server Access Options 508
Properties for Servers with Multiple IP Interfaces 508
com.adva.fnm.option.webserver.port 509
com.adva.fnm.option.rest.securePort 509
com.adva.fnm.option.rest.securePortWithMutualAuth 509
com.adva.nlms.mediation.server.proxy.startModule 510
com.adva.nlms.mediation.server.proxy.port 510
com.adva.nlms.mediation.http.client.certs.verification 510
Properties for Configuring the Java Messaging System (JMS) 510
com.adva.fnm.mediation.monitoring.commandLineInterfacePORT 511
com.adva.fnm.option.server_timeout 511
com.adva.fnm.option.maxClientConnectionAlarmThreshold 511
com.adva.fnm.option.maxClientConnectionAllowed 511
TCA Monitoring Option 512
com.adva.nlms.mediation.thresholdCrossingAlert.tcaClearDelay=30 512
com.adva.nlms.mediation.thresholdCrossingAlert.tcaDetectionByParamId 512
Error-free Output of Database Validation Verification 512
Entity Index or AID Values 514
FSP 150 516
GE11x/XG210 516
FSP 150CC 516
f825 517
GE20x/Txx04 517

Ensemble Controller R15.3 Administrator Manual - Issue: A 28

Adtran Contents

FSP 150CM 518

FSP 150CP 518
FSP 150EG-M[2|4|8] 519
FSP 150EG-X 519
FSP 1500 520
FSP 3000 C 520
FSP 3000R7 521
FSP 3000R7 - SH1PCS 521
Hatteras HN[400|4000] 521
Roles and Allocated Actions 523
Pro-Vision – Service Provisioning and Management Platform 544
Discovering Your Network 544
Discovery Configuration 544
Discovery Configuration 545
Viewing Discovery Networks 547
Running Discovery Manually 548
Viewing Discovery Information through the Task Manager 548
Setting Discovery Threads 549
Setting the Display Name to the System Name 549
Avoiding Devices with Duplicate Display Names 549
Zero Touch Configuration 550
DNS Update 550
DHCP 550
Image Download Software/FPGA 551
Startup Config 551
Zero Touch Offline Sync/NTU Replacement 551
Fault Management 551
Configuring Alarm Filters 552
Event Log Parameters 552
Opening the Event/Alarm Filter Configuration Tool 553
Configuring Actions 554
Configuring Email Servers 554
Configuring Email Profiles 555
Configuring SNMP Trap Profiles 556

Ensemble Controller R15.3 Administrator Manual - Issue: A 29

Adtran Contents

Configuring Suppress Profiles 558

Configuring System Command Profiles 559
Configuring Remark Action Profiles 560
Adding Alarm Filters 560
Configuring SNMP Trap Forwarding Profiles 562
Configuring Custom SNMP Traps 563
Viewing Events 565
Viewing Alarms 565
Performing Alarm Operations 566
Clearing Alarms 566
Configuring Alarm Severity 567
Auditing and Authorization 567
Configuring the Auditing Feature 567
Viewing Audit Information through the Task Manager 568
Sylsog Server Filters 569
Viewing the Audit Log 569
Configuring Authorization 569
Modifying an ENC User 571
Deleting an ENC User 571
Viewing Authentication Type LDAP Users 572

Ensemble Controller R15.3 Administrator Manual - Issue: A 30

Adtran Preface

Preface
Safety Symbol and Message Conventions 31
Documentation 31
Obtaining Ensemble Controller Information 34
Obtaining Technical Assistance 37
Document Revision History 39

The pictures or graphics shown in this document are for reference only. They
are based on the latest hardware revision available at the time of publication.
The equipment you received might look different than pictures or graphics
shown in this document.

Safety Symbol and Message

Conventions
You will see these symbols throughout the documentation. All personnel should correctly follow
and not ignore any safety instructions.

Icon Meaning Description

Notice Indicates the risk of equipment damage, malfunction,

process interruption, or negative impacts on surroundings.

Note Indicates supplemental information or helpful

recommendations.

Documentation
Rebranding 32
Ensemble Controller Documentation Suite 33
Accessing Documentation 33
Documentation Feedback 34

Ensemble Controller R15.3 Administrator Manual - Issue: A 31

Adtran Preface

Rebranding
In the context of changing marketing requirements, we rename Ensemble Controller
applications. This table shows the release when names changed, and the new names for the
applications.

Release Old Name / New Name New Remark

Abbreviation Abbreviation

11.1.1 Network Ensemble ENC

Manager / NM Controller

Network Ensemble ENC Server

Manager Server Controller Server

Network Ensemble ENC Client

Manager Client Controller Client

Service Manager Ensemble Optical EOD

Director

Sync Manager Ensemble Sync ESD

Director

Ethernet Ensemble ECBM

Configuration Command-
Manager Based Manager

Encryption Ensemble ECGD

Manager ConnectGuard
Director

Bandwidth Ensemble EBM

Manager Bandwidth
Manager

12.3.1 Ensemble CryptoManager

ConnectGuard
Director / ECGD

Ensemble Controller R15.3 Administrator Manual - Issue: A 32

Adtran Preface

Release Old Name / New Name New Remark

Abbreviation Abbreviation

13.1.1 Control Plane Centralized CPc Manager

Migration Tool / Control Plane
CP Migration Manager
Tool

Ensemble Controller Documentation Suite

Ensemble Controller includes these manuals:
l Ensemble Controller Administrator Manual
o Quickstart Administrator Guide
l Ensemble Controller Integration Manual
l Ensemble Controller User Manual

These manuals especially address licensed Ensemble Controller features:

l Packet Management Guide
l Synchronization Management Guide
l WDM Management Guide
l Ensemble Fiber Director User Manual

Accessing Documentation
Within Ensemble Controller
From the Ensemble Controller Help menu, you can view user documentation either in PDF or
web format.
The default Windows PDF viewer and web browser will normally be used to display the manual.
To use a different browser or viewer, change the Ensemble Controller preferences. These
preferences are stored per user. For more information about how to change preferences and
use a different application, see the User Manual.

World Wide Web

Documentation Portal https://advadocs.com/

Ensemble Controller R15.3 Administrator Manual - Issue: A 33

Adtran Preface

Documentation Feedback
We want our documentation to be as helpful as possible. Feedback is always welcome.

Email admin@advadocs.com

Mail Adtran
Technical Documentation
Märzenquelle 1-3
98617 Meiningen-Dreissigacker
Germany

Obtaining Ensemble Controller

Information
The Ensemble Controller Help menu includes these options to obtain Ensemble Controller
information.
If these options are not available, your user role might be subject to a view restriction. For more
information about view restrictions, see User Manual, Help.

Support Info 34
About Information 36

Support Info
The support Info dialog box displays information about your Ensemble Controller Client and
Server version, for example:
l Version and build number
l Java version
l Interfaces
l Ports in use
l Certificate and license
l Thread dump

This information is especially useful for Technical Services when you troubleshoot Ensemble
Controller issues.
To open the support Info dialog box, from the Ensemble Controller Help menu, select Support
Info.

Ribbon Menu 35

Ensemble Controller R15.3 Administrator Manual - Issue: A 34

Adtran Preface

Creating a System Health Report 35

Ribbon Menu
The support Info dialog box provides a ribbon menu as described in this table.
The table provides a short description of each menu option and a link to the section with more
information if available.

Table 1: Support Info Dialog Box – Ribbon Menu Description

Area Menu option Description Link to More
Information

Refresh Refresh Reload the dialog box with the

latest data from the server.

Operation Client Thread Dump Create a client thread dump.

Server Thread Dump Create a server thread dump.

System Health Report Create a system health report. Creating a

System Health
Report

Client Client error log folder Open the client error log folder.
Logging
Client error log file Open the client error log file.

Server mediation.err Open the server error log file.

Logging
mediation.log Open the server mediation log
file.

sm.log Open the server sm log file.

Export Export Export the information in the User Manual

dialog box to a JAR file, and
then send it to the Adtran
Technical Services
department.

Help Manual Open the Help for this dialog

(F1) box.

Creating a System Health Report

The Technical Services department uses system health reports to analyze and troubleshoot
Ensemble Controller problems.
Complete these steps to create a system health report.

Ensemble Controller R15.3 Administrator Manual - Issue: A 35

Adtran Preface

Requirement to Create a System Health Report 36

Procedure to Create a System Health Report 36

Requirement to Create a System Health Report

To create system health reports, you need to have the permission Create System Health Report.
The system grants this permission to use with an administrator role, as the default.
The administrator sets permissions and corresponding user roles in the Security Manager. To
open the Security Manager, in the Ensemble Controller application bar Settings menu, select
Security, and then Security Manager. For more information about user roles and allocated
privileges, see the Administrator Manual, Roles and Allocated Actions.

Procedure to Create a System Health Report

1. To open the support Info dialog box, from the Ensemble Controller Help menu, select Support
Info.
2. From the ribbon menu, Operation area, select System Health Report.
A confirmation dialog box opens.
3. Click Yes, to open the Save dialog box.
–or–
Click No to stop this action.
4. After you click Yes, in the Save dialog box, browse to an appropriate location where you want
the system to save the report.
5. If required, in the File name field, you can change the file name.
By default, the system names the file in the format healthReport_yyyymmdd-xxxx.zip.
If you change the file name, the system automatically adds the ZIP suffix if missing. This
applies if you use a Windows system. The same applies if you use a Linux system but with a
different suffix.
6. Click Save. A progress window appears.
It might take several minutes for the system to create the report, which depends on the
database size.
The system can create one report at a time. If you or users from other open Ensemble
Controller Clients attempt to create another report simultaneously, an error message
displays in the message pane. The system sends these messages to all available Ensemble
Controller Clients.
After the system finishes the report, the message pane displays respective messages.
The server stores the latest report, and overwrites the existing file that you created
previously. That is, always one report is kept on the server.

About Information
To open a brief summary about the current Ensemble Controller version, from the Help menu,
select About.

Ensemble Controller R15.3 Administrator Manual - Issue: A 36

Adtran Preface

Obtaining Technical Assistance

Product Maintenance Agreements and other customer assistance agreements are available
for Adtran products through your Adtran distribution channel. Our service options include:
l 24 x 7 telephone support
l Web-based support tools
l On-site support
l Technical training, both on-site and at Adtran facilities in Germany and the USA
l Expedited repair service
l Extended hardware warranty service

Customer Portal
You can use the customer portal to:
l Access company information and resources at any time.
l Find information specific to your requirements, such as networking solutions, services, and
programs.
l Resolve technical issues by using online support services.
l Download and test software packages.
l Order Adtran training materials.

Access https://www.adva.com/en/customer-portal

Questions customer-portal-admin@adva.com

Technical Services
Technical services are available to customers who need technical assistance with an Adtran
product that is under warranty or covered by a maintenance contract.

Online https://www.adva.com/en/about-us/contact

Email support@adva.com

Call Adtran
Corporate Headquarters
Huntsville, AL, USA
+1 800 923 8726

Ensemble Controller R15.3 Administrator Manual - Issue: A 37

Adtran Preface

Europe, Middle East and Africa

Martinsried/Munich, Germany
+49 (0)89 89 06 65 0

Ensemble Controller R15.3 Administrator Manual - Issue: A 38

Adtran Preface

Document Revision History

For detailed information about a specific product release, see the appropriate Release Notes.

Product Document Document Issue Date Description

Release Number Issue

9.6 80000041719 Issue A February 2017 Updated manual according to new features in this NM release.

Issue B March 2017 Updated these property descriptions:

l com.adva.nlms.mediation.
CSV_FILE_TRANSFER in the Miscellaneous Options section
l com.adva.nlms.mediation.
performance.CSVvalid
Time in the Performance Monitoring Options section

Added a new section and respective topics about Keystore and Private
Key Password Encryption.

10.1 80000043004 Issue A May 2017 Updated manual according to new features in this NM release.

Issue B July 2017 Updated manual version according to the new GUI and also added the
missing section Verifying the Ensemble Controller Server by Using the
Healthcheck Script.

Ensemble Controller R15.3 Administrator Manual - Issue: A 39

Adtran Preface

Product Document Document Issue Date Description

Release Number Issue

Issue C Added the property description "com.adva.fnm.option.serverIP".

Additionally, there have been general GUI changes in various places and
thus figures and text have been adapted accordingly.

10.2 80000044012 Issue A September Manual updated according to new features in this release.
2017

Issue B October 2017 Added operating systems supported by Ensemble Controller to the
relevant sections in Installation Requirements.

Updated the section Enabling and Configuring Event Logging to External

CSV File to cover the description of how to apply a time policy.

Added these properties to the section Miscellaneous Options:

l com.adva.nlms.mediation.
sm.prov.cp.UseCPRestFor
PrePathComputation
l com.adva.nlms.mediation.
sm.prov.cp.MaxNumberOf
ComputedPaths
l com.adva.fnm.option.NeTls
CertificateHandling

Issue C February 2018 Updated the table Supported Version-Upgrade Sequences.

Added the permission "Service Protection Swap" to the section Roles and
Allocated Actions.

Ensemble Controller R15.3 Administrator Manual - Issue: A 40

Adtran Preface

Product Document Document Issue Date Description

Release Number Issue

10.3 80000046842 Issue A February 2018 Manual updated according to new features in this release.

Issue B March 2018 Updated the table Supported Version-Upgrade Sequences.

10.4 80000048557 Issue A June 2018 Manual updated according to new features in this release.

Issue B July 2018 Updated the table Supported Version-Upgrade Sequences.

Added a note about FSP 3000 C to the property

com.adva.fnm.option.NeTlsCertificateHandling.

10.5 80000049796 Issue A September Manual updated according to new features in this release.
2018

11.1 80000052359 Issue A March 2019

Issue B April 2019 Added these sections supporting the fiber plant management feature:
l Installing the Ensemble Fiber Director Server in Linux
l Installing the Map Library in Linux

Added the Ensemble Fiber Director permissions.

Updated the table Supported Version-Upgrade Sequences.

Decreased the number of 10 cores to 8 for the network sizes M and L in

these tables:
l Windows Hardware Requirements for Ensemble Controller Servers
l Linux Hardware Requirements for Ensemble Controller Servers

Corrected the activemq.useJMX default value description from false to

true in Properties for Configuring the Java Messaging System (JMS).

Ensemble Controller R15.3 Administrator Manual - Issue: A 41

Adtran Preface

Product Document Document Issue Date Description

Release Number Issue

11.2 80000053554 Issue A July 2019 Manual updated according to new features in this release.

Issue B August 2019 Updated the Supported Version-Upgrade Sequences matrix.

Updated these sections about GNSS and the Geo Manager:

l Installing a GNSS Server on a Linux Operating System
o Requirements for Installing a GNSS Server
o Procedure for Installing a GNSS Server
o Restoring a Database-Backup File
o Added Enabling Machine-Learning Based Alarms for GNSS
l Installing the Ensemble Fiber Director Server in Linux

Added the section .

Increased the number of Ensemble Controller Clients that an Ensemble

Controller Server can manage on an extra-large system from 60 to 70.

Added FAS ALM information to the Network Element Equivalents table.

Issue C September Updated these sections:

2019 l Supported Version-Upgrade Sequences

11.3 80000056611 Issue A November Manual updated according to new features in this release.
2019

Issue B December Added these sections:

2019 l Installing the Local Geographical Map-Tile Server in Linux
l Specifying the RADIUS Authentication Type
l Supported Version-Upgrade Sequences

12.1 80000058300 Issue A March 2020 Manual updated according to new features in this release.

Ensemble Controller R15.3 Administrator Manual - Issue: A 42

Adtran Preface

Product Document Document Issue Date Description

Release Number Issue

Issue B Updated these sections:

l The existing feature Consolidating Ensemble Controller Servers that
now also covers the export and import of the Services tree and tracked
services.
l Supported Version-Upgrade Sequences

Added the new section Upgrading Sync Assurance in Linux.

12.2 80000059648 Issue A July 2020 Manual updated according to new features in this release.

12.3 80000061738 Issue A November

2020

Issue B Removed Linux 6 as supported operating system for the Ensemble

Controller Client in Supported Operating Systems (Client).

Removed the requirement about unblocking ports if you have more than
one node in Requirements to Install the Ensemble Fiber Director Server.

12.4 80000062654 Issue A January 2021 Manual updated according to new features in this release.

13.1 80000063282 Issue A April 2021

Issue B June 2021 Removed the Run nVision permission from the Overview of Roles and Their
Allowed Actions.

Updated these sections:

l Supported Version-Upgrade Sequences

l Entity Index or AID Values

l Upgrading Streaming Replication High Availability

Ensemble Controller R15.3 Administrator Manual - Issue: A 43

Adtran Preface

Product Document Document Issue Date Description

Release Number Issue

l Supported Files and Script Formats

Added the section Requirement for Using Standard and Embedded

License Server High Availability in Combination.

13.2 80000065827 Issue A September Manual updated according to new features in this release.
2021

13.3 80000066985 Issue A January 2022 Manual updated according to new features in this release. Added the
Quickstart Administrator Guide as new manual to the Ensemble Controller
documentation set.

Issue B July 2022 Updated and revised these sections:

l Supported Version-Upgrade Sequences
l Restoring the Centralized Control Plane Database
l Ensemble Optical Director with Centralized Control Plane
l Communication Ports

Issue C December Updated Successfully Upgrading Ensemble Controller.

2022

14.1 80000068787 Issue A May 2022 Manual updated according to new features in this release.

14.2 80000070104 Issue A September

2022

Issue B November Updated Successfully Upgrading Ensemble Controller.

2022

Ensemble Controller R15.3 Administrator Manual - Issue: A 44

Adtran Preface

Product Document Document Issue Date Description

Release Number Issue

14.3 80000071326 Issue A December Manual updated according to new features in this release.
2022

Issue B February 2023 Updated Successfully Upgrading Ensemble Controller.

15.1 80000072271 Issue A May 2023 Manual updated according to new features in this release.

Issue B July 2023 Updated these sections:

l Successfully Upgrading Ensemble Controller
l Applying and Testing the New Standard High-Availability Configuration

15.2 80000074000 Issue A September Manual updated according to new features in this release.
2023

15.3 80000075300 Issue A February 2024

Ensemble Controller R15.3 Administrator Manual - Issue: A 45

Adtran Installing and Logging into Ensemble Controller

Chapter 1
Installing and Logging into
Ensemble Controller
This chapter introduces Ensemble Controller with an overview of the product and its main
features. It also includes instructions for how to install and start Ensemble Controller.

Overview 46
Installation Requirements 48
Installing Ensemble Controller 70
Preparing and Enabling the Embedded License Server 97
Importing Ensemble Controller Server Certificates to the Client 98
(Optional) Installing Additional Programs 99
Starting the Ensemble Controller Server 113
Stopping the Ensemble Controller Server 115
Logging Into the Ensemble Controller Client 116

Overview
Ensemble Controller is the Adtran element management system (EMS). It enables to monitor
and to keep an overview of all nodes (network elements) in a network that we provide:
l Inventory
l Network interconnection
l Services
l Events
l Individual node status

Ensemble Controller also provides basic support for SNMP-capable third-party products, which
includes:
l Mapping network elements in the Topology Graph.
l Starting a local craft interface.

Ensemble Controller R15.3 Administrator Manual - Issue: A 46

Adtran Installing and Logging into Ensemble Controller

l Logging specific traps.

l Indicating network element level alarm states.

Use Ensemble Controller in network operation centers, where day-to-day monitoring and
troubleshooting is carried out. We recommend to use the available product-specific Element
Manager (EM) for on-site maintenance or the respective local craft interfaces. You can open
the product-specific EM or local craft interfaces directly from Ensemble Controller.

Communication 47
Graphical User Interface 47
Subnetworks 47
Events 47
User Management 48
Performance 48
Security 48
Pro-Vision Support 48

Communication
Ensemble Controller is based on a general server-client architecture. Several Ensemble
Controller Clients can simultaneously run, which allows different users with different roles and in
different physical locations to work at the same time. Ensemble Controller communicates with
the network elements through SNMP. Only run one Ensemble Controller Server instance on one
machine.

Graphical User Interface

To work with services and events is easy with the intuitive graphical user interface (GUI). The GUI
is designed as a standard Windows interface.

Subnetworks
Ensemble Controller automatically proposes the topology for the connected network elements
if you install new subnetworks or manually specify a subnetwork. You can manage multiple
subnetworks with one Ensemble Controller.

Events
The event tool provides full overview of events. You can specify user-specific event filters to
tailor event notification to your requirements. Also, sounds and beeps can be customized for
each event on a per-user basis. Ensemble Controller correlates, analyses, and re-assesses
event severities. It displays fault causes and their correlations are deduced.

Ensemble Controller R15.3 Administrator Manual - Issue: A 47

Adtran Installing and Logging into Ensemble Controller

User Management
Management of users is easy with the Security Manager. You define different user roles with
different user rights to Ensemble Controller. All passwords are encrypted.

Performance
Performance records are made available and also the facility to build up a record history for
each performance type.

Security
Ensemble Controller maintains the security level for each Client on the Server side. This makes
restricted network views possible and also centralized authentication through RADIUS, TACACS+,
or LDAP.

Pro-Vision Support
Pro-Vision standalone is superseded by Ensemble Controller. Ensemble Controller still supports
the Pro-Vision client using a web-based user interface.

Installation Requirements
Required Minimum Server Hardware 48
Required Minimum Client Hardware 58
The Embedded License Server 61
Antivirus Software 62
Local Area Network 63
Network Elements 65
Using RADIUS, TACACS+, or LDAP 66
Third-Party Software 66
Using FTP or SSH Servers 66
Additional Software 67
Optional Hardware 67
Optional Applications 68

Required Minimum Server Hardware

Several clients can simultaneously access the Ensemble Controller Server application:

Ensemble Controller R15.3 Administrator Manual - Issue: A 48

Adtran Installing and Logging into Ensemble Controller

l Up to 75 clients on extra-large (XL) servers.

l Up to 25 clients on large (L) servers.
l Up to 15 clients on medium (M) servers.
l Up to 10 clients on small (S) servers.

Connect the clients to the server using LAN or WAN connections.

Active northbound interface (NBI) sessions are also clients, for example, TAPI or MTOSI.
See these topics for information about the server hardware required for various operating
systems:

General Information 49
Supported Operating Systems (Server) 53
Minimum Requirements for Windows Test Servers 54
Recommended Windows Server Hardware 54
Recommended Linux Server Hardware 56

General Information
Network Element Equivalents 49
Performance Management Object Count 52
Installing the Server Hardware 53
High-Availability Solution with a Redundant Server 53
Upgrading the Server Hardware 53

Network Element Equivalents

Servers can manage a specific number of network element equivalents. This table outlines the
equivalent load that results with the use of various elements or shelves:

Table 2: Network Element Equivalents

Element Type Network Per Unit Remarks
Element
Equivalents

FAS ALM 16 Port 1 Device

FAS ALM 64 Port 4 Device

FSP 150CCf-825 1 Device Also 324 or 584.

FSP 150CC-GE20x 1 Device Includes all 201 and 206

variants.

FSP 150CC-T1804, 1 Device

FSP 150CC-3204

Ensemble Controller R15.3 Administrator Manual - Issue: A 49

Adtran Installing and Logging into Ensemble Controller

Element Type Network Per Unit Remarks

Element
Equivalents

FSP 150CM 6 Device Remote network terminals, for

example FSP 150CP, meet the
definition as additional
network-element equivalents,
according to the amounts
specified in this table.

FSP 150CP 1 Device

FSP 150EG-M2 1 Traffic Ethernet over Fiber (EoF).

FSP 150EG-M4 Module Ethernet over Copper (EoC).
FSP 150EG-M8 Ethernet over TDM (EoTDM).
1 x 10 Gbps or 10 x 10 Gbps
traffic module.

FSP 150EG-X 1 Traffic 1 x 10 Gbps or 10 x 10 Gbps

Module traffic module.

FSP 150-GE100Pro 1 Device

FSP 150-GE101Pro 1 Device Micro NID

FSP 150-GE102Pro 1 Device

FSP 150-GE104 1 Device

FSP 150-GE11x, FSP 1 Device

150-GE11xPro

FSP 150-GO102Pro 1 Device

FSP 150Mx 1 Device

FSP 150-XG100Pro 1 Device Remote network terminals, for

example FSP 150CP, meet the
definition as additional
network- element
equivalents, according to the
amounts specified in this
table.

FSP 150-XG108/XJ128 1 Device

Ensemble Controller R15.3 Administrator Manual - Issue: A 50

Adtran Installing and Logging into Ensemble Controller

Element Type Network Per Unit Remarks

Element
Equivalents

FSP 150-XG210 1 Device Remote network terminals, for

example FSP 150CP, meet the
definition as additional
network- element
equivalents, according to the
amounts specified in this
table.

FSP 150-XG210C 1 Device

FSP 150-XG300 1 Device

FSP 150-XG400 4 Device Maximum of 3000 FSP 150 XG

400 NEs are supported, up to
5000 without PM collection.

FSP 150-XO106 1 Device

FSP 1500 2 Device

FSP 3000 C 12 HU 8 Active Maximum of 3000 FSP 3000 C

Size Shelf NEs are supported, up to 5000
without PM collection.
FSP 3000 C Slimline 4 Active
and 3HU/4HU Shelf
Shelves

FSP 3000 C TeraFlex 2 Active

Shelves Shelf

FSP 3000-SH1PCS 1 Device

FSP 3000R7 7/9/12 4 Active Only shelves with a shelf

HU Size Shelf control unit.

FSP 3000R7 Slimline 2 Active Only shelves with a shelf

and ILA Shelf control unit.

Generic SNMP 1 Device l Generic integration of

Element other SNMP devices.
l Maximum of 1000 generic
SNMP NEs are supported.

Ensemble Controller R15.3 Administrator Manual - Issue: A 51

Adtran Installing and Logging into Ensemble Controller

Element Type Network Per Unit Remarks

Element
Equivalents

HN 400 1 Device
HN 4000

Juniper MX Routers

OSA 3230B

OSA 3300

OSA 3350

OSA 5331

OSA 5335 1 Device Only Ensemble Controller

OSA 5548C release versions 9.2 and later
support these elements. The
network-element equivalent
numbers are preliminary.

OSA 5401 1 Device

OSA 5405
OSA 5420
OSA 5421
OSA 5422

OSA 5410 1 Device Also FSP 150SP-100.

OSA 5411
OSA 5412

OSA 5430, OSA 5440 1 Device

with 1LC

OSA 5440 with more 2 Device

than 1LC

OSA SoftSync 1 SW bundle Maximum of 5000 SoftSync

devices are supported.

Symmetricom 1 Device
TP5000

Performance Management Object Count

A performance management object (PMO) is an entity within an element that provides a set of
up to 64 individual registers. The registers contain either a counter for errored seconds or
packets sent, or condensed measurement values such as the average receive power. The
system obtains these counters during a 1-minute, 15-minute or a 24-hour period. Some PMOs
contain more than 64 registers. You can specify a maximum of 64 for collection.

Ensemble Controller R15.3 Administrator Manual - Issue: A 52

Adtran Installing and Logging into Ensemble Controller

In addition to the per-element value of PMOs, you should also consider the number of probing
points for the performance monitoring values that the system collects. You can find these in the
table Windows Hardware Requirements for Ensemble Controller Servers.
Values for the 24-hour collections are less important to the system. Registers that collect 15-
minutes values are important for proper dimensioning. The system needs to poll the PMOs with
all their registers within a 15-minute period, or 900 seconds.
Physical ports usually represent PMOs. Related virtual entities such as VLAN TPs or VCHs are also
PMOs if the system collects data from them.
Typical PMO usage is on average 3 PMOs and sourced from elements such as a 150CC and
about 12 per FSP 3000 shelf. In systems that collect large amounts of PMOs, this factor can
overload a server that has still lots of capacity in relation to network element equivalents.

Installing the Server Hardware

Mount the servers in racks. Ensure that heat and airflow are within the site-per-rack limits.
Supply power to the servers from separate feeds into the equipment. In most cases, two
separate power supply units (PSUs) can power each server. The total power dissipation must be
within the site-limit-per rack. We highly recommend that you store your Ensemble Controller
backup files externally.

High-Availability Solution with a Redundant Server

You have the option to focus on high availability. To achieve this, use a second standby server
machine. Install this second server locally or remotely for situations such as fires, earthquakes,
or other catastrophic failures. If the primary server goes offline or loses power, the secondary
server automatically assumes control with full functionality.
Configure the standby server exactly as you configured the primary server.

Upgrading the Server Hardware

We recommend that you consider the growth of your network over the next two years when you
make decisions about your server hardware. At the end of two years, you can then evaluate any
new hardware requirements. You should consider the actual network size and the projections
for the next period.
Many hardware platforms allow you to upgrade or increase the number of CPUs or RAM, if you
require only a small increase in hardware power. You can add just one CPU to upgrade some of
the systems mentioned in Recommended Windows Server Hardware and Recommended Linux
Server Hardware.
If you use the high-availability solution with a redundant server, you can perform the upgrade
or exchange of the servers without interruption to network management.

Supported Operating Systems (Server)

You can install the Ensemble Controller Server on these 64-bit operating systems:

Ensemble Controller R15.3 Administrator Manual - Issue: A 53

Adtran Installing and Logging into Ensemble Controller

64-bit Operating System Version

Windows l Windows Server 2016

l Windows Server 2019
l Windows Server 2022

Red Hat Enterprise Linux l Linux 7.8 and 7.9

l Linux 8.6 and 8.8

You can use all supported Windows and Linux operating systems natively or on VMWare
vSphere 6.5, 6.7, or 7.0.

Starting with 16.1 version, ENC will no longer support MS Windows for the server
application. For new projects, we highly recommend to consider the Linux
operating system.

Minimum Requirements for Windows Test Servers

Table 3: Windows Server Hardware
Requirements for Test Systems
Processor 2 GHz

RAM 8 GB

HD 100 GB

LAN 100 Mbps

Recommended Windows Server Hardware

This table lists the recommended hardware requirements for different network sizes that are
characterized by the network equivalent counter. These examples use the HPE ProLiant server.

Ensemble Controller R15.3 Administrator Manual - Issue: A 54

Adtran Installing and Logging into Ensemble Controller

Table 4: Windows Hardware Requirements for Ensemble Controller Servers

Network Network PMO Clients Computer SPECint2
Size Element Server
Equivalent Example1

S 2,000 3,000 10 HPE ProLiant 41

DL360 Gen10
with 1x 4208 with
8 cores and 16
threads @ 2.1
GHz, 16 GB RAM,
GBE LAN, 1x PSU
500W, 1x HD

M 4,000 6,000 10 HPE ProLiant 55

DL360 Gen10
with 1x 4210 with
10 cores and 20
threads @ 2.2
GHz, 16 GB RAM,
GBE LAN,
redundant PSU
500W, 2x HD

L 10,000 12,000 25 HPE ProLiant 110

DL360 Gen10
with 2x 4210 with
2x 10 cores and
20 threads @
2.2 GHz, 16+16 GB
RAM, GBE LAN,
redundant PSU
500W, 2x HD

XL3 40,000 60,000 75 HPE ProLiant 222

DL360 Gen10
with 2x 6230
with 2x 20 cores
and 40 threads
@ 2.1 GHz, 64 GB
RAM, GBE LAN, 2x
PSU 800W, 2x HD

Ensemble Controller R15.3 Administrator Manual - Issue: A 55

Adtran Installing and Logging into Ensemble Controller

Network Network PMO Clients Computer SPECint2

Size Element Server
Equivalent Example1

XL3 80,000 100,000 75 HPE ProLiant 222

with 24h- DL360 Gen10
values with 2x 6230
only with 2x 20 cores
and 40 threads
@ 2.1 GHz, 64 GB
RAM, GBE LAN, 2x
PSU 800W, 2x HD

Footnotes:
1. You need to follow these requirements:
l Up to a 500-GB hard drive and GbE LAN connections for field deployment, bare metal, and
virtualized servers.
l To install Ensemble Controller on a Windows Server in general, you must first install the
Microsoft Visual C++ 2015 Redistributable Package on your 64-bit system.
l For new designs, we recommend the 64-bit version of Windows Server 2022, and for
upgrades also the 64-bit version of Windows Server 2016 or Windows Server 2019.
l We do not deliver the operating system. You must order Microsoft Windows and for
virtualized deployments VMWare vSphere 6.0, 6.7, or 7.0 when you order the hardware.
2. The SPECint value provides a performance number based on SPECint2017 (see
www.spec.org) containing a long list of recent computers. You can use this value to find
equivalent machines of different vendors or CPU types.

3. For XL systems, adjust the memory settings. See Changing the Memory Settings of the
Mediation Server in Linux and Setting the Shared Buffer Size for details.

If you plan to enhance your network in the future, we recommend that you use the next server
size.
Operating system patches that limit the CPU performance or virtual-machine overhead do not
affect performance of Ensemble Controller.

Depending on your unique requirements, you must adjust your system. For
information, see System Settings.

Recommended Linux Server Hardware

The number of network element equivalents characterize the network size. The Linux hardware
requirements for different network sizes based on their network element equivalents are shown
in this table. These examples use HPE ProLiant servers.

Ensemble Controller R15.3 Administrator Manual - Issue: A 56

Adtran Installing and Logging into Ensemble Controller

Table 5: Linux Hardware Requirements for Ensemble Controller Servers

Network Network PMO Clients Computer SPECint2
Size Element Server
Equivalents Example1

S 2,500 3,500 10 HPE ProLiant 41

DL360 Gen10
with 1x 4208
with 8 cores
and 16 threads
@ 2.1 GHz, 16 GB
RAM, GBE LAN,
1x PSU 500W, 1x
HD

M 6,000 8,000 10 HPE ProLiant 55

DL360 Gen10
with 1x 4210
with 10 cores
and 20
threads @ 2.2
GHz, 16 GB RAM,
GBE LAN,
redundant PSU
500W, 2x HD

L 15,000 20,000 25 HPE ProLiant 110

DL360 Gen10
with 2x 4210
with 2x 10 cores
and 20
threads @ 2.2
GHz, 16+16 GB
RAM, GBE LAN,
redundant PSU
500W, 2x HD

XL3 60,0004 90,000 75 HPE ProLiant 222

DL360 Gen10
with 2x 6230
with 2x 20
cores and 40
threads @ 2.1
GHz, 64 GB
RAM, GBE LAN,
2x PSU 800W,
2x HD

Ensemble Controller R15.3 Administrator Manual - Issue: A 57

Adtran Installing and Logging into Ensemble Controller

Network Network PMO Clients Computer SPECint2

Size Element Server
Equivalents Example1

XL3 120,000 150,000 75 HPE ProLiant 222

with 24h- DL360 Gen10
values with 2x 6230
only with 2x 20
cores and 40
threads @ 2.1
GHz, 64 GB
RAM, GBE LAN,
2x PSU 800W,
2x HD

Footnotes:
1. You need to follow these requirements:
l Up to a 500-GB hard drive and GbE LAN connections for field deployments, bare metal,
and virtualized servers.
l We do not deliver the operating system or virtualization software. You must order the
supported versions. For virtualized deployments you must order VMWare vSphere 6.5,
6.7, or 7.0 when you order the hardware.

2. The SPECint value provides a performance number based on SPECint2017 (see

www.spec.org) containing a long list of recent computers. You can use this value to find
equivalent machines of different vendors or CPU types.

3. For XL systems, adjust the memory settings and the maximum number of open file
descriptors. For details, see Changing the Memory Settings of the Mediation Server in
Windows (64 Bit), Setting the Shared Buffer Size and Installing Ensemble Controller in Linux.

4. NEE and PMO might be lower for customers with Sync Director Assurance extension.

If you plan to enhance your network in the future, we recommend that you use the next server
size. Operating system patches that limit the CPU performance or virtual-machine overhead do
not affect performance of Ensemble Controller.

Required Minimum Client Hardware

The Ensemble Controller Client can run as:
l A separate process on the same computer as the Ensemble Controller Server.
–or–
l A separate application on a different computer, and then you can also operate the GUI using
third-party applications such as Citrix® or GoGlobal™.

Ensemble Controller R15.3 Administrator Manual - Issue: A 58

Adtran Installing and Logging into Ensemble Controller

The computer where the Ensemble Controller Client runs can have a different operating system
than the computer that the Ensemble Controller Server uses. For example, the server can run on
a Linux workstation while the client runs on a Windows computer. However, the Ensemble
Controller Server does not support the use of sleep or standby modes on the computer. Always
close the Ensemble Controller Client or Ensemble Controller Server before you set the computer
in these modes.
Several clients can simultaneously access the Ensemble Controller Server application:
l Up to 75 clients on extra-large (XL) servers.
l Up to 25 clients on large (L) servers.
l Up to 15 clients on medium (M) servers.
l Up to 10 clients on small (S) servers.

Connect the clients to the server using LAN or WAN connections.

See these topics for information about the client hardware or software requirements for various
operating systems:

Supported Operating Systems (Client) 59

Minimum Requirements for Test Systems 60
Recommendations for the User Environment 60
Client Server Requirements 60

Supported Operating Systems (Client)

You can install the Ensemble Controller Client on these 64-bit operating systems:

64-bit Operating Version

System

Windows l Windows 10
l Windows 11
l Windows Server 2016
l Windows Server 2019
l Windows Server 2022

Red Hat Enterprise Use these versions with the GNOME 3 desktop manager and the X11
Linux protocol, which you must install on the same server as the Ensemble
Controller Client:
l Linux 7.8 and 7.9

l Linux 8.6 and 8.8

You can use all supported Windows and Linux operating systems natively or on VMWare
vSphere 6.5, 6.7, or 7.0.

Ensemble Controller R15.3 Administrator Manual - Issue: A 59

Adtran Installing and Logging into Ensemble Controller

Minimum Requirements for Test Systems

Table 6: Client Hardware Requirements for Windows and Linux Test
Systems
Processor 2 GHz minimum

RAM 8 GB minimum

HD 20 GB free space, and 20 GB for /opt in Linux

LAN 100 Mbps

DVD ROM Drive To install software (optional)

Screen l Size: 21 inches

l Minimum resolution: 1280 x 1024

Recommendations for the User Environment

Table 7: Recommended Client Hardware for the Windows and Linux User
Environment
Processor 2.5 GHz, 2 cores

RAM 16 GB

HD 50 GB free space

LAN 1000 Mbps

DVD ROM Drive To install software (optional)

Screen For network operations centers:

l Minimum Size: 31 inches
l High contrast, minimum resolution options:
o 3840 × 2160
–or–
o 4096 × 2160

Client Server Requirements

You can install the client application on a separate server. However, you must separately
purchase the hardware for this server and any third-party applications such as Citrix® or
GoGlobal™.

Ensemble Controller R15.3 Administrator Manual - Issue: A 60

Adtran Installing and Logging into Ensemble Controller

The Embedded License Server

The Embedded License Server stores the licenses that you purchased, and thus determines the
scope of system functions and features in Ensemble Controller, and also whether you have
unimpeded access to all network objects within a particular network. With the Ensemble
Controller version 12.1, the Embedded License Server is mandatory.

Supported Operating Systems 61

Installation Options 61
Required License Server Hardware for the Local Installation 62
Interaction of Ensemble Controller and Embedded License Servers in High Availability 62

Supported Operating Systems

You can install the Embedded License Server on these 64-bit operating systems:

64-bit Operating System Version

Windows l Windows 10
l Windows 11
l Windows Server 2016
l Windows Server 2019
l Windows Server 2022

Red Hat Enterprise Linux l Linux 7.8 and 7.9

l Linux 8.6 and 8.8

Installation Options
You have these options to install the Embedded License Server:
l (Recommended) Locally on the server where you will also install Ensemble Controller. This
option requires additional server hardware as described in Required License Server Hardware
for the Local Installation.
–or–
l Standalone on a separate server that is independent from the server where you will install
Ensemble Controller.
–or–
l Two Embedded License Servers installed locally or standalone that operate in a main-
backup configuration for high availability. For information, see Interaction of Ensemble
Controller and Embedded License Servers in High Availability.

To install the Embedded License Server, we recommend to use the Ensemble Controller
installation wizard described in Installing Ensemble Controller.
After you install the Embedded License Server, you must prepare and enable it for Ensemble
Controller as described in Preparing and Enabling the Embedded License Server.

Ensemble Controller R15.3 Administrator Manual - Issue: A 61

Adtran Installing and Logging into Ensemble Controller

Required License Server Hardware for the Local

Installation
If you locally install the Embedded License Server on the same server as Ensemble Controller,
meet these hardware requirements in addition to the Required Minimum Server Hardware for
Ensemble Controller.

Table 8: License Server Hardware Requirements

Processor 2 cores or reduction of the NEE size by 2000

RAM 4 GB

HD 10 GB

For information about the hardware requirements if you install the Embedded License Server
standalone on a separate server, see the Embedded License Server Administrator Manual.

Interaction of Ensemble Controller and Embedded

License Servers in High Availability
Two Embedded Licenses Servers can operate in a main-backup configuration for high
availability. Ensemble Controller will favor interacting with the main Embedded License Server
whenever it is available. If the main Embedded License Server is unreachable, then Ensemble
Controller will interact with the backup Embedded License Server, which also has information
about the available licenses. If Ensemble Controller cannot reach either of the main or backup
Embedded License Servers, then it continues to use any previously acquired licenses up until
the time when their lease or the license expires.
For information about how to configure high availability for two Embedded License Servers, see
the Embedded License Server Administrator Manual.

Antivirus Software
If your system uses antivirus software and a firewall, you need to set up the Ensemble Controller
Server folders, files and the firewall ports so that they can all access the server and the client
environment.

Server Environment 62
Client Environment 63

These sections provide information about how to set up antivirus software. See Communication
Ports for information about required firewall ports.

Server Environment
Exclude these Ensemble Controller default installation directories from antivirus protection:

Ensemble Controller R15.3 Administrator Manual - Issue: A 62

Adtran Installing and Logging into Ensemble Controller

l For a 32bit Windows OS, the default installation directory is

C:\Program Files\ADVA Optical Networking\FSP Network Manager
l For a 64bit Windows OS, the default installation directory is
C:\Program Files (x86)\ADVA Optical Networking\FSP Network Manager
l For a Linux OS, the default installation directory is
opt/adva/fsp_nm

Exclude these EXE application files from antivirus protection. Make sure these files can fully and
permanently access the network in relation to the Ensemble Controller installation directory:
l SNMP Forwarder
l Mediation Server
l JMS Server
l postgres\bin\pg_basebackup.exe
l postgres\bin\pg_ctl.exe

Client Environment
If you install Ensemble Controller on a PC or laptop that is running a Windows
operating system, problems can occur when virus scanners are also running
on the computer. To avoid any problems, configure the antivirus scanner to
use the settings that follow.

Exclude these directories from antivirus protection:

l Ensemble Controller installation directory
o For a 32bit Windows OS, the default installation directory is
C:\Program Files\ADVA Optical Networking\FSP Network Manager
o For a 64bit Windows OS, the default installation directory is
C:\Program Files (x86)\ADVA Optical Networking\FSP Network Manager
o For a Linux OS, the default installation directory is
opt/adva/fsp_nm
l Ensemble Controller user directory
C:\Users\<username>\FSP Network Manager

Local Area Network

You need local area network (LAN) connectivity for communication between:
l The network element and the Ensemble Controller Server.
l For a high-availability solution:
o The Ensemble Controller Server and the Ensemble Controller standby Server.
–and–
o The network element and the Ensemble Controller standby Server.

l The Ensemble Controller Server and Clients.

l The Ensemble Controller Server and an operating support system, if applicable.

Ensemble Controller R15.3 Administrator Manual - Issue: A 63

Adtran Installing and Logging into Ensemble Controller

For information about communication ports, see Supported Communication Ports.

Network Element-to-Server Connections 64

Server-to-Server Connections 64
Server-to-Client Connections 64
Server-to-Northbound Interface Connections 64

Network Element-to-Server Connections

Network element bandwidth requirements depend on the network size.
l On the server side, we recommend a 1-Gbps connection to the router.
l Farther downstream, for FSP 3000R7 equipment, we recommend 64 Kbps per lambda with a
minimum of 256 Kbps per network element.
l If you use the Network Element Director (NED), you will need a minimum of 2 Mbps. For
Ethernet and OSA equipment, we recommend a minimum of 200 Kbps per device.
l For FSP 3000 C, we recommend a 5-10 Mbps capacity per node on its DCN connection,
depending on the node size.
l For FSP 3000 C networks, we recommend a 1-Gbps connection as long as the number of
nodes does not exceed 500. For larger networks, we recommend interfaces with higher bit
rates to stay above 2 Mbps DCN capacity in average per node, considering statistical
multiplexing.

Server-to-Server Connections
The bandwidth between a primary and a secondary server strongly depends on the database
size, which is based on the network size. The minimum bandwidth is 100 Mbps. For larger
networks, we recommend a 1-Gbps connection.

Server-to-Client Connections
The minimum bandwidth requirement is 4 Mbps per client. For example, you need 200 Mbps if
50 clients run at the same time. If a client supports multiple windows, the minimum bandwidth
requirement when you run all clients at the same time is:
l 6 Mbps for one client
l 300 Mbps for 50 clients

Server-to-Northbound Interface Connections

The minimum bandwidth requirement for a northbound interface (NBI) connection is 1 Mbps
between a server and operating support systems (OSS).

Ensemble Controller R15.3 Administrator Manual - Issue: A 64

Adtran Installing and Logging into Ensemble Controller

Network Elements
Ensemble Controller Server Filter
For each network element that you want Ensemble Controller to manage, you must set the
server filter to allow write operations from Ensemble Controller.
See the related network element user documentation for instructions to manually add the
Ensemble Controller Server IP address to the trapsink table. When Ensemble Controller discovers
the network element, the system automatically adds the Ensemble Controller Server IP address
to the network element trapsink tables.

Trapsink Table
For all Adtran network elements that the Ensemble Controller Client discovers, the Ensemble
Controller Server automatically adds its IP address to the trapsink table of the discovered
network elements. Ensemble Controller can then receive SNMP traps, or event messages, from
these network elements.
If the network element trapsink table has reached the maximum number of 10 entries, the
Ensemble Controller Server cannot add its IP address, however, continues to try to register itself
until it succeeds.
For third-party devices such as Juniper, you must manually add the IP address of the Ensemble
Controller Server to the trapsink table through craft. See the associated product user manual
for information about how to add IP addresses to the trapsink table.
For more information about trapsink table registration, see the User Manual, Ensemble
Controller Architecture.

SNMP Access
You must enable the SNMP interface on managed network elements. On some network
elements, you can disable the SNMP interface. You must be familiar with the network element
SNMP settings such as user name and community strings. If the network element uses SNMPv3,
you must know the user name, security level, authentication and privacy protocol, and the
password.

FTP Access
If you use any new software features or use the network element configuration backup, you
must enable the FTP client on the network elements. On some network elements, you can
disable the FTP client. If you use secure FTP, you must enable the secure copy protocol (SCP) in
the network element, and you must know the network element settings. To transfer files, an FTP
server must be available, and you must know the FTP server account details.
See the network element manual for more information about how to enable FTP clients.

Ensemble Controller R15.3 Administrator Manual - Issue: A 65

Adtran Installing and Logging into Ensemble Controller

General Aspects
To stay in sync with the network elements and their time stamps, be sure to have access to a
network time protocol (NTP) server. You can use Red Hat Linux or VMWare to take advantage of
virtualized server environments. We have not tested other solutions and therefore cannot
support them.

Using RADIUS, TACACS+, or LDAP

See the appropriate topic to configure Ensemble Controller for remote authentication with one
of these protocols:
l Setting Up RADIUS Authentication
l Setting Up TACACS+ Authentication
l Setting Up LDAP Authentication

Remote authentication through these protocols is optional in Ensemble Controller.

Third-Party Software
The Ensemble Controller installation package includes these software applications to support
and complement Ensemble Controller features. However, you can install any software other
than these third-party products because Ensemble Controller uses standard protocols.

Application Supported Operating Description

Systems

FTP Server: Windows Use for software downloads and network-

FileZilla element backup or restore activities.

Database: SQL All Installs automatically and scales to the

maximum network size. No other database
instance can be active on the same server
instance.

For information about how to install third-party products, see (Optional) Installing Additional
Programs.

Using FTP or SSH Servers

We recommend that you use the FTP and SSH servers available with the Linux operating system.

Ensemble Controller R15.3 Administrator Manual - Issue: A 66

Adtran Installing and Logging into Ensemble Controller

Additional Software
The Ensemble Controller distribution set does not include these required, additional software
applications. You must provide them on all client machines.

Application Required to

A web browser, for Use the web GUI as craft.

example Firefox, Microsoft
Edge or Google Chrome

Adobe Acrobat Reader l Display reports.

–or–
l Read the Administrator Manual or User Manual.

Secure Shell (SSH) l Provide high availability.

–or–
l Provide encrypted communication through the ASCII craft
interface to network elements.

Docker containerization Use optional applications such as GNSS Assurance, TAPI, or

software Ensemble Fiber Director.

Tile server software Respresent expected offline tile servers for geographical map.

Python with minimum SW Use optional Streaming HA solution on Linux RedHat operation
version 3.6.8 system.

OpenSSL with minimum

SW version 1.0.2

Optional Hardware
For the FTP server application, the hardware can be:
l The Ensemble Controller Server.
–or–
l An existing shared FTP server.
–or–
l A dedicated FTP server.

We recommend that you routinely back up your server using tape-backup systems and that
you use firewalls to secure your management systems.

Ensemble Controller R15.3 Administrator Manual - Issue: A 67

Adtran Installing and Logging into Ensemble Controller

Optional Applications
These optional applications require additional resources.

Ensemble Optical Director with Centralized Control Plane 68

Ensemble Sync Director Assurance Extension 68
Ensemble Fiber Director 69
Streaming High Availability 69
Transport API North Bound Interface 69

Ensemble Optical Director with Centralized Control Plane

You can provide Ensemble Controller with the optional Ensemble Optical Director. This solution
provides end-to-end service provisioning for WDM services. The Ensemble Optical Director can
use the distributed Control Plane (CPd) for the network elements or the centralized Control
Plane (CPc) server instance for routing calculation and signaling.

CPc is the state-of-the-art version of Control Plane for ENC. Therefore, you
should use CPc for all green-field installations.

If you want to use the CPc, you typically install it on the same system as Ensemble Controller.
The additional load must be reflected by 2 additional network element equivalents for each
shelf that the CPc manages.
You can install the CPc on a 64-bit operating Linux system using these versions:
l 7.8 and 7.9
l 8.6 and 8.8

For more information, see Managing the Centralized Control Plane, or the associated Ensemble
Controller release notes.
The maximum number of network elements that the CPc can handle in Ensemble Controller 15.3
is 3,000.

Ensemble Sync Director Assurance Extension

The Ensemble Sync Director is part of the Ensemble Controller bundle and therefore does not
need extra resources.
GNSS Assurance and PTP (Time and Phase) Assurance are optional extension applications that
you build on top of a Docker container technology in Linux. You can install them either on the
same system as Ensemble Controller, or on a dedicated separate system without Ensemble
Controller. You need an online or offline tile server to use this application for the geographic
information system (GIS).
The system where you want to install GNSS Assurance or PTP Assurance must meet these
minimum requirements:

Ensemble Controller R15.3 Administrator Manual - Issue: A 68

Adtran Installing and Logging into Ensemble Controller

Disk Drive l 1 TB of dedicated disc space in /var/lib/docker. We recommend to use a

separate partition.
–or–
l 500 GB if you install only either one of the optional applications that is GNSS
Assurance or PTP Assurance.
l If you require enhanced performance, we recommend an SSD disk drive.

RAM l 64 GB if you install Ensemble Controller, GNSS Assurance, or PTP Assurance

on the same system. The number of supported devices and PMOs reduces
to 12,000 network element equivalents and 15,000 PMOs for XL systems.
l 32 GB if you install GNSS Assurance or PTP Assurance on a dedicated
separate system without Ensemble Controller.

For details about necessary software for Sync Assurance tools, see Configuring Sync Assurance
and the Ensemble Fiber Director Server.

Ensemble Fiber Director

For details about necessary hardware and software to operate Ensemble Fiber Director, see the
Ensemble Fiber Director User Manual and Installing the Ensemble Fiber Director Server in Linux.
The software runs on Docker containers in Linux systems. You need an online or offline tile server
to use this application for the geographic information system (GIS).

Streaming High Availability

In contrast to standard high availability, the streaming high-availability solution requires 3
servers in total that is, 2 identical ones as described in High-Availability Solution with a
Redundant Server, and an additional quorum server.
The quorum server must meet these requirements:

RAM 4 GB

HDD 20 GB

CPU 2 core, 2 GHz

OS Linux

Transport API North Bound Interface

To install the transport API north bound interface (TAPI NBI) on the same system as Ensemble
Controller, the system must meet these minimum requirements:

Ensemble Controller R15.3 Administrator Manual - Issue: A 69

Adtran Installing and Logging into Ensemble Controller

Processor 2 cores with 2 GHz

RAM l 4 GB for up to 500 network size S

l 8 GB for network size M
l 16 GB for network size L
l 32 GB for network size XL

HDD 20 GB

You can install the TAPI NBI on a 64-bit operating Linux system using these versions:
l 7.8 and 7.9
l 8.6 and 8.8

The TAPI NBI requires also the Docker Engine to be installed as a pre-requisite. For more
information, see the ONF TAPI Integration Manual.

Installing Ensemble Controller

This section describes how to install Ensemble Controller in Windows or Linux, and then to verify
afterwards whether all services started successfully.
If installation failures occur, for details about remedial action, see Resolving Installation Issues.
For information about how to uninstall Ensemble Controller, see Uninstalling Ensemble
Controller.

Installing Ensemble Controller in Windows 70

Installing Ensemble Controller in Linux 86
Troubleshooting Client Download Errors 93
Viewing and Deleting Installed Clients 95

Installing Ensemble Controller in Windows

Requirements for Installing Ensemble Controller in Windows 71
Steps to Installing Ensemble Controller in Windows 71
Silent Installation of the Ensemble Controller Client 79
Verifying Services in Windows 80
Changing the Memory Settings of the Mediation Server in Windows (64 Bit) 82
Installing Ensemble Controller Client Only 82

Ensemble Controller R15.3 Administrator Manual - Issue: A 70

Adtran Installing and Logging into Ensemble Controller

Requirements for Installing Ensemble Controller in

Windows

Area Requirement Description

Application In the Salesforce Customer Portal, make sure to download both of

Software these software installation files:
l Ensemble_Controller_for_Windows_v[xx.x.x]-B[xxxxx]-[xx]bit.zip.001
l Ensemble_Controller_for_Windows_v[xx.x.x]-B[xxxxx]-[xx]bit.zip.002

The system requires both of these files to completely install Ensemble

Controller.

Memory Settings Adjust the memory settings according to your system size. See
Changing the Memory Settings of the Mediation Server in Windows (64
Bit) and Setting the Shared Buffer Size.

Antivirus Software Familiarize yourself with Antivirus Software.

Administrative You have full administrative privileges on your local computer. Verify
Privileges and if required modify your user account control settings.

Virtual Memory On the computer where you want to install Ensemble Controller, ensure
Paging File that the system automatically manages the paging file for virtual
memory, or at least set it to the size of the physical memory in the
system.

Steps to Installing Ensemble Controller in Windows

1. After you download the required software installation files as described in the Application
Software requirement, unzip only the 001 ZIP file, for example:
Ensemble_Controller_for_Windows_v[xx.x.x]-B[xxxxx]-[xx]bit.zip.001

2. In the unzipped folder, select the EXE installation file, for example:
Ensemble_Controller_for_Windows_v[xx.x.x]-B[xxxxx]-[xx]bit.exe

Ensemble Controller R15.3 Administrator Manual - Issue: A 71

Adtran Installing and Logging into Ensemble Controller

The InstallAnywhere window appears with a status bar to show progress:

After the InstallAnywhere window, the Introduction window appears:

Ensemble Controller R15.3 Administrator Manual - Issue: A 72

Adtran Installing and Logging into Ensemble Controller

3. Click Next. The Choose Install Folder window appears:

4. To choose the installation folder, proceed with one of these options:

l Click Next to accept the default installation folder.
l Click Choose to browse and select an alternate folder.
We recommend that you install the Ensemble Controller in a default
folder. Do not install directly on system partition (just C:\, without any
folders), as Windows have restricted permissions for the files in C:\.

l Click Restore Default Folder to reset to the default folder.

Ensemble Controller R15.3 Administrator Manual - Issue: A 73

Adtran Installing and Logging into Ensemble Controller

5. Click Next. The Choose Install Set window appears:

6. In the Install Set field, select the appropriate installation set:

Option Description or Steps

Typical All required components install.

Custom Clear the components that you do NOT want to install.

l To view a brief description for one of the installation

components, select the relevant one, and then see the
Description area. For more information about the ENC
Server component, see the User Manual, Ensemble
Controller Architecture.

Ensemble Controller R15.3 Administrator Manual - Issue: A 74

Adtran Installing and Logging into Ensemble Controller

Option Description or Steps

l With the Ensemble Controller version 12.1, the Embedded

License Server is mandatory.
NOTE:
o If you use the Ensemble Controller wizard to install only
the Embedded License Server, clear ENC Server and ENC
Client but select Embedded License Server.
o If you already have the Embedded License Server
installed, or you prefer to use installation scripts instead,
clear Embedded License Server but select ENC Server
and ENC Client. For information about the supported
installation scripts, see the Embedded License Server
Administrator Manual.

l NOTE: If you select ENC Client without automatic updates,

make sure to clear ENC Client. Ensemble Controller
supports only either one of the clients.

7. Click Next. The Pre-Installation Summary window appears:

Ensemble Controller R15.3 Administrator Manual - Issue: A 75

Adtran Installing and Logging into Ensemble Controller

8. Review the installation details. If incorrect, click Previous to step back through the wizard
windows, and then change any details. After you correct the installation details, click Install.
The Installing Ensemble Controller window appears. A status bar indicates progress:

During installation, another Executing... window appears:

Ensemble Controller R15.3 Administrator Manual - Issue: A 76

Adtran Installing and Logging into Ensemble Controller

After the installation completes, the wizard starts the Ensemble Controller services. The Post
Install Process - ENC Server window appears:

9. Click Next. The Start ENC Server window appears:

Ensemble Controller R15.3 Administrator Manual - Issue: A 77

Adtran Installing and Logging into Ensemble Controller

10. If you selected the Embedded License Server in Step 6, clear Start ENC Server because you
must first configure the license-related properties in the fnm.properties file and make sure
that you have loaded a suitable set of licenses on the Embedded License Server before the
Ensemble Controller Server starts. Step 14 includes more information.
11. Click Next. If you selected the Embedded License Server in Step 6, it installs next.

12. Click Next. The Post Install Process - Embedded License Server appears.

Ensemble Controller R15.3 Administrator Manual - Issue: A 78

Adtran Installing and Logging into Ensemble Controller

13. Click Next. The Installation Complete window appears:

14. Click Done to finalize the installation.

15. If you selected the Embedded License Server in Step 6, before you proceed with this
procedure, first prepare and enable the Embedded License Server as described in Preparing
and Enabling the Embedded License Server.
16. If you completed this procedure because of an Ensemble Controller upgrade, restart your
computer. For more information about how to upgrade the Ensemble Controller, see
Upgrading Ensemble Controller. For clean installations, the restart is not necessary.
17. Start the Ensemble Controller Server as described in Starting the Ensemble Controller Server.
18. Verify that all services run as described in Verifying Services in Windows. These services
incorporate the Ensemble Controller Server.
19. Start the Ensemble Controller Client as described in Logging Into the Ensemble Controller
Client.

Silent Installation of the Ensemble Controller Client

Complete these steps to "silently" install the Ensemble Controller (ENC) client.
A silent installation is one which does not display any indication of its progress and does not
require any user intervention (unattended).
It is useful for automating the installation process by using a text file, which is supported only for
the client installation and on a Windows operating system (OS).
1. Keep the Ensemble Controller installation application <ENC-version>.exe and the text file
fnmclientinstall.properties in the same directory.
An example of the fnmclientinstall.properties file, which you can use to perform a silent

Ensemble Controller R15.3 Administrator Manual - Issue: A 79

Adtran Installing and Logging into Ensemble Controller

installation with default settings, is available in the directory of an already completed

Ensemble Controller installation:
l In Windows, the Ensemble Controller installation directory is C:\Program Files (x86)\ADVA
Optical Networking\FSP Network Manager.
l In Linux, you can pick up the file from /opt/adva/fsp_nm to use it then in Windows.
2. Launch a command prompt window as administrator.
3. Go to the directory where the files are located.
4. Type this command:
<ENC-version>.exe –i silent –f fnmclientinstall.properties

This example shows the command if the files are located in the Ensemble Controller
installation directory:
c:\FNM\ FSP_Network_Manager_for_Windows_v9.5.1-64bit.exe -i silent –f
c:\FNM\fnmclientinstall.properties

Verifying Services in Windows

Complete these steps to verify whether services that Ensemble Controller requires to work
properly, successfully started in a Windows operating system.
1. Go to Start > Control Panel > Administrative Tools > Services. The Services window opens:

2. In the Status column, verify that these mandatory services display Running, which means
that they started successfully:
l ADVA: JMS Server
l ADVA: Mediation Server
l ADVA: PostgreSQL Server

3. If you find any discrepancies that is, some services listed in Step 2 have not started, use one
of these options to enable them:

Ensemble Controller R15.3 Administrator Manual - Issue: A 80

Adtran Installing and Logging into Ensemble Controller

Option Description or Steps

Restarting Use either of these procedures:

the Ensemble
a. Stop the server as described in Procedure for Stopping the Server in
Controller
Windows.
Server.
b. Restart the server as described in Procedure to Start the Server in
Windows.
–or–

a. Run the nmsadmin script located in the Ensemble Controller bin

installation directory.

b. Type b to select Shutdown Server.

c. Type s to select Start Server.
After the server restarts, in the Services window, verify the service status
once more. If the required services still have not started, enable them
manually. See the next option Enabling Individual Services.

Enabling In the Services window:

Individual
l Right-click the service that you want to start, and then select Start.
Services
You must repeat this step every time you log into Ensemble
Controller if you want the service to run.
–or–
l To configure the service to automatically start every time you log in:

a. Right-click the service, and then select Properties.

b. In the Startup type field, select Automatic.
c. In the Service status field, verify the status. If required, select
Start to start the service. After you start the service, the status
changes to Running.
d. Select Apply, and then OK to confirm your settings, or Cancel.

Ensemble Controller by default disables the SNMP Forwarder and proxy server services
because they are irrelevant for its general operation. However, for the features that require
these services to run, you can enable them. See the relevant sections:
Ensemble Controller R15.3 Administrator Manual - Issue: A 81
Adtran Installing and Logging into Ensemble Controller

l You require the proxy server to access the WEB Manager using HTTP or HTTPS.
l You require the SNMP Forwarder to access the Element Manager to manage FSP 1500
devices.

Changing the Memory Settings of the Mediation Server

in Windows (64 Bit)
Xmx is the configuration parameter controlling the maximum amount of memory that Java
uses on a system.
Follow this procedure to set the FNM Mediation Server Xmx value to your Windows (64 bit)
operating system:

Change the Xmx value according to your system size:

l S – Xmx3000M
l M – Xmx6000M
l X – Xmx8000M
l XL – Xmx16000M

Requirement
You are informed about the installation requirements of the Required Minimum Server
Hardware.
Procedure
1. Shut down the Ensemble Controller Server.
2. Edit the fspnm.vmoptions file located in:
ENC Installation Directory/fspnm.vmoptions using Notepad or Wordpad.
3. Change the first line -Xmx3000M to a value appropriate to your system requirements (see
the note box in the beginning of this section).
4. Save the file.
5. Run the script SetVMOptions.bat as administrator.
6. Start the Ensemble Controller Server.

Installing Ensemble Controller Client Only

Complete these steps to install the client software only without the Ensemble Controller Server
and Embedded License Server:
1. Download the client installer file from the Salesforce Customer Portal: Ensemble_Controller_
for_Windows_v[xx.x.x]-B[xxxxx]-Client-[xx]bit.exe.
You can also download the client installer file from a web page
https://<servername>:8443/client. To make this action possible, complete these steps:

a. Copy the client installer file to these directories in the Ensemble Controller Server:
l For Windows: C:\Program Files (x86)\ADVA Optical Networking\FSP Network
Manager\ws\webapps\client

Ensemble Controller R15.3 Administrator Manual - Issue: A 82

Adtran Installing and Logging into Ensemble Controller

l For Linux: /opt/adva/fsp_nm/ws/webapps/client

b. Rename the client installer file to Ensemble_Controller_for_Windows-Client.exe.

2. Run the client installer file. The InstallAnywhere window appears with a status bar to show
progress:

3. Click Next. The Choose Install Folder window appears:

4. To choose the installation folder, proceed with one of these options:

l Click Next to accept the default installation folder.
l Click Choose to browse and select an alternate folder.
l Click Restore Default Folder to reset to the default folder.

Ensemble Controller R15.3 Administrator Manual - Issue: A 83

Adtran Installing and Logging into Ensemble Controller

5. Click Next. The Choose Install Set window appears:

Ensemble Controller R15.3 Administrator Manual - Issue: A 84

Adtran Installing and Logging into Ensemble Controller

6. Click Next. The Pre-Installation Summary window appears:

7. Review the installation details. If incorrect, click Previous to step back through the wizard
windows, and then change any details. After you correct the installation details, click Install.
After the installation completes, the Installation Complete window appears:

Ensemble Controller R15.3 Administrator Manual - Issue: A 85

Adtran Installing and Logging into Ensemble Controller

8. Click Done to finalize the installation.

9. If you completed this procedure because of the Ensemble Controller Client upgrade, restart
your computer. For clean installations, the restart is not necessary.
10. Start the Ensemble Controller Server on the computer that has the Ensemble Controller
Server installed as described in Starting the Ensemble Controller Server.
11. Verify that all services run on that computer as described in Verifying Services in Windows.
These services incorporate the Ensemble Controller Server.
12. Start the Ensemble Controller Client as described in Logging Into the Ensemble Controller
Client.

Installing Ensemble Controller in Linux

Complete these steps to install Ensemble Controller (ENC) in a Linux operating system (OS).

Requirements for Installing Ensemble Controller in Linux 87

Steps to Installing Ensemble Controller in Linux 88
Verifying Services in Linux 92
Changing the Memory Settings of the Mediation Server in Linux 93

Ensemble Controller R15.3 Administrator Manual - Issue: A 86

Adtran Installing and Logging into Ensemble Controller

Requirements for Installing Ensemble Controller in Linux

Area Requirement Description

Application l In the Salesforce Customer Portal, download both of these software

Software installation files:
o Ensemble_Controller_for_Linux_v[xx.x.x]-B[xxxxx].tar.aa
o Ensemble_Controller_for_Linux_v[xx.x.x]-B[xxxxx].tar.ab
The system requires both of these files to completely install Ensemble
Controller.
l The PostgreSQL database requires the libssl.so.10 library file. Make sure
that the file is located in the /usr/lib64 or /lib/64 directory. If this file is
not located in these directories, complete one of these steps:
o From Operating System packages, install compat-openssl10
library.
o If ENC server has internet access, use yum to install compat-
openssl10.

Memory Adjust the memory settings according to your system size. See Changing
Settings the Memory Settings of the Mediation Server in Linux and Setting the
Shared Buffer Size.

Partition Sizes If you use the suggested partition sizes, make sure that the partition for
the /var directory and /opt directory provides enough space to install
Ensemble Controller. We recommend the partition for /opt and /var to be
at least 50% in total of the hard disk space.

nmsadmin and For the nmsadmin and healthcheck scripts to run properly, install the
healthcheck sysstat package from Linux.
Scripts

XL Systems For XL systems, edit the /etc/pam.d/login file, and then add or modify the
session required pam_limits.so line.

Software Before you upgrade to software version 9.3.1, make sure that these two
Upgrade to 9.3.1 Linux libraries are available in the /lib/64/ directory. The PostgreSQL
database requires these libraries:
l libncurses.so.5
l libreadline.so.6
If these directories are not available in the /lib/64/directory, upload them
to the /lib/64/ directory.

Centralized Install Docker CE 20.10 on the destination system, and then create a
Control Plane Docker swarm. The system user account must belong to a docker group
or have permission to operate.

Ensemble Controller R15.3 Administrator Manual - Issue: A 87

Adtran Installing and Logging into Ensemble Controller

Save and close all files that you edit. Log off, then on. Or, restart the server for changes to take
effect.

Spaces are NOT permitted in the Ensemble Controller installation directory or in

the tar directory where you plan to copy and run the installation package.

Steps to Installing Ensemble Controller in Linux

1. Switch to the root user:
su -
2. If you installed an earlier version of Ensemble Controller:

a. Enter this command to uninstall your previous Ensemble Controller version:

cd /opt/adva
./uninstall-fsp_nm
b. Remove the Ensemble Controller installation folder, for example,
/opt/adva/fsp_nm

3. After you download the required software installation files as described in the Application
Software requirement, concatenate these files using this command:
cat Ensemble_Controller_for_Linux_v[xx.x.x]-B[xxxxx].tar.* > Ensemble_
Controller_for_Linux_v[xx.x.x]-B[xxxxx].tar
4. Unpack the concatenated TAR file:
tar xf <Ensemble_Controller_for_Linux_v[xx.x.x]-B[xxxxx].tar>
5. Start the installation process:
./install
After the installation process begins, complete the instructions that display.
6. To select one of these options, type the associated number:
1) ENC
2) CPc
3) Embedded License Server
4) ENC/CPc
5) ENC/Embedded License Server
6) ENC/CPc/Embedded License Server
7) Quit

l You can install the Centralized Control Plane (CPc) or the Embedded
License Server (ELS) only if Ensemble Controller (ENC) is already installed
in your system. You might want ELS to be on the same server. If so, we
recommend that you select the option to simultaneously install the
applications, which can be option number 5 or 6.

Ensemble Controller R15.3 Administrator Manual - Issue: A 88

Adtran Installing and Logging into Ensemble Controller

l You can separately install the ELS as a standalone application on a

natively-compatible Linux operating system. Select the standalone
option number 3. CPc cannot work as a standalone application.

l Starting with the ENC version 12.1, you must also install the ELS. Unless you
already installed the ELS, make sure that you select the option that
includes the Embedded License Server.

l If you installed a previous CPc version on your system, before you install
the newer version, first uninstall the old version. See Uninstalling Linux
Applications. Remove any installation folder remnants.

l For information about the ELS, see The Embedded License Server.
l For information about the CPc, see Managing the Centralized Control Plane.
After you select an option, this message displays:
You have selected option <number>. Do you want to continue (y/Y) or change option (C/c)?
7. Decide:
l To redisplay the menu in Step 6, select c/C.
l To continue the installation:

a. Select y/Y, and then type the user password.

b. Retype the password in the next field.
After a few command lines later, this message displays: Do you want to start the ENC
server application now?

c. Select n to NOT start the ENC server in any of these cases:

o You still must modify the fnm.properties file.
o The required ENC licenses are not yet available in the ELS.
o You will use a different account than root.
–or–
Select y to start the ENC server if the above cases do not apply.

8. If you select the option that includes the ELS in Step 6, before you proceed with this
procedure, first prepare and enable the ELS as described in Preparing and Enabling the
Embedded License Server.
9. Decide on the account you want to use:
l To use the root account, go to Step 12.
l To use an account other than root, proceed with the steps that follow.
To control Ensemble Controller services for non-root accounts, you must
have the sudo application available.

Ensemble Controller R15.3 Administrator Manual - Issue: A 89

Adtran Installing and Logging into Ensemble Controller

10. Make sure that no services are running and the Ensemble Controller Server is shut down. For
information, see the relevant topics:
l Verifying Services in Linux
l Procedure for Stopping the Server in Linux

11. Create a user account to use for remote communication:

a. Set the user password:

passwd username
b. Change to the current directory:
cd/opt/adva/fsp_nm
c. If you followed Step 6 to install both the ELS and ENC on the same computer, change the
owner and group of the ELS services. If not, continue with Step 11d.
To change the owner and group of the ELS services, run the elschangeuser.sh script:
/opt/adva/fsp_nm/els/elschangeuser.sh <username> <groupname>
d. Run the changeUser.sh script:
/opt/adva/fsp_nm/bin/changeUser.sh <username> <groupname>
Make sure that you use the same <username> and <groupname> for
both the changeUser.sh and elschangeuser.sh scripts. The names must
be identical.

e. Restart the server computer for the changes to take effect.

12. To start the ENC GUI, run fnm.
To run fnm, you must first install a graphical desktop environment, for
example the desktop managers GNOME or KDE. Otherwise, when you
execute fnm, a failure message displays.

For Red Hat Enterprise Linux 7.x and 8.x

Only for Red Hat Enterprise Linux 7.x and 8.x, configure the firewalld script as described here. The
command lines in these steps are examples. Your configuration settings might differ.
1. Verify that the firewalld script is running:
firewall-cmd --state
running
2. Make a note of the firewalld default zone, which you need later in this procedure:
firewall-cmd --get-default-zone
public

3. Verify which zones are active on the available Ethernet interfaces:

firewall-cmd --get-active-zones
4. Verify the open ports and services.
firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens192
sources:

Ensemble Controller R15.3 Administrator Manual - Issue: A 90

Adtran Installing and Logging into Ensemble Controller

services: ssh dhcpv6-client

ports
protocols
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

5. In the firewalld script, open these ports and services:

Service ssh

Ports l 162/udp
l 8080/tcp
l 9090/tcp
l 8443/tcp
l 9543/tcp
l 33028/tcp

firewall-cmd --permanent --zone=public --add-service=snmptrap

firewall-cmd --permanent --zone=public --add-port=8080/tcp
firewall-cmd --permanent --zone=public --add-port=8443/tcp
firewall-cmd --permanent --zone=public --add-port=9543/tcp
firewall-cmd --permanent --zone=public --add-port=33028/tcp
firewall-cmd --permanent --zone=public --add-port=9090/tcp

If you use the ELS and you installed ELS on the same computer as ENC, also open these ports:
l 7071/tcp
l 8444/tcp
firewall-cmd --permanent --zone=public --add-port=7071/tcp
firewall-cmd --permanent --zone=public --add-port=8444/tcp
6. Reload the firewalld configuration:
firewall-cmd –-reload
7. Verify that all necessary ports and services are open:
firewall-cmd -- list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens 192
services: ssh dhcpv6-client snmptrap
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

Ensemble Controller R15.3 Administrator Manual - Issue: A 91

Adtran Installing and Logging into Ensemble Controller

Verifying Services in Linux

Complete these steps to verify whether services that Ensemble Controller requires to work
properly, successfully started in a Linux operating system.
1. To switch to the root account, at the command prompt, type:
su -

2. To verify the Ensemble Controller Server status, type:

./opt/adva/fsp_nm/bin/fnm.server status

The Ensemble Controller status displays as this example shows:

Ensemble Controller status:
NM Server running, PID = 12688
NM JMS Server running, PID = 12686
NM SNMP Forwarder NOT running
NM proxy server NOT running

Ensemble Controller by default disables the SNMP Forwarder and proxy server services
because they are irrelevant for its general operation. However, for the features that require
these services to run, you can enable them. See the relevant sections:
l You require the proxy server to access the WEB Manager using HTTP or HTTPS.
l You require the SNMP Forwarder to access the Element Managerto manage FSP 1500
devices.

3. If services are not listed as shown in the example in Step 2, use these commands to restart
the Ensemble Controller Server:
./opt/adva/fsp_nm/bin/fnm.server stop
./opt/adva/fsp_nm/bin/fnm.server start

4. The fnm.server script cannot process the PostgreSQL server. To verify it separately, type:
ps -ef|grep postgres

A long data list occurs:

5. If the data list does not appear, use this command to restart the PostgreSQL server:
./opt/adva/fsp_nm/postgres/support-files/postgres.server start

6. You can now log into Ensemble Controller as described in Logging Into the Ensemble
Controller Client.

Ensemble Controller R15.3 Administrator Manual - Issue: A 92

Adtran Installing and Logging into Ensemble Controller

Changing the Memory Settings of the Mediation Server

in Linux
Xmx is the configuration parameter controlling the maximum amount of memory that Java
uses on a system.
Follow this procedure to set the FNM Mediation Server Xmx value to your Linux operating system:

Change the Xmx value according to your system size:

l S – 4000M
l M – 6000M
l X – 8000M
l XL – 32000M

Requirement
You are informed about the installation requirements of the Required Minimum Server
Hardware.
Procedure
1. Shut down the Ensemble Controller Server.
2. Edit the customprop.sh file located in: /opt/adva/fsp_nm/bin/customprop.sh:

a. Remove # and change the memory to a value appropriate to your system requirements
(see the note box in the beginning of this section) in this line:
#NMS_XMX=4000M
b. Remove # in this line:
#export NMS_XMX
3. Save the file.
4. Start the Ensemble Controller Server.

Troubleshooting Client Download Errors

This section describes possible error messages, and their importance and remedial action,
which can display while you download the client version.

"Cannot write to download directory" 94

"Cannot create installation directory" 94
"Error while updating or uncompressing" 95

After you resolve the described issues but are still unable to connect to the server, send the error
logs created during the installation to the Adtran Technical Services.
The log files are stored in the user directory for both ClientUpdater and Ensemble Controller:
l C:\Users\<user>\ClientUpdater\log\ClientUpdater.error.log
l C:\Users\<user>\FSP Network Manager\log\frontend.error.log

Ensemble Controller R15.3 Administrator Manual - Issue: A 93

Adtran Installing and Logging into Ensemble Controller

"Cannot write to download directory"

After you install Ensemble Controller, a confirmation dialog box might open to ask you to
download a different client version. After the software confirms the download, it temporarily
stores the version file in the user directory: c:\users\<user>\clientupdater\downloads.
If you log in and have no write access to the respective folder, this dialog box opens:

Use the property launcher.download.directory=[...] defined in the launch.properties file to

specify the directory with write access. Make sure to use correct path separators for the
directory, which are slash "/" and double backslash "\\" only, for example:
l launcher.download.directory=d:/myFolder
l launcher.download.directory=d:\\myFolder

The launch.properties file is stored in the installation directory, for example:

C:\Program Files (x86)\ADVA Optical Networking\FSP Network
Manager\clientupdater

"Cannot create installation directory"

After you download the version file, the installation process installs the client at
C:\ProgramData\clientupdater\nmclients. If the user who is currently logged in has no write
access to the respective folder, this dialog box opens:

Use the property launcher.program.directory=[...] defined in the launch.properties file to specify

the directory with write access. Make sure to use correct path separators for the directory, which
are slash "/" and double backslash "\\" only, for example:
l launcher.program.directory=d:/myFolder
l launcher.program.directory=d:\\myFolder

The launch.properties file is stored in the installation directory, for example:

C:\Program Files (x86)\ADVA Optical Networking\FSP Network Manager\clientupdater

Ensemble Controller R15.3 Administrator Manual - Issue: A 94

Adtran Installing and Logging into Ensemble Controller

"Error while updating or uncompressing"

In some rare cases the downloaded file might become corrupted while you re downloading or
installing the client. If so, these dialog boxes will open (Windows operating systems only):

In these cases, repeat the action.

Viewing and Deleting Installed Clients

Complete these steps to view installed client versions and to delete certain clients by using the
Client Version Management Tool.
You delete clients in these types of situations:
l Clients are corrupted.
l You want to increase available space.
l You plan to uninstall the current Ensemble Controller Client and Server.
l You plan to install another or a new Ensemble Controller Client.

1. To open the Client Version Management Tool, click the Windows Start button, and then
select Ensemble Controller Client Cleanup Tool.
The Client Version Management Tool window opens:

Ensemble Controller R15.3 Administrator Manual - Issue: A 95

Adtran Installing and Logging into Ensemble Controller

The Client Version Management Tool window lists the clients that you installed up to now in
tabular form. The table provides this information:

Column Description

Version The release number with the relevant build number in the
format <release no.>-<build no.>.

Status The client is:

l Unused, Idle.
-or-
l currently in use, Last used.

Location The path where the client is located.

Last The date when you last modified the client.

Modified

2. Delete a client from your computer as follows:

a. From the list, select the relevant client, and then click Delete.
The Delete Client dialog box opens:

Ensemble Controller R15.3 Administrator Manual - Issue: A 96

Adtran Installing and Logging into Ensemble Controller

b. Click Yes to confirm.

The respective client is removed from the list.
-or-
Select No to stop the action.
c. Click Close to exit the window.

Preparing and Enabling the

Embedded License Server
1. After you installed the Embedded License Server, you must prepare it to provide the set of
licenses that your Ensemble Controller requires. For information about the installation
options for the Embedded License Server, see The Embedded License Server.
Figure 1: Schematic Representation of Step 1

a. Log in to the ADVA License Portal as described in the Customer License Portal Access
documentation available on the Customer Portal.
b. In the ADVA License Portal, generate the BIN file from your obtained license entitlements
to bind them to the Embedded License Server that your Ensemble Controller will connect
to. The ADVA License Portal automatically creates the license entitlements after you
placed your order with the ADVA Customer Focus Team.
For information about how to generate the BIN file in the ADVA License Portal, see the
ADVA license portal Training for Endcustomer documentation available on the Customer
Portal.
c. Log in the Embedded License Server as described in the User Manual.
d. In the Embedded License Server, activate the BIN file that you generated in Step 1b, as
described in the Embedded License Server Administrator Manual.
If you use a second Embedded License Server as backup server in a high-availability
configuration, you must also activate the BIN file on that backup server.

Ensemble Controller R15.3 Administrator Manual - Issue: A 97

Adtran Installing and Logging into Ensemble Controller

For information about how to configure high availability for two Embedded License
Servers, see the Embedded License Server Administrator Manual.

2. From the Ensemble Controller installation directory, open the fnm.properties file, and then
edit these license-server related properties to enable the Embedded License Server for
Ensemble Controller.
l If you installed the Embedded License Server standalone on a separate server, add the IP
and port of that server to com.adva.fnm.option.flexeraServer.ipaddress. If you installed
the Embedded License Server locally on the same server as the Ensemble Controller, you
do NOT need to change this property.
l If you use a second Embedded License Server as a backup server, add the IP and port of
that server to com.adva.fnm.option.backupFlexeraServer.ipaddress.
l To specify the feature licenses that you want Ensemble Controller to acquire, add the
feature license names to com.adva.opt.flexera.requestLicenses.
For general information about how to edit the fnm.properties file, see Editing the
fnm.properties File.
3. Start the Ensemble Controller Server as described in Starting the Ensemble Controller Server.
–or–
Proceed with the remaining installation steps in Installing Ensemble Controller.

Importing Ensemble Controller Server

Certificates to the Client
The Ensemble Controller Client displays the Ensemble Controller Server certificate when you first
log in. To prevent this certificate message from displaying, you can store the certificate in a
local Ensemble Controller-owned certificate storage during installation.
Complete the steps in this section to place the server certificate in the client truststore. You
need to place the certificate in a truststore for secure communications. A server always has one
certificate which ensures that the server is trustworthy.
When a client connects to this server, the client looks at the truststore and verifies whether it can
trust the server. If the client finds no corresponding certificate, Ensemble Controller displays the
received certificate and prompts you to trust this server and accept this certificate.
To avoid this prompt, install the certificate directly in the Ensemble Controller Client truststore
after you install the client.
1. After the server installation successfully completes, export the Ensemble Controller Server
certificate to a file.
a. Linux: keytool -exportcert
-alias nms-server-key
-file ~/nms-server-key.cert
-keystore /opt/adva/fsp_nm/certs/fnmserver.ks
b. Windows: keytool -exportcert
-alias nms-server-key
-file “%HOMEDRIVE%%HOMEPATH%\nms-server-key.cert

Ensemble Controller R15.3 Administrator Manual - Issue: A 98

Adtran Installing and Logging into Ensemble Controller

-keystore “%HOMEDRIVE%%HOMEPATH%\FSP Network Manager\certs\fnmserver.ks”

c. Enter the password NeverChange.

2. Transfer the certificate file to the client computer, if necessary.

3. After the client installation successfully completes, import the certificate to the client
truststore.
a. Linux: keytool -importcert
-alias <hostname of the server the certificate is from>
-file ~/nms-server-key.cert
-keystore /opt/adva/fsp_nm/certs/client.ts
b. Windows: keytool -importcert
-alias <hostname of the server the certificate is from>
-file “%HOMEDRIVE%%HOMEPATH%\nms-server-key.cert
-keystore “%HOMEDRIVE%%HOMEPATH%\FSP Network Manager\certs\client.ts”
c. Enter the password NeverChange.
d. At the prompt, type y [Yes] to confirm the import operation, or n [Enter] to stop the
operation.

(Optional) Installing Additional

Programs
This section describes how to install and configure additional programs or features that can be
useful in supporting your system with certain operations in terms of Ensemble Controller.

Installing FileZilla 99
Installing PuTTY 103
Installing CopSSH 108

Installing FileZilla
FileZilla is a free, open source, cross-platform FTP software that consists of a FileZilla client and a
FileZilla server. It is included in the Ensemble Controller installation package to be installed off
the directory at any time.
Complete this procedure to install FileZilla.
1. Find the FileZilla installation file at:
ENC Installation Directory\filezilla-install.
2. Right-click the FileZilla_Server-[...].exe (application) file and select Run as administrator.
The License Agreement window opens:

Ensemble Controller R15.3 Administrator Manual - Issue: A 99

Adtran Installing and Logging into Ensemble Controller

3. Click I Agree to continue.

The Choose Components window opens:

4. To choose the FileZilla features to be installed, follow either way:

l In the Select the type of install field, select the appropriate installation package.
Each package contains its set of features. If you select a package, the software selects
the corresponding feature components in the list and the Space required area displays
relevant information.
-or-
l From the list, select the feature components as appropriate.
If you hover over a component, the Description area displays corresponding information
about it.

Ensemble Controller R15.3 Administrator Manual - Issue: A 100

Adtran Installing and Logging into Ensemble Controller

5. Click Next.
The Choose Install Location window opens:

6. Select either way to proceed:

l In the Destination Folder field, type a relevant folder path.
-or-
To search for the appropriate folder, click Browse.
Then click Next.
-or-
l Click Next to use the default destination folder as stated in the Destination Folder field.
The Startup settings window opens:

7. From the list, select how you want the FileZilla server to start.

Ensemble Controller R15.3 Administrator Manual - Issue: A 101

Adtran Installing and Logging into Ensemble Controller

8. Verify the server listening port and change it if necessary.

9. If appropriate, select Start Server after setup completes.
10. Click Next.
This window opens:

11. From the list, select how you want the server interface to start:
12. If appropriate, select Start Interface after setup completes.
13. Click Install.
The Installation Complete window opens. A change bar indicates progress while the
application installs:

14. After the installation completes, click Close.

Ensemble Controller R15.3 Administrator Manual - Issue: A 102

Adtran Installing and Logging into Ensemble Controller

Installing PuTTY
Complete these steps to install the terminal emulation program PuTTY, and then to configure it
so as to use the SSH protocol to access network elements (NEs) through an Ethernet
connection.
To make PuTTY the default SSH client program that is automatically opened by the Ensemble
Controller (ENC) when needed, see the User Manual, Browsers for more information about how
to specify the appropriate browser to be used by the Ensemble Controller Client.

Requirements
l Have the IP address of the NE at hand to which you wish to connect.
l Generate SSH2 RSA and DSA keys prior to using PuTTY with the SSH protocol. These keys are
generated automatically the first time you access the NE with the craft interface over a serial
line.
To force the key generation on the NE, if prompted, type this command: /etc/init.d/sshd
force_keygen

Procedure
1. Access the website: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
The PuTTY Download Page opens.
2. Click the putty.exe file relevant for your operating system (OS) and save it.
By default, the file saves to the Downloads folder.
If you set the User Settings to use PuTTY by default, make sure that the PuTTY
installation path is correctly specified in the Browsers window.

3. Go to the installation folder and double-click the putty.exe file.

Should a security warning appear, accept it by clicking Run.
The PuTTY Configuration window displays:

Ensemble Controller R15.3 Administrator Manual - Issue: A 103

Adtran Installing and Logging into Ensemble Controller

4. Set these parameters to configure PuTTY for using the SSH protocol:
a. Select SSH from the 'Connection type' buttons.
Depending on the connection type selected, the Port value adapts accordingly.
b. Expand the 'Connection' tree pane option and select SSH.
The 'Options controlling SSH connections' pane displays:

Ensemble Controller R15.3 Administrator Manual - Issue: A 104

Adtran Installing and Logging into Ensemble Controller

c. Select 2 only from the 'Preferred SSH protocol version' buttons.

5. To optimize the menu appearance in the craft:
a. Select Data from the 'Connection' tree pane option.
The 'Data send to the server' pane displays:

Ensemble Controller R15.3 Administrator Manual - Issue: A 105

Adtran Installing and Logging into Ensemble Controller

b. Type vt100 in the 'Terminal-type string' box.

6. To save the settings made so they will automatically appear next time that PuTTY is started,
complete these steps:
a. In the Category tree pane, select Session.
You return to the Basic options for your PuTTY session pane:

Ensemble Controller R15.3 Administrator Manual - Issue: A 106

Adtran Installing and Logging into Ensemble Controller

b. Specify a name for this particular PuTTY configuration, and then type it in the Saved
Sessions field, for example SSH.
Alternatively, in the Saved Sessions list, select Default Settings for this configuration to
become the default session.
c. Click Save. The saved session is added to the list.
d. To remove a saved session from the list, select it, and then click Delete.
7. To assign a certain PuTTY configuration to an NE so that it opens in accordance with these
settings, create a saved session:
a. In the Category tree pane, select Session.
You return to the Basic options for your PuTTY session pane:

Ensemble Controller R15.3 Administrator Manual - Issue: A 107

Adtran Installing and Logging into Ensemble Controller

b. Type the IP address of the respective NE in the Host Name (or IP address) field.
c. Specify a name for this host and PuTTY configuration, and then type it in the Saved
Sessions field.
d. Click Save. The saved session is added to the list.

Installing CopSSH
For secure communication, the command line interface (CLI) client requires that you install and
configure a secure shell server. CopSSH is an OpenSSH server and client implementation for
Windows systems with an administration GUI.
Complete this procedure to install CopSSH.
For information about how to specify an appropriate SSH-client program that the Ensemble
Controller Client can use, see the User Manual.
1. In Control Panel > User Accounts, turn OFF the Windows User Account Control (UAC).
2. Restart your computer.
3. In the console, type lusrmgr.msc to create a new system user account for later use with the
SSH server.
4. Add a new user as shown here:

Ensemble Controller R15.3 Administrator Manual - Issue: A 108

Adtran Installing and Logging into Ensemble Controller

Figure 2: New User Window

5. Edit the New User window as follows:

Field Description

User name Type an appropriate user name, for example, advaremote.

Full name Type the full name of the user.

Description Type a user description.

Password Type a password, for example, secret123.

Confirm password Repeat the password from the Password field.

User cannot change Select this field so that the user cannot change his or her
password password.

Password never expires Select this field so that the password never expires.

6. Click Create to create the new user.

The process adds the new user as shown here.

Ensemble Controller R15.3 Administrator Manual - Issue: A 109

Adtran Installing and Logging into Ensemble Controller

Figure 3: New User Added and Selected

7. Grant the new user administrator rights:

Right-click Properties > Member Of > Add.
8. Add the user to the administrators group as shown here.
Figure 4: New User Added to Administrators Group

9. Install CopSSH:

a. Double-click the installer of copssh to install CopSSH. For example, the installer can be
copssh_server_7.10.1_x64_prod_installer.
b. During installation process, provide the license key and finish installation with default
settings.

Continue with these steps:

Ensemble Controller R15.3 Administrator Manual - Issue: A 110

Adtran Installing and Logging into Ensemble Controller

1. Open the COPSSH Control Panel.

2. Verify that the SSH service runs and no active connections exist.
3. Select Users to activate the user for who will use the SSH access.
4. Click Add.

5. From the User list, select the relevant user name.

Ensemble Controller R15.3 Administrator Manual - Issue: A 111

Adtran Installing and Logging into Ensemble Controller

6. Click Forward twice, and then Apply by using default values.

The CopSSH Control Panel window re-opens.

7. Click Apply to complete user activation.

8. Select Status.

9. To restart the SSH service, first stop it by clicking on the green ball icon.
10. Wait for the icon to turn red, and then reclick it to start the service again.

Ensemble Controller R15.3 Administrator Manual - Issue: A 112

Adtran Installing and Logging into Ensemble Controller

11. To verify that the connection uses CopSSH, start PuTTY by using the remote host IP and the
login and password of the user that you created. A typical PuTTY screen is shown here. If the
connection succeeds, the connection will operate correctly.
Figure 5: PuTTY Window

If you cannot connect to the remote server through PuTTY by using IPv4, try
to connect through PuTTY or another SSH client by using IPv6.
If you can connect to the remote server through PuTTY by using IPv6, repeat
the commands from Step 2 in this procedure. This action helps to connect
to the remote server through Ensemble Controller Server HA.

12. Verify that the created user for the SSH access has full security rights to the folder and the
sub folders of c:\Program Files\ADVA Optical Networking.
13. In Control Panel > User Accounts, turn ON the Windows User Account Control (UAC).

Starting the Ensemble Controller

Server
These procedures describe how to start the Ensemble Controller Server in a Windows or Linux
environment.

You must start the Ensemble Controller Server before the Ensemble Controller
Client.

Procedure to Start the Server in Windows 113

Procedure to Start the Server in Linux 114

Procedure to Start the Server in Windows

You can use either of these methods:

Ensemble Controller R15.3 Administrator Manual - Issue: A 113

Adtran Installing and Logging into Ensemble Controller

Using the Windows Start Menu 114

Using the Windows Command Prompt 114

Using the Windows Start Menu

Click Start, and then from your Windows environment, select Launch Ensemble Controller Server.

Using the Windows Command Prompt

1. Click Start, and then select Control Panel > User Accounts.
2. In the User Accounts window, verify whether your system deploys user account control
(UAC).
3. According to the UAC settings, continue with one of these options to start the Ensemble
Controller Server:
l If UAC is enabled, you can start the Ensemble Controller Server only as administrator as
described here:

a. Click Start.
b. Type CMD. Do NOT press Enter yet.
c. Right-click Command Prompt, and then select Run as administrator.
d. CD to the Ensemble Controller bin installation directory, for example: C:\Program
Files (x86)\ADVA Optical Networking\FSP Network Manager\bin
e. Type StartServer, and then press Enter.
f. Ignore the error message isAdmin.vbs not found.

l If UAC is disabled, complete these steps:

a. Click Start.
b. Type CMD, and then press Enter.
c. CD to the Ensemble Controller bin installation directory, for example: C:\Program
Files (x86)\ADVA Optical Networking\FSP Network Manager\bin.
d. Type StartServer, and then press Enter.

Procedure to Start the Server in Linux

1. To start the PostgreSQL server, at the command prompt, type:
/opt/adva/fsp_nm/postgres/support-files/postgres.server start
2. To start the Ensemble Controller Server, at the command prompt, type:
/opt/adva/fsp_nm/bin/fnm.server start

Ensemble Controller R15.3 Administrator Manual - Issue: A 114

Adtran Installing and Logging into Ensemble Controller

Stopping the Ensemble Controller

Server
These procedures describe how to stop the Ensemble Controller Server in a Windows or Linux
environment.

Procedure for Stopping the Server in Windows 115

Procedure for Stopping the Server in Linux 116

Procedure for Stopping the Server in Windows

You can use either of these methods:

Using the Windows Start Menu 115

Using the Windows Command Prompt 115

Using the Windows Start Menu

1. Click Start, and then from your Windows environment, select Shut down Ensemble Controller
Server.
A window opens to confirm the shutdown.
2. Type y to shut down the Server, or n to cancel.

Using the Windows Command Prompt

1. Click Start, and then select Control Panel > User Accounts.
2. In the User Accounts window, verify whether your system deploys user account control
(UAC).
3. According to the UAC settings, continue with one of these options to stop the Ensemble
Controller Server:
l If UAC is enabled, you can stop the Ensemble Controller Server only as administrator as
described here:

a. Click Start.
b. Type CMD. Do NOT press Enter yet.
c. Right-click Command Prompt, and then select Run as administrator.
d. CD to ENC Installation Directory\bin.
e. Type StopServer, and then press Enter.
f. Ignore the error message isAdmin.vbs not found

Ensemble Controller R15.3 Administrator Manual - Issue: A 115

Adtran Installing and Logging into Ensemble Controller

l If UAC is disabled, complete these steps:

a. Click Start.
b. Type CMD, and then press Enter.
c. CD to ENC Installation Directory\bin.
d. Type StopServer, and then press Enter.

Procedure for Stopping the Server in Linux

1. To stop the Ensemble Controller Server, at the command prompt, type:
/opt/adva/fsp_nm/bin/fnm.server stop

2. To stop the PostgreSQL server, at the command prompt, type:

/opt/adva/fsp_nm/postgres/support-files/postgres.server stop

Logging Into the Ensemble Controller

Client
Complete the steps in this procedure to log into the Ensemble Controller Client.

Requirements to Log Into the Ensemble Controller Client 116

Supported Encryption Protocols and Ciphers 117
Procedure to Log Into the Ensemble Controller Client 119
Taking Remedial Action for Failed Login Attempts 123

Requirements to Log Into the Ensemble

Controller Client
l To connect to the computer that has the Ensemble Controller Server installed, you must know
the host name or IP address of that computer, unless it is your own.
l For MTOSI, if you prefer to use a different web server port other than the default 8080, in the
fnm.properties file, add the relevant port to the property
com.adva.fnm.option.webserver.port=[...].
By default, the Ensemble Controller Client attempts to connect to the web
server ports 80, 8080, and 9000. If you configured the web server to use a
different port, in the Ensemble Controller installation directory, clientupdater
folder, you must adapt the launch.properties file accordingly. For example,
add the property launcher.webserver.port_4=9999, where 9999
represents the port that the server uses.

Ensemble Controller R15.3 Administrator Manual - Issue: A 116

Adtran Installing and Logging into Ensemble Controller

For more information about server and client communication ports, see Configuring Server
and Client Communication Ports.
l Make sure that you prepared and enabled the Embedded License Server as described in
Preparing and Enabling the Embedded License Server. The Embedded License Server stores
the licenses that you purchased, and thus determines the scope of system functions and
features in Ensemble Controller, and also whether you have unimpeded access to all network
objects within a particular network.

Supported Encryption Protocols and Ciphers

HTTPS and JMS 117
Public/Private Keys x.509 (HTTP, JMS) 118
SSH: server-server, server-ftp server 118
Ensemble Controller User Passwords 118
Persistent Sensitive Data Encryption 118
Server-NE Communication (SNMP, HTTP) 118

HTTPS and JMS

HTTPS
l GUI clients use TLSv1.3 by default.
l Clients that do not support TLSv1.3 can still communicate with the server with use of TLSv1.2.
l The server does not support protocols: SSLv2Hello, SSLv3, TLSv1, TLSv1.1.
l Supported Cipher Suites:

TLS 1.2 TLS 1.3

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_AES_256_GCM_SHA384

TLS_ECDHE_ECDSA_WITH_AES_128_CCM TLS_AES_128_CCM_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_CCM TLS_AES_128_CCM_8_SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8

TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

JMS

Ensemble Controller R15.3 Administrator Manual - Issue: A 117

Adtran Installing and Logging into Ensemble Controller

l GUI clients use TLSv1.3 with TLS_AES_256_GCM_SHA384 cipher suite by default.

l Clients that do not support TLSv1.3 can still communicate with the server with use of TLSv1.2
with TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
l You can configure the JMS server (ActiveMQ) via the activemq.xml file and the
"transportConnector" element.

These rules apply to all the clients that connect to Ensemble Controller, for
example ENC GUI, MTOSI, TAPI, GNSS.

Public/Private Keys x.509 (HTTP, JMS)

ENC uses certificates with "Elliptic Curve" public key algorithm of size 256 and signature
algorithm "ECDSA with SHA-256".

SSH: server-server, server-ftp server

server = ssh client (JCraft), dependent on SSH server, for example CopSSH5: AES128-CTR, HMAC-
SHA1

Ensemble Controller User Passwords

The system saves the passwords of ENC local users in the DB using SHA512 with 96 bits salt. Each
time a user logs in, Ensemble Controller compares the generated digest to the one saved in the
DB.

Persistent Sensitive Data Encryption

l Encryption algorithm: AES 256
l Mode: GCM (Authenticated Encryption with Associated Data)

Server-NE Communication (SNMP, HTTP)

server = http/snmp client
l (snmp Privacy) DES (F3), AES128 for backward compatibility, AES192, and AES256
l (snmp Authentication) MD5, SHA, SHA256, and SHA512
l (http) TLSv1.2

Ensemble Controller R15.3 Administrator Manual - Issue: A 118

Adtran Installing and Logging into Ensemble Controller

Procedure to Log Into the Ensemble Controller

Client
1. Log into the Ensemble Controller Client according to your operating system:
l If you use Windows, from your Windows environment, select Ensemble Controller Client.
Alternatively, if available in your Start menu or taskbar, click the Ensemble Controller
Client icon.
l If you use Linux, in the console, type fnm.
The login window opens:

2. In the login window, edit the fields as described here. The field name displays when you
focus or click the field.

Ensemble Controller R15.3 Administrator Manual - Issue: A 119

Adtran Installing and Logging into Ensemble Controller

Field Description or Steps

Host Proceed with one of these options:

l If you run the Ensemble Controller Server locally on your computer,
select localhost.
l If you run the Ensemble Controller Server on a different computer,

type the IP address or host name.

l If you run the Ensemble Controller Server with IPv6, type the defined

alias name. For information about how to define an alias name to

connect to the server using IPv6, see Enabling IPv6.
l If you run an Ensemble Controller Server pair in a high-availability

configuration, type the IP address of the computer that runs the

main Ensemble Controller Server. For more information, see High-
Availability Solution with a Redundant Server.
Ensemble Controller caches your selection for your next session.

Username Type your login account name. By default, this is admin.

If you log in remotely, for example, from a Citrix system, Ensemble
Controller retrieves the user name from that system and populates the
field accordingly. You cannot edit the field.
For more information, see Remote User Options.

Password Type your password. By default, this is ChgMeNOW.

If required, click the crossed-out eye to reveal the characters that
you type into the field.

Auto redirect Only select it if you want to use the High-Availability Solution with a
to Master Redundant Server.
server

3. Click LOG IN to start the Ensemble Controller Client. Wait for the process to complete.
l If you see an unexpected error message during startup, see Resolving Access Issues.
l If your attempt to start Ensemble Controller fails, see Taking Remedial Action for Failed
Login Attempts for information.
4. If your Ensemble Controller Client uses secure communication (HTTPS), a server certificate
appears asking for acceptance:
a. Proceed with one of these options:
l Click Accept to permanently accept the certificate. Ensemble Controller stores the file
with the accepted certificate locally to the //<localUser>/Ensemble Controller/certs
directory according to your operating system.
This certificate will not appear again unless somebody deletes the content of the
certs folder, then the certificate examination window displays again for you to take a
decision.
–or–

Ensemble Controller R15.3 Administrator Manual - Issue: A 120

Adtran Installing and Logging into Ensemble Controller

l Click Accept Temporary to temporarily accept the certificate that is, only for the
current client session. You will again be asked to accept this certificate when you log
in next time.
–or–
l Click Cancel to stop the action, or close the dialog box. A message confirms that you
have not accepted the certificate. Select OK, and then repeat this procedure from
Step 2 for another login attempt.
b. If your Ensemble Controller is connected to any other servers, which you can verify in the
Multi-server Management window after you log in, additional server certificates open
one by one for each of them. Proceed with them using the options described in the
previous step.
If you cancel the action of accepting the certificates, after you log in, a notification
displays in the message pane, which allows to accept the certificates of the servers in
the Multi-server Management window later.
c. To accept server certificates from the message pane, double-click the notification. The
Multi-server Management window appears. For further instructions about the Multi-
server Management window and how to accept the relevant server certificates, see the
User Manual, Refreshing Selected Servers.

5. After you take care of the server certificates, and you successfully log in, this Login
Successful dialog box displays if you logged in before. If you log in for the first time, proceed
with Step 7.

This dialog box shows your login status and other login details.
6. Click Continue to open Ensemble Controller, or Logout to cancel.
7. If you log in for the first time, consider these events, which show once with your first login.
Ensemble Controller remembers the settings next time you log in, and they do not show
again.

Ensemble Controller R15.3 Administrator Manual - Issue: A 121

Adtran Installing and Logging into Ensemble Controller

l The Change Password dialog box opens:

Edit the fields as required, and then click OK to log in. If you click Cancel, Ensemble
Controller aborts the login process and a respective message shows:

For details about how to change the password again in a later session, see the User
Manual.
l The Windows Security Alert window might appear if you use a firewall:

As recommended in the field description, do not select the Public networks, [...] field, and
then click Allow access. If you click Cancel, the firewall might block some features in
Ensemble Controller, and you can use the Client only to a limited extend, or not at all.

After the Ensemble Controller Client opens, you can view login-related notifications in the
message pane. To open the message pane, in the primary application bar, select Messages. If
you logged in using RADIUS or TACACS+ authentication, the message pane Security tab does
not appear.

Ensemble Controller R15.3 Administrator Manual - Issue: A 122

Adtran Installing and Logging into Ensemble Controller

Taking Remedial Action for Failed Login

Attempts
After you click Login in the Ensemble Controller Login dialog box, you might experience these
scenarios, which inform you about failed login attempts:
l This Message dialog box opens:

o Select OK, and then verify your login credentials. Re-enter them and try again to log in.
–or–
o Stop and start the Ensemble Controller Server, and then try again to log in. For information,
see Stopping the Ensemble Controller Server and Starting the Ensemble Controller Server.

l A warning message shows that Ensemble Controller is unable to acquire the basic license
from the Embedded License Server:

This message also shows if your license expired although it says that Ensemble Controller
cannot acquire the basic license. You can take these actions to troubleshoot:
o In the Ensemble Controller installation directory, fnm.properties file, verify the property
com.adva.fnm.option.flexeraServer.ipaddress whether you specified the correct
Embedded License Server IP address. For information about the license-related
properties, see Embedded License Server Options.
o Test whether you can reach the Embedded License Server with ping.

Ensemble Controller R15.3 Administrator Manual - Issue: A 123

Adtran Installing and Logging into Ensemble Controller

o Log in the Embedded License Server as described in the User Manual, Accessing the
Embedded License Server, and then verify whether you have an available basic license,
for example ENC-SERVER-R12.X.
l If your current Ensemble Controller Client version is older than or incompatible with the
Ensemble Controller Server, a message displays where we recommend or asks you to
upgrade or downgrade to a different software version. Click Yes.
If the download or upgrade is defective or fails, which error messages show, take these
options into account, and then try to log in again:
o The fnm.properties file contains a parameter that controls whether the server version is
verified against the client. If set to true, the system prevents the client from being
upgraded. For more information, see the parameter description
com.adva.fnm.option.disableClientUpdates.
o See Troubleshooting Client Download Errors or Resolving Installation Issues.
o To view and delete clients that you already installed, see Viewing and Deleting Installed
Clients.
After the download or upgrade completes, Ensemble Controller starts.
l Invalid authentication message displays. The second failed login attempt results in a 5
seconds login delay. Every next failed attempt doubles the previous login delay until it
reaches maximum of 15 minutes. In case of any login attempts during the temporary delay
period, the system will reject the attempt and display the invalid authentication message
along with the remaining delay time. The administrator account is not locked permanently at
any point.

Ensemble Controller R15.3 Administrator Manual - Issue: A 124

Adtran Installing Ensemble Controller for Pro-Vision

Chapter 2
Installing Ensemble Controller
for Pro-Vision
You can install Ensemble Controller for Pro-Vision to operate in Linux or Windows.

Installation Procedure for Linux 125

Installation Procedure for Windows 126

For information about how to operate and maintain Pro-Vision, see the Appendix C, Pro-Vision –
Service Provisioning and Management Platform.

Installation Procedure for Linux

1. In the CLI, untar the image into a directory of your choice.
tar xvf Ensemble_Controller_for_Linux_v11.3.1.tar
If you run an OS-installed postgres service, shut it down before you install the software. If you
leave the postgres service running, that can interfere with the installation. To stop the
service, enter sudo service postgresql stop or kill all postgres processes.
2. Navigate to the root directory, and then run the Ensemble installer script as root. Untar the
file to this directory.
3. Use the root issue:
./install, which installs the installer script in /opt/adva/fsp_nm
4. Select #1(ENC), and then enter answer y for yes to install it.
5. After the prompt, enter any valid password that you create, which is the Postgres database
password.
6. After the prompt, enter n for no to start the server because you need to complete other
steps first.
7. To edit the /opt/adva/fsp_nm/fnm.properties file, search for #
com.adva.nlms.mediation.pv.startModule=true.
Delete the # and the space after it.
8. You can increase the event log maximum size of 200,000 by changing the property
com.adva.nlms.mediation.event.maxEventLogSize located in the fnm.properties file.
See the appendix com.adva.nlms.mediation.event.maxEventLogSize for more
information.

Ensemble Controller R15.3 Administrator Manual - Issue: A 125

Adtran Installing Ensemble Controller for Pro-Vision

9. As root, start the server.

/opt/adva/fsp_nm/bin/fnm.server start
The pvlog file no longer exists. It is now named mediation.log and located in the
/opt/adva/fsp_nm/var/log.
10. In your browser, access Pro-Vision using this URL:
https://<ip-address>:8443/pv
11. Enter your license name and key.
12. Login with the administrator password.
ChgMeNOW

Installation Procedure for Windows

1. Download the Pro-Vision software to a local directory.
2. From your Windows desktop, open the folder where you downloaded the Pro-Vision
software.
3. From the folder:
a. Right-click the Ensemble_Controller_for_Windows-v.11.2.1-64bit.exe.
b. Select Run as administrator.
The InstallAnywhere window opens and shows the progress of the installation. After the
installation completes, the Introduction window opens.
4. In the Introduction window, click Next. The Choose Install Folder window opens. You can
install the file where you choose or accept the default.
5. Click Next. The Choose Install Set window opens.
6. Click Next. The Pre-Installation Summary window opens.
7. Review the Pre-Installation Summary, and then click Install. An Ensemble Controller window
opens and shows the progress of the installation. After the installation completes, the Post
Install Process - ENC Server window opens.
8. Click Next to open the Installation Complete window.
9. Click Done. ENC should now be successfully installed.
You must now perform the next step because the Windows installation process starts the
ENC server before you can edit the fnm.properties file (see Editing the fnm.properties File).
10. From the bin directory, right-click the StopServer application to stop the server, and then run
as administrator.
11. Proceed with these topics:

Enabling User Permissions 126

Configuring FSP Network Manager Files 127
Starting the Server 127

Enabling User Permissions

1. From the Program Files (x86) folder, double-click the ADVA Optical Networking folder to open
it.

Ensemble Controller R15.3 Administrator Manual - Issue: A 126

Adtran Installing Ensemble Controller for Pro-Vision

2. Right-click the FSP Network Manager folder, and then select Properties to open the FSP
Network Manage Properties window.
3. Select the Security tab.
4. Click Edit to open the Permissions for FSP Network Manager window.
5. From the Group or user names list, click Users to highlight it.
6. From the Permissions for Users list, make sure that Full control and Modify are enabled.
7. Click Apply to change all the file permissions.
8. After the software changes the file permissions, click OK to close the Permissions for FSP
Network Manager window.

Configuring FSP Network Manager Files

1. From the FSP Network Manager folder, open the fnm.properties file.
2. In the fnm.properties file, search for
# com.adva.nlms.mediation.pv.startModule=true
3. Delete the # and the space after it.

Starting the Server

1. From the ADVA Optical Networking folder, open the FSP Network Manager folder and then
double-click the bin directory.
2. From the bin directory, right-click the StartServer.bat file and select Run as administrator. The
server can take a few minutes to start.
3. After Pro-Vision completes loading, enter this URL.
https://ip-address or localhost:8443/pv
4. At the URL, you are prompted to enter your license information.
5. At the prompt, enter your License Name and Key, and then click Install. The License Installed
Successfully window opens.
6. Click Close. The Login window opens.
7. Enter your Username and Password, select Please select to confirm, and then click LOG IN.
The Pro-Vision map window opens.

Ensemble Controller R15.3 Administrator Manual - Issue: A 127

Adtran Configuring Ensemble Controller

Chapter 3
Configuring Ensemble
Controller
This chapter describes actions to manage security and administrate Ensemble Controller.

Security 128
High Availability 159
System Settings 211
Configuring Operations from the fnm.properties File 242
Script or Command-based Operations 258
Configuring Sync Assurance and the Ensemble Fiber Director Server 282
Consolidating Ensemble Controller Servers 314
Accessing Management Tools 327
Fault Management 343

Security
This chapter discusses operations that contribute to support security-relevant topics in
Ensemble Controller.

Hardening the Ensemble Controller Application 129

Security Manager 131
Changing Passwords on Network Elements Using SNMP 143
Enabling a Connection of One Ensemble Controller Client to Multiple Servers 147
Enabling Two-Man Approval for Actions 148
Granting Temporary Admin User Rights on Network Elements 152
SSH Settings 158
SFTP Settings 159

Ensemble Controller R15.3 Administrator Manual - Issue: A 128

Adtran Configuring Ensemble Controller

Hardening the Ensemble Controller

Application
Hardening a computer system is also known as defense in depth, and refers to providing
various means of protection on several layers, for example, on the host level, the application
level, the operating system level, the user level, the physical level, or any other sublevels. Each
level requires a unique method of security.
This table provides an overview of the supported options to enhance the security of Ensemble
Controller on the application level exclusively. Each option provides a link to the section for more
information.

Hardening Options More Information

Usage of SNMPv3 with encryption for a User Manual

secure communication to network
elements.

Changing the default password of the User Manual

Ensemble Controller admin user.

Configuring the password rules for users. Editing Security Parameters

Setting Auto Lock and Auto Logoff. Setting Auto Lock and Auto Logout

Enabling RADIUS. Setting Up RADIUS Authentication

Enabling the 4-eyes principle. Enabling Two-Man Approval for Actions

Displaying a message after the client login Post-Login Dialog Box Message
to show important notifications.

Usage of secure protocols to transfer files. User Manual

Enabling secure protocols if you use the CLI Using a Secure Protocol
interface as craft to manage network
elements.

Closing all ports not used for Communication Ports

communication on an external firewall.

Disabling unsecure HTTP communication com.adva.fnm.option.webserver.port=none

(client / server and MTOSI) and enforcing
transport layer security (TLS) (HTTPS).

Using customer-specific certificates for TLS Using Customer Certificates

(HTTPS).

Ensemble Controller R15.3 Administrator Manual - Issue: A 129

Adtran Configuring Ensemble Controller

Hardening Options More Information

Running Ensemble Controller services using Steps to Installing Ensemble Controller in

a non-root account. Linux, especially Step 8.

Disabling JMX for the ActiveMQ JMS server. Properties for Configuring the Java
Messaging System (JMS)

Changing the database password. This Changing the Database Password

operation causes the Ensemble Controller
Server to automatically restart.

The Diffie-Hellman Epheremal Key Agreement Protocol can be used for an attack on network
facing SSL / TLS / HTTPS / SSH services leading to excessive compute time usage. Therefore the
DHE cypher suite is deactivated by default for ENC mediation service. In case that the protocol
needs to be enabled, the following procedure shall be applied: Edit the jetty.xml, and delete all
the occurrences of the line (2 occurrences currently): <Item>(TLS_DHE)_.*</Item>

Increasing the Entropy of a Virtual Machine or Headless

Server
On a virtual machine or headless server, the available randomness is much lower than on a real
machine, due to for example: the lack of access to hardware, or lack of mouse and keyboard
activity. Information about the server low entropy can be obtained if the command "cat
/proc/sys/kernel/random/entropy_avail" returns a small number (lower than 1000).
Adequate randomness in virtual machines or headless servers is a general issue and there is
more than one solution to fix it. You may choose a solution of your preference. The goal for
hardening is to increase the entropy and keep it high at all times.
ENC has been tested using a service called “haveged” for increasing the entropy. The haveged
project provides an easy to use, unpredictable random number generator based upon an
adaptation of the HAVEGE algorithm and can be installed with the Linux package manager.
Follow these steps to install haveged:
1. Install EPEL for release 7 or 8:
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
or https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
yum install epel-release-latest-7.noarch.rpm or yum install epel-release-
latest-8.noarch.rpm
2. Install heveged:
yum install haveged
3. Start and enable the service:
systemctl start haveged
systemctl enable haveged

Ensemble Controller R15.3 Administrator Manual - Issue: A 130

Adtran Configuring Ensemble Controller

l A solution for the randomness/entropy is only required for the ENC servers
that run on Linux. There is no need to install haveged on the machines that
only run ENC GUI client.
l For more information about EPEL, see
https://www.redhat.com/en/blog/whats-epel-and-how-do-i-use-it.

Security Manager

User Authentication 131

Users Tab 132
Groups Tab 135
Roles Tab 139
Action Log Tab 141
Sessions Tab 142

User Authentication
To avoid unauthorized access to the system, users must log in to the Ensemble Controller. Each
user has a unique name for identification and a password for authentication.

Ensemble Controller R15.3 Administrator Manual - Issue: A 131

Adtran Configuring Ensemble Controller

Each user password including the administrator password, is valid for a specific length of time.
When that time has passed, the password has aged and the user or administrator is prompted
to change it.
Password blacklists regulate when an old password can be re-used. This enables
administrators to enhance security by ensuring that old passwords are not used continually.
After a certain time of in-activity, a logged in user is logged off by the system. Also, there is a
requirement to have a minimum length of both, user account names and passwords.
All these settings are stored on the Ensemble Controller Server and are valid for all users
connected to that Ensemble Controller Server. See the appendix > Security Options for
information about how to change these settings.
In addition, all users are members of one or more groups. A role and a view are assigned to
each group. The actions each user is allowed to perform, are deduced from the role and the
view defined for the groups of which the user is a member.

The user that will do network element backups or restoring needs to have full
user rights on the FTP or SFTP server - that is read, write, modify, or delete.

Users Tab
In the Users tab, you can manage the user accounts.
You cannot manage any remote user accounts (RADIUS, TACACS+, or LDAP) in Ensemble
Controller. However, if remote users log in at least once, the remote user account displays in the
Table.

Generic Information about Users 132

Ribbon Menu 133
Table 134
Details Pane 135

Generic Information about Users

By default, the Security Manager includes an administrator account with the user name admin
and the password ChgMeNOW.
An administrator can add user accounts as required. For each user account, you assign a
group to suit the user needs; see Groups Tab for information. Each user account can be a
member of several groups. The permissions that this user account has, is then the union of
these groups.

The user that will do network element backups or restoring needs to have full
user rights on the FTP or SFTP server - that is read, write, modify, or delete.

If error messages appear after you log in to a user account, this account might impose
restrictions towards permissions (roles). For example, you are not allowed to log in to an
account more than once. An administrator can set account permissions in the Roles tab. For
more information about how to configure roles, see Roles Tab.

Ensemble Controller R15.3 Administrator Manual - Issue: A 132

Adtran Configuring Ensemble Controller

For an overview of the default roles and allocated actions supported, see the appendix > Roles
and Allocated Actions.

Ribbon Menu
Use the ribbon menu in the Users tab to manage user accounts as described in these topics:

Adding Users 133

Editing Users 133
Deleting Users 134
Exporting the Users Table 134
Resetting to Factory Default 134

Adding Users
1. In the Users tab ribbon menu, Options area, select Add. The Identity accordion in the details
pane opens.
Mandatory attributes that you must specify, display in red and provide clear instructions
about how to enter the required text. If you enter text that does not comply to the
instructions, a respective error message displays.
l To verify the entered password, next to the Password field, click and hold the eye
button.
l To enable or disable these features, select its switch:
o User must change password at next logon
o Account is enabled

2. Select the Groups accordion to expand it, and then select the appropriate group for this
user.

3. Click Save changes to add the user.

The Security Manager adds the new user to the Users table.
–or–

Click Cancel to stop the operation.

Editing Users
1. In the Users Table, select the user account that you want to edit.
2. In the Users tab ribbon menu, Options area, select Edit.
You can now edit the Details Pane.
3. In the Details Pane, modify the relevant attributes as appropriate.

4. Click Save changes to apply your changes.

The Security Manager updates the user account in the Users table according to your
changes.
–or–

Click Cancel to stop the operation.

Ensemble Controller R15.3 Administrator Manual - Issue: A 133

Adtran Configuring Ensemble Controller

Deleting Users
1. In the Users Table, select the user account that you want to delete.
2. In the Users tab ribbon menu, Options area, select Delete.
A Confirmation dialog box displays.
3. Click Yes to confirm the deletion.
The Security Manager removes the user account from the Users table.
–or–
Click Cancel to stop the operation.

Exporting the Users Table

Complete these steps to export the Users table to a comma-separated value (CSV) file. Table
rearrangements such as sorting, filtering, or hidden columns are taken into account.
1. In the Users tab ribbon menu, Export area, select Table (CSV).
The Save dialog box displays:

2. As appropriate, change the file name and location of storage. The file name length must not
exceed 255 characters. If it does, an error occurs if you click Save.
3. Click Save to complete the export, or Cancel to stop the operation.
4. See the message pane for any result messages about this action.

Resetting to Factory Default

To reset the settings for users, groups, and roles to factory default, in the Users tab ribbon menu,
Other area, select Restore. After you select Restore, the Security Manager restores:
l The admin user password to ChgMeNOW.
l Groups and roles if you deleted them.

This operation does not affect group visibility settings for networks or services.

Table
The Users table contains these columns:

Ensemble Controller R15.3 Administrator Manual - Issue: A 134

Adtran Configuring Ensemble Controller

Column Description

Account is The user account status.

Enabled

User Name The login name of the user account.

Full Name The full name of the user. This is an optional field.

Description A description of the user account, if one had been added when the
user was created.

Group The group to which this user belongs.

Last Login The time when the user last logged on.

Authentication The type of authentication mechanism used:

Type l Local - authentication through Ensemble Controller (ENC) user
database
l External - authentication through RADIUS or TACACS+ for example

Details Pane
The Users tab includes these accordion containers in the details pane:

Identity 135
Groups 135

Identity
The Identity accordion container provides these attributes:
l User Name - text box
l Full Name - text box
l Description - multiline text box
l Email Address - text box
l Password - text box and mandatory in the course of creating a new user
l Change password flag - switch
l Account activation status (Account is enabled) - switch

Groups
The Groups accordion container shows a list of the available user groups that you can select.

Groups Tab
You can manage user groups in the Groups tab.

Ensemble Controller R15.3 Administrator Manual - Issue: A 135

Adtran Configuring Ensemble Controller

Ribbon Menu 136

Table 137
Details Pane 137

Ribbon Menu
Use the ribbon menu in the Groups tab to manage groups as described in these topics:

Adding Groups 136

Editing Groups 136
Deleting Groups 137

Adding Groups
1. In the Groups tab ribbon menu, Options area, select Add. The Identity accordion in the
details pane opens.
Mandatory attributes that you must specify, display in red and provide clear instructions
about how to enter the required text. If you enter text that does not comply to the
instructions, a respective error message displays.
2. Specify attributes for this group as required.
The Identity accordion, Role field shows a list of the roles that you create and maintain in the
Roles Tab.
3. Select the Members accordion to expand it, and then select the appropriate user for this
group. You can select several users for a group. The number of users that a group can have
is unlimited. You create and maintain these users in the Users Tab.
4. Select the Network accordion to expand it, and then give permission ( ) or restrict the
network view ( ). Select the appropriate symbol for subnetworks or parts of it. With each
click, the symbol changes.
5. Select the Services accordion to expand it, and then give permission or restrict the services
view for customers and also its services as described in the previous Step 4.

6. Click Save changes to add the group.

The Security Manager adds the new group to the Groups table.
–or–

Click Cancel to stop the operation.

Editing Groups
1. In the Groups Table, select the group that you want to edit.
2. In the Groups tab ribbon menu, Options area, select Edit.
You can now edit the Details Pane.
3. In the Details Pane, modify the relevant attributes as appropriate.

4. Click Save changes to apply your changes.

The Security Manager updates the group in the Groups table according to your changes.
–or–

Click Cancel to stop the operation.

Ensemble Controller R15.3 Administrator Manual - Issue: A 136

Adtran Configuring Ensemble Controller

Deleting Groups
1. In the Groups Table, select the group that you want to delete.
2. In the Groups tab ribbon menu, Options area, select Delete.
A Confirmation dialog box displays.
3. Click Yes to confirm the deletion.
The Security Manager removes the group from the Groups table.
–or–
Click Cancel to stop the operation.

Table
The Groups table contains these columns:

Column Description

Group name The name of the group. The groups Operator, Monitor,
Configurator, and Administrator are predefined.

Role The role that is assigned to the group. Roles are created
and maintained in the Roles Tab tab.

Description A description of the group provided that one was added

in the course of creating the group.

Details Pane
The Groups tab includes these accordion containers in the details pane:

Identity 137
Members 138
Network 138
Services 138

Identity
The Identity accordion container provides these attributes:
l Group name - text field
l Role - list
The role options in this list are according to the roles created and maintained in the Roles Tab
tab.
l Description - text field

Ensemble Controller R15.3 Administrator Manual - Issue: A 137

Adtran Configuring Ensemble Controller

Members
The Members accordion container shows a list of available group members (users). You create
users in the Users Tab. A group can have an unlimited number of members that is, you can
select several members.

Network
The Network accordion container allows to give or not to give permission for viewing all parts of
a network, just a selection, or nothing at all.
It is structured in a tree-like fashion as known from the tree pane.

A green icon (permission is given) is replaced by a red icon (permission is not given) when
clicked and the other way around.
If viewing is disabled at the network group, it is not possible to enable permissions for one or
more networks below it. However, if viewing is enabled at network group level, it is possible to
disable viewing for one or more networks below it.
Not only the visibility of the selected objects themselves such as networks is affected, but also
the visibility of all associated resources such as network elements, links, events, alarms, reports,
and so on, is affected.

If group view properties are changed, group users must log off, and then log in
again to synchronize with the new view settings.

Historical alarms or events might still be displayed for user groups with a restricted view. This is
because respective network elements had been created before the restricted view was
applied.

Services
The Services accordion container allows to give or not to give permission for viewing services.
It is structured in a tree-like fashion as known from the tree pane.

A green icon (permission is given) is replaced by a red icon (permission is not given) when
clicked and the other way around.

Ensemble Controller R15.3 Administrator Manual - Issue: A 138

Adtran Configuring Ensemble Controller

If viewing is disabled at the customer group, it is not possible to enable permissions for one or
more customer groups below it. However, if viewing is enabled at a customer group level, it is
possible to disable viewing for one or more customer groups underneath it.
Not only the visibility of the selected objects themselves such as services is affected, but also
the visibility of all associated resources such as network elements, links, events, alarms, reports,
and so on, is affected.

If group view properties are changed, group users must log off, and then log in
again to synchronize with the new view settings.

Historical alarms or events might still be displayed for user groups with a restricted view. This is
because respective services had been created before the restricted view was applied.

Roles Tab
You can manage roles in the Roles tab. For an overview of the default roles and allocated
actions that the Security Manager supports, see the appendix > Roles and Allocated Actions.

Ribbon Menu 139

Table 140
Details Pane 140

Ribbon Menu
Use the ribbon menu in the Roles tab to manage roles as described in these topics:

Adding Roles 139

Editing Roles 140
Deleting Roles 140

Adding Roles
1. In the Roles tab ribbon menu, Options area, select Add. The Identity accordion in the details
pane opens.
Mandatory attributes that you must specify, display in red and provide clear instructions
about how to enter the required text. If you enter text that does not comply to the
instructions, a respective error message displays.
2. Specify attributes for this role as required.
3. Select the Permissions accordion to expand it, and then allow ( ) or disallow ( ) certain
actions to be performed by this role. Select the appropriate symbols.
For some actions, a third symbol option (needs approval) is available. This action
requires approval from an authorized second person before it can be carried out. With each
click, the symbol changes.

4. Click Save changes to add the role.

The Security Manager adds the new role to the Roles table.

Ensemble Controller R15.3 Administrator Manual - Issue: A 139

Adtran Configuring Ensemble Controller

–or–

Click Cancel to stop the operation.

Editing Roles
1. In the Roles Table, select the role that you want to edit.
2. In the Roles tab ribbon menu, Options area, select Edit.
You can now edit the Details Pane.
3. In the Details Pane, modify the relevant attributes as appropriate.

4. Click Save changes to apply your changes.

The Security Manager updates the role in the Roles table according to your changes.
–or–

Click Cancel to stop the operation.

Deleting Roles
1. In the Roles Table, select the role that you want to delete.
2. In the Roles tab ribbon menu, Options area, select Delete.
A Confirmation dialog box displays.
3. Click Yes to confirm the deletion.
The Security Manager removes the role from the Roles table.
–or–
Click Cancel to stop the operation.

Table
The Roles table contains these columns:

Column Description

Role The role name.

Description A description of the role provided that one was added in the course of
creating the role.

Details Pane
The Roles tab includes these accordion containers in the details pane:

Identity 140
Permissions 141

Identity
The Identity accordion container provides these attributes:
l Role name - text box
l Description - text box that can contain multiple lines

Ensemble Controller R15.3 Administrator Manual - Issue: A 140

Adtran Configuring Ensemble Controller

Permissions
In the Permissions accordion container you can manage the permissions to perform certain
tasks.

To allow or disallow an action, click the icon for that action. The icon changes with each
click. Some actions show a 3rd needs-approval icon . If you select the needs-approval icon,
an authorized second person must first approve this action before the user can apply it.
If you disallow an action, Ensemble Controller disallows also its dependent actions. If you revert
the action back to be allowed, Ensemble Controller does not revert the dependent actions. If
required, you must change each of the dependent actions individually.
For an overview of the actions supporting the second-person or two-man approval permission,
see Roles and Allocated Actions.
For general information about the two-man approval feature including the authorization of a
second person, see Enabling Two-Man Approval for Actions.

Action Log Tab

You can manage the security event severities in the Action Log tab.

Changing Event Severities 142

Ensemble Controller R15.3 Administrator Manual - Issue: A 141

Adtran Configuring Ensemble Controller

Table 142
Details Pane 142

Changing Event Severities

Complete these steps to change event severities:
1. In the Action Log Table, select the event group that you want to edit.
2. In the Action Log ribbon menu, Options area, select Edit.
–or–
In the Details Pane, click the pen.
The Details Pane displays the events and its severities for the selected event group that you
now can edit.
3. In the Details Pane, use the slider to change the severity for a security event. The severity icon
and label changes while you move the slider. For keyboard navigation, use the Left or Right
Arrow keys to move the slider. To navigate in the details pane, use the Up or Down Arrow keys.

4. Click Save changes to apply your changes.

–or–

Click Cancel to stop the operation.

Table
The Action Log table displays the supported event groups and contains these columns:

Column Description

Event Group The event group containing the event-related actions.

Description A brief description of the event group content.

Details Pane
After you select an event group in the Action Log Table, the details pane displays the supported
security events and its severities. For information about how to change the severity for a
security event, see Changing Event Severities.

Sessions Tab
You can manage the user sessions in the Sessions tab.

Ribbon Menu 143

Table 143
Details Pane 143

Ensemble Controller R15.3 Administrator Manual - Issue: A 142

Adtran Configuring Ensemble Controller

Ribbon Menu
Select a session in the Sessions Table and then use the Sessions ribbon menu to:
l Terminate the session.
–or–
l Refresh the data in the Table.

Table
The Sessions table contains these columns:

Column Description

User name The login name of the user account.

Host The name of the host.

IP Address The IP address of the computer on which the client application runs.

Logged In At The time when the user logged in.

Details Pane
After you select a session in the Sessions Table, the details pane (read only) updates and
presents the session-related attributes:
l User Name - text box
l Host - text box
l IP Address - text box
l Logged In At - text box
l Last Action - text box - displays up to five security events with time and description. Should
there be more than five events, a scroll bar is made available.

Changing Passwords on Network Elements

Using SNMP
This feature uses SNMP to modify the non-SNMP password on a given network element. Network
elements use SNMPv3 to communicate, which must be enabled on the network element. For
more information about how to configure SNMP properties, see the User Manual.
The password-change action (PCA) manager also provides:
l Scheduling
l Fault update
l Overall PCA status
l PCA network element status

Ensemble Controller R15.3 Administrator Manual - Issue: A 143

Adtran Configuring Ensemble Controller

l Log information
l Log summary
l Email notification
l Background mode

These network elements support the password change through SNMP:

l FSP 150CM
l FSP 150CC-GE20x
l FSP 150CC-T
l FSP 150CP 2.7.01BT
l FSP 150EG-M2
l FSP 150EG-M4
l FSP 150EG-M8
l FSP 150EG-X
l FSP 150-GE11x
l FSP 150-XG116Pro
l FSP 150-XG120Pro
l FSP 150-XG120Pro-SH
l FSP 150-XG210
l FSP 3000R7
l Hatteras HN400, HN4000
l OSA 541x
l OSA 542x
l OSA 5430
l OSA 5440
l OSA 5548C
l OSA Softsync

Requirements to Change Passwords Using SNMP 144

Procedure to Change Passwords Using SNMP 145
Activating a Log File 146

Requirements to Change Passwords Using SNMP

l To change network element passwords through SNMP, you need to have the permission
Modify Network Element Password. This permission is by default granted only to the roles of
administrators.
The administrator sets permissions and corresponding user roles in the Security Manager. To
open the Security Manager, in the Ensemble Controller Settings, select Security, and then
Security Manager. For more information about user roles and allocated privileges, see Roles
and Allocated Actions.
l The Security Manager user group that relates to the permission Modify Network Element
Password must have a non-restricted view that is, the Network and Services are fully

Ensemble Controller R15.3 Administrator Manual - Issue: A 144

Adtran Configuring Ensemble Controller

available to that user group. For information about how to edit user groups in the Security
Manager, see Editing Groups.

Procedure to Change Passwords Using SNMP

Complete these steps to change the network element passwords through SNMPv3:
1. To verify that SNMPv3 is enabled on the relevant network elements, use either way:
l To verify the SNMP settings for individual network elements, in the Networks tree pane,
select the network element, and then in the tab pane, open the Overview tab, SNMP
Configuration area.
l To verify the SNMP settings that apply to your entire network, in the Networks tree pane,
select the network, and then in the tab pane, open the SNMP Profiles Tab. To verify the
configuration for a profile, in the ribbon menu Action area, select SNMP Profiles Manager.
For information about the SNMP Profiles Manager window, see the User Manual.
2. Verify these fields or areas and its values:

Field or Area Description or Steps

SNMP Version You set the value to v3.

SNMPv3 Settings You specified the relevant user settings.

For more information about how to configure SNMP, see the User Manual and the
appropriate topic:
l To configure SNMP settings for individual network elements, see Configuring SNMP for a
Network Element.
l To configure SNMP settings that apply to all network elements included in your network,
see Managing SNMP Profiles.
3. From the application bar Settings menu, select Security, and then Change Password on NEs.
The Password Change Action dialog box opens divided in two panes vertically aligned. The
left pane is set up as table summarizing existing configurations. The right pane is the
configuration pane.
4. In the Network Element table column, expand the relevant network tree to view its network
elements.
5. Proceed with the Select table column in either way:
l To change passwords for all network elements included in your network, select the option
for the root Network.
l To change passwords for all network elements in a network, select the option for that
network.
6. In the configuration pane, New Password area, type the User Name and the new Password
for the selected network.
7. In the Confirm field, re-enter the password.

Ensemble Controller R15.3 Administrator Manual - Issue: A 145

Adtran Configuring Ensemble Controller

8. In the Scheduled Change area, select one of these options:

l Immediate: To change the password now.
l Delayed: To change the password on the date and time that you specify.
9. Click Start to begin the password change.
The Password Change Status area shows the state of the command. These values are
supported: Idle, Scheduled, Running, or Completed.
The Execution Status table column shows one of these options:
l Idle: The PCA does not cover the network element.
l Pending: The PCA covers the network element, but the password is not changed yet.
l Complete: The PCA covers the network element, and the password was successfully
changed.
l Fail: The PCA covers the network element, but the password was not successfully
changed.
The Error Description table column provides a failure reason for each network element that
has a FAIL status as follows:
l Internal Ensemble Controller errors.
l SNMPv3 not supported - the network element does not support SNMPv3.
l SNMPv3 supported but not used - SNMPv3 is supported by the network element but
currently not used.
l SNMPv3 security level is incorrect - an incorrect SNMPv3 security level was used.
l SNMP communication timed out - no response from network element.

Activating a Log File

The user can activate a log file that will be stored in the LOG subdirectory and can be sent to a
specific email address. See Password Change Action Manager Options for activation details.
This log file is a plain ASCII file. It provides these attributes:
l <Date> <Time> <Category> - <Result>: <Description>
o Date - yyyy-mm-dd (yyyy - year, mm - month, dd - day)
o Time - hh:mm:ss,ms (hh - hour, mm - minute, ss - second, ms - millisecond)
o Category - always <INFO>
o Result
n empty
n <SUCCESS>
n <ERROR>

The log file consists of these blocks:

l Configuration section
o Start date and time
n Category - <INFO>
n Result - empty
n Description - “PCA started at <date and time>”

Ensemble Controller R15.3 Administrator Manual - Issue: A 146

Adtran Configuring Ensemble Controller

o Number of assigned NEs

n Category - INFO
n Result - empty
n Description - <number> of NEs assigned to the PCA

l Details section
o Change Result, given for each covered NE
o Category - <INFO>
o Result
n <SUCCESS> - if password change was successful
n <ERROR> - if password change failed
o Description
n <SUCCESS> - The password was successfully changed for <name> (<ip_address>)
n <ERROR> - The password change failed for <name> (<ip_address>)

l Summary section
o Number of covered NEs
n Category - <INFO>
n Result - empty
n Description - “<number> of NEs were covered by the PCA”
o Number of successful Password Changes
n Category - <INFO>
n Result - empty
n Description - “Password successfully changed for <number> NEs”
o Number of failed Password Changes
n Category - <INFO>
n Result - empty
n Description - “Password change failed for <number> of NEs.”
o End date and time
n Category -< INFO>
n Result - empty
n Description - “PCA finished at <date and time>”

Enabling a Connection of One Ensemble

Controller Client to Multiple Servers
To navigate between multiple Ensemble Controller Servers using a Client, you must adapt
security settings for the user to have permission to perform this action. This procedure
addresses setting these permissions.
After you completed this procedure, you can connect to different servers from your client. Meet
these requirements:

Ensemble Controller R15.3 Administrator Manual - Issue: A 147

Adtran Configuring Ensemble Controller

l The servers that you connect to must have the same software version.
l Log in with the same user account with equal or lower privileges.

If you disregard these requirements, you could experience unwanted effects and we cannot
guarantee proper operation anymore.
For information about how to connect to different servers, see the User Manual.

If you use RADIUS and RSA SecurID tokens to set up a one-time-password (OTP)
to log in, then you cannot connect to multiple Ensemble Controller Servers
anymore. For more information about how to log in through RSA SecureID
tokens, see RADIUS Access-Challenge.

Follow this procedure to connect to multiple servers.

1. Open the Security Manager, and then select the Roles Tab.
2. In the Roles Table, select the role of which you want to change action properties, and then in
the ribbon menu (Ctrl + F1) select Edit.
Alternatively to edit an existing role, you can add a new role as described in Adding Roles,
and then assign this role to a new group as described in Adding Groups.
The Role Details Pane is made editable.
3. In the Permissions accordion container, expand Application:

4. Navigate to Modify Connected Servers, and then click its red cross to the right, which turns
into a green checkmark indicating that the action is now permitted.

5. Select Save changes .

Enabling Two-Man Approval for Actions

When the two-man approval feature is enabled, then a respective action first has to be
approved by an authorized second person before it can be carried out.

Ensemble Controller R15.3 Administrator Manual - Issue: A 148

Adtran Configuring Ensemble Controller

For example: A user wants to modify a connectivity service. However, this action is subject to the
two-man approval (or rule) permission.
An approval request is automatically sent from the user, the "requester" to the person
authorized to approve such a task, the "approver".
The approver may now decide whether to reject or allow the user to carry out the respective
task.
The procedure to enable the two-man approval feature is carried out in the sequence as
follows. It is an overview of the overall approach for this procedure. For detailed information,
follow the referenced sections provided in each step:
1. Apply the two-man rule permission to user actions as described in Applying the Two-Man
Rule Permission to User Actions.
2. Assign a user for approver as described in Assigning a User for Approver.
Settings made in Step 1 and 2 result in these three phases when user actions are carried out
that are subject to the two-man rule permission:
l Request Phase - For details about this phase, see About the Request Phase.
l Decision Phase - for details about this phase, see About the Decision Phase.
l Response Phase - for details about this phase, see About the Response Phase.

Applying the Two-Man Rule Permission to User Actions

The two-man rule permission is applied to actions of a relevant user role as described in Editing
Roles.
Should there be no role available to be edited, a new role can be added as described in Adding
Roles and the actions list adapted accordingly.
For an overview of the actions supporting the two-man rule permission, see Roles and Allocated
Actions.
As a result, the user with this role edited has to ask for approval to carry out the actions that are
subject to the two-man rule permission.

Assigning a User for Approver

Follow this procedure to assign a user for approver who then has the privilege to approve
actions that are subject to the two-man rule permission.
For information about how to apply the two-man rule permission to user actions, see Applying
the Two-Man Rule Permission to User Actions.
1. For the user that is to be an approver, navigate to the role assigned to that user as described
in Editing Roles.
2. In the Actions column, expand the Application action group.

3. For the action Second Approval, change the permission symbol to (allowed).
4. Click OK to apply your settings or Cancel to stop the action.
After you click OK, this user is now authorized to approve requests for actions where the two-
man approval permission is set.

Ensemble Controller R15.3 Administrator Manual - Issue: A 149

Adtran Configuring Ensemble Controller

About the Request Phase

The requester initiates an action that is subject to the two-person approval permission, for
example Delete Service.
The ENC Client of the requester, which is referred to as the requester client, suspends the
corresponding action. The system sends an approval request to all ENC Clients that approvers
run, which are referred to as approver clients.
In the requester client, status bar progress indicator, this message indicates the approval
request: "Requesting approval to Delete Service."
Clicking the close button (X), a confirmation dialog box opens. In the dialog box, click Yes to
cancel the request.
An approver client must be logged in to the server for the software to process this request. If no
approver client is logged in, this message displays: "No other approvers are currently logged in."

About the Decision Phase

Opening the Approval Requests Dialog Box 150
Viewing the Approval Requests Dialog Box 150
Deciding on the Requests in the Approval Requests Dialog Box 151

Opening the Approval Requests Dialog Box

l Automatically: After the system successfully sends the approval request, the Ensemble
Controller approver Clients automatically display the Approval Requests dialog box.
l Manually: To open the Approval Requests dialog box again at a later time, from the
application bar Settings menu, select Security, and then Approval Requests.

Viewing the Approval Requests Dialog Box

The Approval Requests dialog box lists requests that users (or requesters) sent to you (or
approvers) for approval. The dialog box includes these columns:

Columns Description

Requester User Id The name or identification of the user who requests approval.

Permission Requested The operation that the user request permission for.

Time of Request The time when the user requested the approval.

Ensemble Controller adds incoming requests as a new row at the top of the list and orders them
by time. The number of requests is unlimited in the Approval Requests dialog box. You can
configure a sound for incoming requests as described in the User Manual.

Ensemble Controller R15.3 Administrator Manual - Issue: A 150

Adtran Configuring Ensemble Controller

Deciding on the Requests in the Approval Requests Dialog Box

Use the appropriate button to decide on the requests that display in the Approval Requests
dialog box:

Button Description

Approve Click to approve the selected requests.

Deny Click to deny the selected requests.

Ignore Click to ignore the selected requests.

After you click Ignore:
l Ensemble Controller removes the selected approval request from the
dialog box.
–or–
l The dialog box closes if the entry is the last one.

If the Approval Requests dialog box still contains requests and you close it, the dialog box hides
but remains active in the background as long as there are open requests. The requests remain
valid for two minutes, which a Progress dialog box indicates. If the approver takes no decision or
the requester does not abort the request within these two minutes, the Progress dialog box
displays the message TIMEOUT request to Delete Service, for example.
If the timeout message displays, or you aborted, approved, or denied requests, the system
removes the respective rows from the Approval Requests dialog box for all eligible Ensemble
Controller approver Clients. The dialog box closes after the system removed the last request.
Progress results display in the message pane.

About the Response Phase

This table describes the approval requests. See the user manual for information about the
message pane.

Approval Description
Request

Approved The user action is enabled, resumed, and executed.

For this type of action, no new approval is required within the two-
minute validity period. This message displays in the message pane:
"Request for approval to Delete Service: APPROVED."

Ensemble Controller R15.3 Administrator Manual - Issue: A 151

Adtran Configuring Ensemble Controller

Approval Description
Request

Denied The user action remains disabled for the two-minute validity period and
does not execute. This message displays in the message pane: "Request
for approval to Delete Service: DENIED."
Wait 10 minutes to start another approval request for the same action. A
window displays with this message to the requester: "An approval
request to Delete Service was recently DENIED. Please wait before
retrying."

Not approved, The request by the requester is not approved, denied, or aborted within
denied, or the validity period of two minutes. This message displays in the message
aborted pane: "Request for approval to Delete Service: TIMEOUT." The process is
unable to execute the user action.

Not started Implies that no approver client who can approve the user action is
logged in to the server. This message displays in the message pane:
"Request for approval to Delete Service: NO_APPROVERS." The process is
unable to execute the user action.

If multiple Ensemble Controller approver Clients are logged in the server, the process first
approves the approver who responds first.

Granting Temporary Admin User Rights on

Network Elements
This section describes how to obtain administrative user rights (privileges) on network elements
(NEs) temporarily. That is, the temporary administrative privilege is requested and granted for
the current user session on the network element.
These network elements are supported:
l WDM:
FSP 3000R7
l Ethernet:
FSP 150-XG210
FSP 150-XG210C
FSP 150CC-GE201
FSP 150CC-GE201SE
FSP 150CC-GE206V
FSP 150-XG116Pro
FSP 150-XG120Pro
FSP 150-XG120Pro-SH

This action involves these three phases:

Ensemble Controller R15.3 Administrator Manual - Issue: A 152
Adtran Configuring Ensemble Controller

l Requesting approval through SNMP trap from the NE to the Ensemble Controller (ENC).
An operator with lower privileges requests an upgrade from the Network Element Director
(NED) client. That is, these privilege upgrade requests originate from a particular device
externally and not from the Ensemble Controller.
This phase corresponds to the general processing of a request phase as described in About
the Request Phase.
l Taking a decision by an authorized person (administrator) through Approval Request
window.
This phase corresponds to the general processing of a decision phase as described in About
the Decision Phase.
l Responding through SNMP set request from the Ensemble Controller to the network element.
This phase corresponds to the general processing of a response phase as described in
About the Response Phase.

For information about how to view or revoke approved requests, see Viewing or Revoking
Approved Requests.
For information about a fallback solution if the connection between the Ensemble Controller
and the network element inadvertently interrupts or fails, see Fallback Solution if the Network
Element Connection Fails.

Viewing or Revoking Approved Requests

This section presents the option to either view or revoke an approved request of granting
administrative user privileges on network elements.

Requirement to Revoke Approved Requests 153

Opening the Approved Temporary Privileges Dialog Box 154
Revoking an Approved Request 154

Requirement to Revoke Approved Requests

To revoke an approved request, you need to have the permission Temporary Privilege Session
Kill. This permission is by default granted to the roles of administrators or configurators.
The administrator sets permissions and corresponding user roles in the Security Manager. To
open the Security Manager, in the Ensemble Controller Settings, select Security, and then
Security Manager. For more information about user roles and allocated privileges, see Roles and
Allocated Actions.

Ensemble Controller R15.3 Administrator Manual - Issue: A 153

Adtran Configuring Ensemble Controller

Opening the Approved Temporary Privileges Dialog Box

In the Networks tree pane, right-click the relevant network element, and then select Approved
Temporary Privileges.

The network element name that displays in the Permission Requested column, is based on the
NE identity type settings. For more information about how to set the NE identity type, see the User
Manual, Configuring the Network Element Identity.

Revoking an Approved Request

In the Approved Temporary Privileges dialog box, select the relevant request, and then click the
icon to remove that request . An informational dialog box displays when the system
successfully revoked the selected request.

Fallback Solution if the Network Element Connection Fails

If the connection between Ensemble Controller and the network element (NE) interrupts or fails,
the NE-fallback password management tool ensures that the system can still grant
administrative privileges. It is assumed that the connection between the NE and a RADIUS server
is interrupted, too. The fallback user is available only if the NE cannot reach the RADIUS server
because the system stores the fallback user in the NE local user database.
The NE-fallback password management tool handles the password of the fallback user, the
user of "last resort" for each NE individually.

Requirement to Use the Fallback Solution 154

Enabling the Network-Element Fallback User-Password Management Tool 155
Opening the Management Tool 156
Revealing a Fallback User Password 157

Requirement to Use the Fallback Solution

These network elements support the fallback user password if they have the software version as
specified in this table:

Ensemble Controller R15.3 Administrator Manual - Issue: A 154

Adtran Configuring Ensemble Controller

Network Element Required

Software
Version

Ethernet including XG, GE, EGX, and OSA 8.5.1

FSP 3000R7 15.1.2

Enabling the Network-Element Fallback User-Password

Management Tool
Complete these steps to enable the management tool for the network element (NE) fallback
user password.
1. In the fnm.properties file, locate the property com.adva.fnm.option.FallbackNEUserID,
and then specify the user name that relates to the randomly created fallback password. An
acceptable user name must conform to character rules. The rules differ according to the
network-element type and any configured security policies. For FSP 3000R7 network
elements, the fallback user name must:
l Have 4 to 10 characters.
l Contain only these alphanumeric characters: a to z; A to Z; 0 to 9.
l Contain only these special characters: “.” and “_”. No other special characters are
allowed.
For information about the user name policies for other NEs, see the associated product
manual.
For information about how to configure properties in the fnm.properties file, see Editing the
fnm.properties File.
2. Configure the relevant NE that will use SNMPv3 to communicate to the Ensemble Controller,
as described in the User Manual.
If you miss to customize the SNMP settings, Ensemble Controller will continuously clutter you
with error messages in the message pane until you have changed to SNMPv3.

Effect of Enabling the Management Tool

After you enable the management tool, these events take place:
l After Ensemble Controller discovers the network element, the system randomly creates the
fallback password for the user that you configure in the fnm.properties file. Because of keep
alive polling (KAP), Ensemble Controller repeatedly attempts to create these passwords while
the network element is online.
If the user that you configure in the fnm.properties file already exists on the network element,
one of these results will occur:
o If the user is unlocked and has administrative user rights, the fallback password changes.
o If the user is locked or has no administrative user rights, the fallback password remains
the same and the message pane displays a related error message.

Ensemble Controller R15.3 Administrator Manual - Issue: A 155

Adtran Configuring Ensemble Controller

Rules that Ensemble Controller follows when generating a random

fallback password:

o Contains at least one alphabetic character (a..z; A..Z).

o Contains at least one numeric character (0..9).

o Contains at least one special character ( ! , @ , # , $ , % , ^ , ( , ) , _ , + , | ,

~ , { , } , [ , ] , - , . ).

l The message pane displays success or failure messages when you try to create the
password, and the management tool presents these messages as the status for each
network element. Ensemble Controller saves and displays both the previous and the new
password for password creation failures that result in an Unknown password status (see
Figure 6).
l You can use the management tool to reveal the stored fallback-user password for a
particular network element, as described in Revealing a Fallback User Password.
l The management tool automatically updates the network element and password statuses,
and the presence of network elements that you add or delete.

Opening the Management Tool

Sorting Table Content 156
Filtering Table Content 156

You can open the management tool in either of these ways:

l In the Ensemble Controller Settings, select Security, and then NE Fallback User Passwords.
l In the Networks tree pane, right-clicking the relevant network element, and then select NE
Fallback User Passwords. If you open the management tool from the network element, then
Ensemble Controller preselects that network element in the Fallback User Passwords window.

The Fallback User Passwords window displays the status for each password and its
corresponding network element in tabular form.

Sorting Table Content

You can sort the content of the management tool table. The sorting in this table follows the
usual behavior for sorting tables in Ensemble Controller. For more information about sorting, see
the User Manual, Sorting Table Columns.
By default, the management tool table sorts its content by the NE column. To change the
default sorting, right-click the relevant column header, and then select Sort by default.

Filtering Table Content

You can filter the management tool table by the information that each column provides. The
filtering in this table follows the usual behavior for filtering table content in Ensemble Controller.
For more information about how to filter table content, see the User Manual, Filtering Table
Columns.

Ensemble Controller R15.3 Administrator Manual - Issue: A 156

Adtran Configuring Ensemble Controller

Revealing a Fallback User Password

Complete the steps in this procedure to reveal a fallback user password.

Requirements to Reveal a Fallback User Password 157

Procedure to Reveal a Fallback User Password 157

Requirements to Reveal a Fallback User Password

l To reveal a fallback user password, you need to have the permission Reveal Fallback NE
Password. This permission is by default only granted to the roles of administrators, and is also
subject to the two-man rule. For information about the two-man rule, see Enabling Two-Man
Approval for Actions.
The administrator sets permissions and corresponding user roles in the Security Manager. To
open the Security Manager, in the Ensemble Controller Settings, select Security, and then
Security Manager. For more information about user roles and allocated privileges, see Roles
and Allocated Actions.
l You enabled the fallback user password management tool as described in Enabling the
Network-Element Fallback User-Password Management Tool.
l The network element does temporarily NOT connect to a RADIUS server. The fallback user is
available only if the network element cannot reach the RADIUS server because the system
stores the fallback user in the network element local user database.

Procedure to Reveal a Fallback User Password

1. Open the management tool as described in Opening the Management Tool.
2. In the management tool table, select the row that contains the relevant network element
and corresponding password that you want to reveal.
3. Click the Reveal password button .
A window displays with the required password information:

If the system could not set the password in the network element because of, for example
connectivity problems, this window also shows the previous password as illustrated here:

Ensemble Controller R15.3 Administrator Manual - Issue: A 157

Adtran Configuring Ensemble Controller

Figure 6: Revealed, new Password and Previous Password

4. Inform the requesting user about the revealed password.

5. Click OK to close the revealed password information window.
Ensemble Controller creates a new fallback password when you reveal the current fallback
password. If the network element is offline, Ensemble Controller creates a new fallback
password as soon as the network element is back online. After the network element is online
for approximately two minutes, Ensemble Controller sets the fallback password in the
network element.

SSH Settings
Complete these steps on the primary and secondary Ensemble Controller Servers to access the
SSH servers:
1. Change the location of the user non-root or root home directory to:
/opt/adva/fsp_nm: sudo vipw
2. From the OpenSSH installation bin directory, select ssh-keygen to generate the
public/private key pair /usr/bin/ssh-keygen. Use one of these methods:
l Generate a public/private key pair that is either a DSA or an RSA type without a pass
phrase. For OpenSSH 7.8 and later, add this extension to the generated RSA key pair:
-m PEM: ssh-keygen -t rsa -m PEM.
l Generate a public/private key pair that is either a DSA or an RSA type with a pass phrase.
This step requires you to populate the property com.adva.fnm.ssl.passphrase as
described in com.adva.fnm.ssl.passphrase.
For OpenSSH 7.8 and later, add this extension to the generated RSA key pair:
-m PEM: ssh-keygen -t rsa -m PEM.
3. In the Ensemble Controller installation directory fnm.properties file, use the property
com.adva.fnm.ssl.keyfile to specify the path of the private key file:
com.adva.fnm.ssl.keyfile=/opt/adva/fsp_nm/.ssh/id_rsa
For information about how to edit the fnm.properties file, see Editing the fnm.properties File.
4. In the SSH user home directory, change the name of the file with the public key from id_
rsa.pub to authorized_keysto:
/opt/adva/fsp_nm/.ssh/authorized_keys
5. To exchange the public keys, move the authorized_keys file from the primary server to the
secondary server. Then move the file back from the secondary server to the primary server.

Ensemble Controller R15.3 Administrator Manual - Issue: A 158

Adtran Configuring Ensemble Controller

SFTP Settings
If the fnm.properties com.adva.fnm.option.useKeyBasedAuthenticationForFileTransfer
parameter is set to true, key-based authentication must authenticate any FTP operations that
ENC runs. The SCP/SFTP connect method uses the user-name and private-key file settings
instead of the user-name and password. See SSH Settings for more information about the SSH
settings.

High Availability
To continuously deploy, monitor, or maintain Ensemble Controller, you can use the high-
availability mode of operation. It secures your system 24/7 even if hardware or software
outages occur, for example, in situations where unplanned faults or planned maintenance
activities cause downtimes.
Ensemble Controller supports these high-availability solutions:

Solution Basic Feature Overview

Standard High l Available natively in Windows and Linux operating systems.

Availability
l Only supports two-node clusters with a primary-secondary server
concept. For an overview of the two-node cluster structure, see Standard
High Availability – Two-Node Cluster Concept.
l Copies the entire database from the primary to the secondary server at a
configured periodic interval, for example, once a day, or every 8 hours.
After each database copy, the secondary server restarts against the new
database, which causes a downtime.
l The primary and secondary servers are both operational (hot standby)
and both receive notifications from the network elements to stay
synchronized with the network.
l Supports manual and automatic server-side failover.
l The client typically connects to the primary server in normal situations
and will reconnect to a newly elected primary server after failover.

Streaming l Available natively in Linux operating systems.

Replication l Supports three-node clusters but not two-node clusters. For an overview
High Availability of the three-node cluster structure, see Streaming Replication High
Availability - Three-Node Cluster Concept.

Ensemble Controller R15.3 Administrator Manual - Issue: A 159

Adtran Configuring Ensemble Controller

Solution Basic Feature Overview

l All three nodes host a distributed configuration store (DCS) that provides
quorum determination and reliable leader election for the cluster. Two of
the nodes are designated to host the Ensemble Controller core server and
database; these operate in a primary-standby concept with assistance
from the DCS.
l Uses incremental, asynchronous database replication. As changes are
made on the primary server, these are incrementally applied to update
the standby database. This significantly reduces the window for data loss
between systems.
l Only the primary server is operational against the primary database. The
standby server is only partly initialized; it cannot use the standby database
in any meaningful way until the system has failed over.
l Manual and automatic switchover with reliable quorum determination
avoids split-brain scenarios in network partitions and allows the solution to
operate autonomously at least with respect to switchover.

l You can manually split the cluster for rolling upgrades, and enable a
single node to continue operation as primary server even in light of
multiple concurrent failures.

The streaming replication high-availability solution has these benefits over the standard
version:
l Asynchronous streaming database replication, which guarantees that data changes are
almost immediately copied to the standby server.
l Handles network partitions and thus avoids situations where you have multiple primary
servers (split brain).

Regardless of the high-availability solution that your system uses, you must
make sure that you maintain identical fnm.properties settings on the primary
and secondary or standby servers.
For information about the properties related to high-availability, see High
Availability Options.
For general information about how to edit the fnm.properties file, see Editing
the fnm.properties File.

See these topics for more information about the high-availability solutions:

Standard High Availability 161

Streaming Replication High Availability 184
Migrating from Standard to Streaming Replication High Availability 210

Ensemble Controller R15.3 Administrator Manual - Issue: A 160

Adtran Configuring Ensemble Controller

Standard High Availability

General Information 161
Preparing to Configure Standard High Availability 167
Maintaining Standard High Availability 179

General Information
The Two-Node Cluster Concept 161
Server-Mode Switchover Behavior for Standard High Availability 162
Server Status 164
Comparing the Primary-to-Secondary Server Activity 165

The Two-Node Cluster Concept

The standard high-availability version requires two Ensemble Controller Servers (ENC Servers)
that must operate in parallel.
You configure one server to be the primary server and the other server to be the secondary
server. That makes the servers intercommunicate. Both servers receive events from the network
elements (NEs) as shown in Figure 7. After you log in to the Ensemble Controller Client (ENC
Client), the system will always redirect you to the primary server.
Figure 7: Standard High Availability – Two-Node Cluster Concept

Most of the time, the primary server operates in master mode, and the secondary server
operates in slave mode.

Ensemble Controller R15.3 Administrator Manual - Issue: A 161

Adtran Configuring Ensemble Controller

l The Ensemble Controller primary server has full read-and-write access to its database (DB)
and reports.
l An Ensemble Controller secondary server cannot write to its database and reports.
l Only one Ensemble Controller Server can be the primary server at a time. If both servers are in
master mode, the system raises an alarm.

The administrator must change the secondary Ensemble Controller Server to slave mode.
However, you can configure the Ensemble Controller Servers to work in automatic changeover
mode. If you specify this configuration, the system automatically changes servers without
administrator intervention.
The database and reports of the secondary server are identical to the primary server database
and reports. The recurring database-backup feature creates this identical copy. The system
automatically copies the primary database backup file to the secondary server in a controlled
manner. To avoid large backups, back up only the database but not the reports. See Changing
the Ensemble Controller Server Work Mode for more information.

In case of HA switchover when using REST NBI, the connection would work with
the wrong information. Therefore, if a server is in slave mode, REST API is
blocked and 409 error-code displays.

Server-Mode Switchover Behavior for Standard High Availability

Implications if Primary Servers Stop Working 162
Implications After Restoring Primary Servers 163
Manually Changing the Server Mode 163
Configuring Server Shell Scripts 164

Implications if Primary Servers Stop Working

If the primary Ensemble Controller Server, which works in master mode, stops working, these
results occur:
l The server sends an event to the connected Ensemble Controller Clients.
l If you enable Automatic Switchover, the secondary Ensemble Controller Server automatically
changes to master mode after it loses contact to the primary Ensemble Controller Server.
Thereafter, the secondary Ensemble Controller Server continuously attempts to connect to
the primary Ensemble Controller Server to change it to slave mode.
l If you disable Automatic Switchover in the Ensemble Controller Client, you must then
manually change the secondary Ensemble Controller Server to master mode. Thereafter, the
secondary Ensemble Controller Server continuously attempts to connect to the primary
Ensemble Controller Server to change it to slave mode. If the secondary server fails to change
the primary server to slave mode, connected Ensemble Controller Clients cannot reconnect
to any Ensemble Controller Server.

For information about how to enable or disable automatic switchover, see Enabling or Disabling
Automatic Switchover for Standard High Availability.

Ensemble Controller R15.3 Administrator Manual - Issue: A 162

Adtran Configuring Ensemble Controller

Implications After Restoring Primary Servers

If you re-establish the primary Ensemble Controller Server that no longer works correctly and
thus works in slave mode, these results occur:
l The server sends an event to the connected Ensemble Controller Clients.
l If you enable Automatic Switchover, the primary Ensemble Controller Server detects that the
secondary Ensemble Controller Server is in master mode. However, the primary server does
not automatically change back to master mode. You must first identify the server that has
the most accurate database, and then if appropriate, manually change the primary server
back to master mode.
l If you disable Automatic Switchover, the primary Ensemble Controller Server detects that the
secondary Ensemble Controller Server is in master mode. You must identify the server that
has the most accurate database. Then, if appropriate, use the Ensemble Controller Client to
manually change the primary server back to master mode, and the secondary server to
slave mode. If no client is connected, the primary server continues to run in slave mode and
the secondary server in master mode. If the secondary server no longer functions, the
primary server does NOT automatically change back to master mode.
l After the primary Ensemble Controller Server changes back to master mode, all Ensemble
Controller Clients that connect to the server display a message. This message informs you
that your client will be connected to a server that runs in slave mode, and you must change
to the server that runs in master mode.

Manually Changing the Server Mode

You must manually change the Ensemble Controller Server mode in these situations:

Situation Description

Maintenance You need to perform maintenance work on the primary server, which
requires administrator privileges to change the primary server to slave
mode. The secondary server automatically changes to master mode,
and the Ensemble Controller Client can connect to that secondary
server that now works in master mode.
During this changeover, you must configure the system so that the
secondary server is identical to the primary server database. After you
complete the maintenance work, you must change the primary server
back to master mode and replicate the database again.

Corrupt The database on the primary server is corrupt or not current. This
database situation requires you to change the primary server to slave mode
WITHOUT replicating the primary server database onto the secondary
server during the changeover.

Ensemble Controller R15.3 Administrator Manual - Issue: A 163

Adtran Configuring Ensemble Controller

Situation Description

Disabled The Ensemble Controller Client cannot connect to the primary server,
automatic and you disabled automatic switchover. The primary server detects this
switchover situation and prompts you to connect to the secondary server. In the
status bar, you can verify the Server Status. This status shows whether
your client connects to a server that runs in slave mode. If you disable
automatic switchover on the secondary server, you must manually
change the secondary server to master mode. During this changeover,
you cannot replicate the primary server database to the secondary
server because your client is not connected to the primary server.

Configuring Server Shell Scripts

In the fnm.properties file, you can use these properties to configure shell scripts for both the
primary and secondary servers:

Shell Script Description

com.adva.fnm.option.afterSwitchoverPrimaryScript Points to the script that the

system uses after the server
changes to master mode.

com.adva.fnm.option.afterSwitchoverSecondaryScript Points to the script that the

system uses after the server
changes to slave mode.

You are fully accountable for the content of your scripts. The Ensemble
Controller Server does NOT analyze or verify scripts for errors.

After you configure scripts in the fnm.properties file, and after you complete the procedure to
change servers, the system runs the scripts.

Server Status
The Ensemble Controller Client status bar displays information about the Ensemble
Controller Server that the client connects to.

Ensemble Controller R15.3 Administrator Manual - Issue: A 164

Adtran Configuring Ensemble Controller

If you configure a high-availability server pair, the server status information includes the IP
address and the mode for the two servers. If the system loses its connection to the Ensemble
Controller Server, the system displays, Not responding.

Comparing the Primary-to-Secondary Server Activity

This table provides an overview of Ensemble Controller features in a standard high-availability
configuration and whether these features are activated or disabled on the primary and
secondary servers.

Ensemble Controller R15.3 Administrator Manual - Issue: A 165

Adtran Configuring Ensemble Controller

Ensemble Standard Operation After Switchover: Failure Case

Controller Environment
Feature
Active on Active on the Active on the Active on the
the Secondary Primary Server in Secondary
Primary Server in Slave Slave Mode Server in
Server in Mode Master Mode
Master
Mode

Trap reception Yes Yes Yes Yes

and processing

Event Yes No No Yes

forwarding
through SNMP to
OSS

CSV event Yes Yes Yes Yes

reporting

Event Yes No No Yes

notification
through email,
script, or an
Internet Control
Message
Protocol (ICMP)
message

Scheduled Yes No. No. Yes

performance To enable it on To enable it on
monitoring data demand, in the demand, in the
collection fnm.properties fnm.properties
file, edit the file, edit the
applicable applicable
property. property.

Scheduled Yes Yes Yes Yes

performance
monitoring data
comma-
separated
values (CSV) file
reporting

Scheduled Yes Yes Yes Yes

inventory report

Ensemble Controller R15.3 Administrator Manual - Issue: A 166

Adtran Configuring Ensemble Controller

Ensemble Standard Operation After Switchover: Failure Case

Scheduled Yes Yes Yes Yes

service
inventory report

Scheduled Yes No No Yes

backup of the
network
element
configuration

Processing Yes No No Yes

incoming Multi-
Technology
Operations
Systems
Interface
(MTOSI)
requests

Scheduled Yes N/A N/A Yes.

database But no
backup and automatic
automated sync sync to
to secondary secondary
server server occurs.

Preparing to Configure Standard High Availability

Complete these tasks first on each server to prepare two Ensemble Controller Servers to work
together to provide high availability:
l Install Ensemble Controller as described in Installing Ensemble Controller.
l Set up an SSH server as described in Installing CopSSH. This step is necessary for the
secondary Ensemble Controller Server to update its database from the primary Ensemble
Controller Server.
l Define IP addresses for the primary and the secondary Ensemble Controller Servers so that
they can intercommunicate, and the Ensemble Controller Clients can reach the servers.

Ensemble Controller R15.3 Administrator Manual - Issue: A 167

Adtran Configuring Ensemble Controller

l For the servers to properly communicate, you must install both the primary and the
secondary Ensemble Controller Servers on computers that run the same operating system,
version, and architecture such as a 64-bit system. For example, you can run Linux + Linux or
Windows + Windows, and so on. In general, the Ensemble Controller Servers support Windows
and Linux.

While you are in the process of configuring high availability, avoid any
database-intensive activities such as a database backup.

See these procedures according to your operating system:

Configuring Standard High Availability in Windows 168

Configuring Standard High Availability in Linux Systems 173
Applying and Testing the New Standard High-Availability Configuration 175

Configuring Standard High Availability in Windows

Complete these steps to configure high availability for Ensemble Controller in a Windows
environment on both the primary and the secondary server. High availability requires either
password or key authentication. This procedure focuses on password authentication. To use
key authentication, start with Step 20 in this procedure.
1. Install Ensemble Controller on the two computers where you want the primary and the
secondary servers to run. The Ensemble Controller Server automatically installs at the same
time.
2. Ensure that the Ensemble Controller Servers shut down on both computers. If they do not,
shut them down manually as described in Stopping the Ensemble Controller Server.
3. Turn OFF the Windows User Account Control (UAC). Navigate to the Windows Start menu,
Control Panel > User Accounts.
4. Restart your computer.
5. In the console, type lusrmgr.msc to create a new system user account for later use with the
SSH server.
6. In the New User window, add a new user, for example, advaremote, with password secret123.
The New User window is shown here:

Ensemble Controller R15.3 Administrator Manual - Issue: A 168

Adtran Configuring Ensemble Controller

Figure 8: New User Window

7. Select both User cannot change password and Password never expires as shown in Figure 8.
8. Click Create to create the new user.
The system adds the new user as shown in Figure 9.
Figure 9: New User Added and Selected

Ensemble Controller R15.3 Administrator Manual - Issue: A 169

Adtran Configuring Ensemble Controller

9. To grant administrator rights to the new user:

a. Right-click Properties > Member Of tab, and then click Add.
b. In the Select Groups window, add the user to the administrators group as shown in Figure
10.
Figure 10: Adding a New User to the Administrators Group

10. If the CopSSH version is a version 3.1.1 or later, complete these steps:

a. Uninstall CopSSH.
b. Delete the user SvcCOPSSH.
c. Restart the computer.
11. Double-click the installer of copssh to install CopSSH. For example, the installer can be
copssh_server_7.10.1_x64_prod_installer.
During installation process, provide the license key and finish the installation using the
default settings.

Continue with these steps:

Ensemble Controller R15.3 Administrator Manual - Issue: A 170

Adtran Configuring Ensemble Controller

1. Open the COPSSH Control Panel.

2. Verify that the SSH service runs successfully and that no active connections exist.
3. Select Users to activate the user for the SSH access.
4. Click Add.

5. From the User list, select the relevant user name.

Ensemble Controller R15.3 Administrator Manual - Issue: A 171

Adtran Configuring Ensemble Controller

6. Click Forward twice, and then Apply by using default values.

The CopSSH Control Panel window opens again.

7. Click Apply to finish the user activation.

8. To verify the connection by using CopSSH, enter the remote host IP address to start PuTTY.
Use the login credentials or password of the user that you created.
A typical PuTTY screen is shown in Figure 11. If the connection succeeds, the process
completes successfully.
Figure 11: PuTTY Dialog

l If you CANNOT connect to the remote server through PuTTY using IPv4,
change to IPv6. Try again and to connect through PuTTY or another SSH
client.

Ensemble Controller R15.3 Administrator Manual - Issue: A 172

Adtran Configuring Ensemble Controller

l If you CAN connect to the remote server through PuTTY using IPv6, run
commands from Step 4 of this procedure to connect to the remote
server through Ensemble Controller Server High Availability.

9. Verify that the user you set up to have SSH access has full security rights to the folder and
the sub-folders of c:\Program Files\ADVA Optical Networking.
10. Turn ON the Windows User Account Control (UAC) located in Control Panel > User Accounts.
11. To use key authentication instead of password authentication, go to the CopSSH bin
directory. The default directory is C:\Program Files (x86)\ICW\bin.
12. Follow the procedure for key authentication described in Configuring Standard High
Availability in Linux Systems.
After you complete the procedure, the password field in the high availability setup wizard
becomes unavailable, and you can use key authentication instead.
13. You can test your high availability configuration as described in Applying and Testing the
New Standard High-Availability Configuration.

Configuring Standard High Availability in Linux Systems

Complete these steps to configure high availability for Ensemble Controller in Linux.
1. Install Ensemble Controller on the computers where you want the primary and secondary
servers to run.
2. Decide if you want to configure high availability using the SSH password or the SSH key.

Configuring High Availability with the SSH Password 174

Configuring High Availability with the SSH Key 174

Ensemble Controller R15.3 Administrator Manual - Issue: A 173

Adtran Configuring Ensemble Controller

Configuring High Availability with the SSH Password

1. Decide if you want to use the root account, and if so, see Applying and Testing the New
Standard High-Availability Configuration.
–or–
If you want to use an account other than root, complete these steps on both the primary
and secondary server:
2. Shut down all Ensemble Controller Servers. See Procedure for Stopping the Server in Linux.
3. Create a user account to use for remote communication:

a. Set the user password: passwd username

b. Change to the current directory: cd/opt/adva/fsp_nm
c. If you used the Ensemble Controller installation software to install both the Embedded
License Server and Ensemble Controller on the same computer, change the owner and
group of the ELS services. If not, continue with Step 3d.
To change the owner and group of the ELS services, run the elschangeuser.sh script:
/opt/adva/fsp_nm/els/elschangeuser.sh <username> <groupname>
d. Run the changeUser.sh script:
/opt/adva/fsp_nm/bin/changeUser.sh <username> <groupname>
Make sure that you use the same <username> and <groupname> for
both the changeUser.sh and elschangeuser.sh scripts. The names must
be identical.

e. Reboot the Ensemble Controller Servers to apply the changes.

4. To continue your high-availability configuration, see Applying and Testing the New Standard
High-Availability Configuration.

Configuring High Availability with the SSH Key

1. Decide if you want to use the root account, and if so see Step 4.
–or–
If you want to use an account other than root, complete these steps on both the primary
and secondary server:
2. Shut down all Ensemble Controller Servers. See Procedure for Stopping the Server in Linux.
3. Create a user account to use for remote communication:

a. Set the user password: passwd username

Ensemble Controller R15.3 Administrator Manual - Issue: A 174

Adtran Configuring Ensemble Controller

Make sure that you use the same <username> and <groupname> for
both the changeUser.sh and elschangeuser.sh scripts. The names must
be identical.

Ignore any request to reboot the server for now because the step that
follows also requires a reboot.

4. See SSH Settings for more information on the SSH settings.

5. Reboot the Ensemble Controller Server to apply the changes.
6. To continue your high-availablity configuration, see Applying and Testing the New Standard
High-Availability Configuration for information.

Applying and Testing the New Standard High-Availability

Configuration
Requirements
l The account that you use to configure standard high-availability must be the same account
that you use to log into ENC GUI. If you use a RADIUS account, also make sure that you can log
into the ENC GUI on the secondary server with this account.
l If you use ENC 14.3.1 version or later, make sure that port 9543 is set in this property in the
fnm.properties file:
com.adva.fnm.option.rest.securePortWithMutualAuth=9543

Procedure
l Complete this task only on the primary server, which usually works in master
mode. The secondary server currently works as a standalone server in this
high-availability configuration.
l If the remote server receives a new host key, the system generates the
security event:
S-HOSTKEY “HA SSH Host Key Changed (potential security threat, if
unexpected).”
If this event occurs because you changed the high-availability server
configuration, for example, if you installed new server hardware or a new
operating system, you can ignore the event. If the event occurs for another
reason, the event might indicate a potential security threat, for example a
man-in-the-middle attack.

Complete these steps to apply and test the new standard high-availability configuration.
1. On the primary Ensemble Controller Server, from the application bar Settings menu, select
System, and then High Availability. The High Availability Setup Wizard opens:

Ensemble Controller R15.3 Administrator Manual - Issue: A 175

Adtran Configuring Ensemble Controller

2. If you are setting up high availability for the first time, click Get Defaults, which populates the
Primary Server area, IP Address field and Port field.
3. In the Secondary Server area, edit these fields:

l IP Address - the IP address of the secondary server.

l ENC user - the user name of the secondary server.
l ENC password - the user password of the secondary server.

4. In the Server Account area, Server account and Server password fields, type the server
account credentials for the SSH connection. For details, see Preparing to Configure Standard
High Availability.

Ensemble Controller R15.3 Administrator Manual - Issue: A 176

Adtran Configuring Ensemble Controller

5. Click Next. The test begins:

The High Availability Test Process wizard indicates in real time which of these tests are
running:
l The connection
l SSH
l SFTP
6. The High Availability information area shows the results of the test:
l If the test is successful, click Next.

Ensemble Controller R15.3 Administrator Manual - Issue: A 177

Adtran Configuring Ensemble Controller

l If the test fails, the Description area provides failure details. Correct any configuration
problems and retest.

7. After the High Availability information area shows COMPLETED and All tests passed, click Next.
The remote high-availability server reboots.

Ensemble Controller R15.3 Administrator Manual - Issue: A 178

Adtran Configuring Ensemble Controller

8. If the SSH or SFTP connection test fails, to increase the connection attempts, in the
fnm.properties file, modify this property com.adva.fnm.ssl.connectionAttempts.
9. After the remote server reboots and resynchronizes with the local server, the High Availability
Apply Configuration Setting wizard opens:

10. Click Close.

Maintaining Standard High Availability

This section provides information about how to maintain an existing high-availability
configuration.

Upgrading Ensemble Controller Servers that Use Standard High Availability 179
Changing an Existing Standard High-Availability Configuration 180
Changing the Ensemble Controller Server Work Mode 182
Enabling or Disabling Automatic Switchover for Standard High Availability 183
Disabling a Standard High-Availability Configuration 184

Upgrading Ensemble Controller Servers that Use Standard High

Availability
Complete these steps to upgrade Ensemble Controller Servers that run in a standard high-
availability configuration, and especially if you want to upgrade from an earlier version, for
example 11.2, to 12.x.

Ensemble Controller R15.3 Administrator Manual - Issue: A 179

Adtran Configuring Ensemble Controller

With 12.1, the Embedded License Server manages the licenses that the Ensemble Controller
requires. To guarantee a consistent high availability licensing operation, you must follow this
procedure.
To upgrade servers that do not use high availability, see Upgrading Ensemble Controller.
1. Disable the high-availability configuration as described in Disabling a Standard High-
Availability Configuration.
2. For both servers, back up the database to a directory outside of the Ensemble Controller
installation folder:
a. On the one server, start the nmsadmin script located in the Ensemble Controller
installation bin directory, and then type J to select Backup Database.
b. Follow the displayed commands.
c. Repeat Step 2a-b for the other server.
3. On the primary server:
a. (Optional) Uninstall the dated version as described in Uninstalling Ensemble Controller.
b. Install the target version as described in Installing Ensemble Controller.
c. Only if you uninstalled Ensemble Controller in Step 3a:
i. Stop the server as described in Stopping the Ensemble Controller Server.
ii. Restore the database as described in Restoring the Ensemble Controller Database.
iii. Start the server as described in Starting the Ensemble Controller Server.

4. On the secondary server:

a. (Optional) Uninstall the dated version as described in Uninstalling Ensemble Controller.
b. Install the target version as described in Installing Ensemble Controller.
c. Only if you uninstalled Ensemble Controller in Step 4a:
i. Stop the server as described in Stopping the Ensemble Controller Server.
ii. Restore the database as described in Restoring the Ensemble Controller Database.
iii. Start the server as described in Starting the Ensemble Controller Server.

5. Log in the Ensemble Controller Client to connect to the primary server, and then re-enable
high availability:
a. From the Ensemble Controller application bar Settings menu, select System, and then
High Availability.
b. In the High Availability Setup Wizard, select Enable High Availability, and then click Next.

Changing an Existing Standard High-Availability Configuration

Requirements to Change a Standard High-Availability Configuration 180
Procedure to Change a Standard High-Availability Configuration 181

Requirements to Change a Standard High-Availability Configuration

l This procedure applies only to servers in master or standalone mode except if the master or
primary server fails.

Ensemble Controller R15.3 Administrator Manual - Issue: A 180

Adtran Configuring Ensemble Controller

If the primary server fails, you can use the non-standard method to exchange server roles,
that is, only in case of emergency. For more details about this emergency method, see
Exchanging Server Roles if the Primary Server Fails - Emergency Method Only.
We recommend that you use the safer method, which is to configure high availability only on
a primary server, and then the system automatically sets the secondary server.
l This procedure assumes that the servers currently operate in high-availability mode.
l You cannot change an existing high-availability configuration. Before you can create a new
high-availability configuration, you must disable the previous high-availability configuration.
See Disabling a Standard High-Availability Configuration.

Procedure to Change a Standard High-Availability Configuration

1. From the application bar Settings menu, select System, High Availability. The High Availability
Setup Wizard opens and auto-populates the current settings:

For an existing configuration, you can change the values in the Secondary Server area only
for these fields:

l IP Address
l Port
l ENC user
l ENC password

and the Server Account area fields. All other values are unavailable (appear
dimmed).

Ensemble Controller R15.3 Administrator Manual - Issue: A 181

Adtran Configuring Ensemble Controller

2. Change the values as required, and then click Next. The system tests the new settings. If the
tests succeed, the system stores the settings in the database and the remote server reboots
and synchronizes. For more information about how to test and apply settings, see Applying
and Testing the New Standard High-Availability Configuration.
3. To change the settings of the Primary Server, you must retrieve the default values. Click Get
Defaults.
The Primary Server area fields automatically populate with the default values.
Exchanging Server Roles if the Primary Server Fails - Emergency Method
Only
If you perform the Get Defaults action on a secondary server that is running
in master mode, the local secondary server settings populate the Primary
Server area fields into the wizard.
Consequently, the local secondary server now becomes the primary server.
In this case, you must manually specify a new secondary server for
Ensemble Controller.

4. Click Close to save all changes.

Changing the Ensemble Controller Server Work Mode

You must log in as administrator to change the Ensemble Controller Server
mode.

If you configure a high-availability concept with a primary and secondary Ensemble

Controller Server, and you have administrator rights in the Ensemble Controller Client, you can
change the server work mode between the master and the slave. You can verify the Server
Status in the status bar. The server status shows the server IP address and mode.
If you disabled automatic switchover as described in Enabling or Disabling Automatic
Switchover for Standard High Availability, you must manually change the server mode in these
situations:
l If your Ensemble Controller Client disconnects from the primary server, change the
secondary or standby server to master mode.
l If you need to perform maintenance work on the primary server, change the secondary or
standby server to master mode.
l If the primary server database is corrupt, change the secondary or standby server to master
mode.

l If both servers run in slave mode, change the primary server to master mode.

If you manually perform a changeover after you schedule a software update

for at least one network element, you can cancel the changeover.

Complete these steps to change the work mode of the Ensemble Controller Server.
1. In the Ensemble Controller Settings, select System, and then Change Server Mode.
2. Select the appropriate mode for your server, either Slave or Master.

Ensemble Controller R15.3 Administrator Manual - Issue: A 182

Adtran Configuring Ensemble Controller

3. If you want to make an exact copy of the database and all reports and copy them to the
other server, select Replicate.
If the server database is corrupt, do NOT select Replicate.

4. Click OK to save your changes, or Cancel. The Progress window opens.

a. If necessary, click Abort to stop the changeover.

A confirmation dialog box opens.
–or–
Click Hide so that the Progress window will move to and finish in the background.
b. If you clicked Abort:
In the dialog box, click Yes to stop the changeover.
–or–
Click No, and the changeover will finish.
The message pane displays a related message.

5. After the changeover completes, connect to the new master server.

Enabling or Disabling Automatic Switchover for Standard High

Availability
If you configure standard high availability using a primary and secondary Ensemble
Controller Server, you can enable or disable the automatic switchover to the master mode. This
change might become advantageous if, for example, the servers disconnect from each other.
At that point, the server in slave mode automatically elevates itself to the master mode.

If the high availability-configured servers disconnect from each other, the

Ensemble Controller Clients show a related notification with a delay of one
minute after the connection fails.

You must configure the automatic switchover equally on both the primary and secondary
Ensemble Controller Server.
Complete these steps to enable or disable automatic switchover for standard high availability.
On the primary server:
1. Stop the Ensemble Controller Server as described in Stopping the Ensemble Controller
Server.
2. Use your preferred text editor to open the fnm.properties file located in the Ensemble
Controller installation directory.
3. In the fnm.properties file, edit the property com.adva.fnm.option.automaticSwitchover:
l To enable automatic switchover, type enabled:
com.adva.fnm.option.automaticSwitchover=enabled
l To disable automatic switchover, type disabled:
com.adva.fnm.option.automaticSwitchover=disabled
4. Save and close the fnm.properties file.

Ensemble Controller R15.3 Administrator Manual - Issue: A 183

Adtran Configuring Ensemble Controller

5. Restart the Ensemble Controller Server as described in Starting the Ensemble Controller
Server.

On the secondary server:

6. Repeat this procedure.

Disabling a Standard High-Availability Configuration

The standard high-availability configuration window is available only on the
server that works in master or standalone mode.
If you must disable high availability on the server that works in slave mode,
change the work mode to master as described in Changing the Ensemble
Controller Server Work Mode.

Complete these steps to disable high availability for the master or standalone server.
1. From the Ensemble Controller application bar Settings menu, select System, and then High
Availability.
2. In the High Availability Setup Wizard, clear the Enable High Availability field, and then click
Next.
l If servers work in high-availability mode, the master server stores new settings in the
database, and then populates, synchronizes, and restarts the slave server. Both servers
then work in standalone mode.
l If servers do not work properly in high-availability mode, for example if one of them fails,
but you set high availability, you must separately clear the Enable High Availability field
for each server. The High Availability information window Description area shows the
status Finished with errors.

Streaming Replication High Availability

General Information 184
Installation Requirements 191
Installation Software 194
Installation Overview 194
Maintaining Streaming Replication High Availability 198

General Information
The Three-Node Cluster Concept 185
Primary and Standby Server Coordination 185
Resilience to Outages 186
Dividing a Cluster in Availability Zones 186
Server-Mode Switchover Behavior for the Streaming Replication High Availability 187

Ensemble Controller R15.3 Administrator Manual - Issue: A 184

Adtran Configuring Ensemble Controller

Comparing the Primary-to-Standby Server Activity 187

Effects of nmsadmin Operations on the Primary and Standby Server 189

The Three-Node Cluster Concept

The streaming replication high-availability version requires two Ensemble Controller Servers
(ENC Servers) and at least one more server that hosts the distributed configuration store (DCS).
The ENC Servers operate in a primary-standby concept with assistance from the DCS quorum
server to provide resilience to outages.
Figure 12: Streaming Replication High Availability - Three-Node Cluster Concept

The ENC Servers also host a DCS instance each that the system uses for reliable cross-cluster
configuration data storage, quorum determination, and leader election.

Primary and Standby Server Coordination

The Ensemble Controller Servers coordinate to elect the leader, which will function as the
primary server. The non-leader will function as the standby server and will not become fully
active until a switchover happens. The primary server has full read-and-write access to its
database whereas the standby server cannot write to its database because it receives a
consistent stream of updates from the primary server.
After an initial synchronization of the entire database, the standby database (DB) uses the
PostgreSQL asynchronous streaming replication to incrementally synchronize with the primary
database.

Ensemble Controller R15.3 Administrator Manual - Issue: A 185

Adtran Configuring Ensemble Controller

Resilience to Outages
Server Outages 186
Network Outages 186

Server Outages
If the primary server experiences an outage, the system automatically starts to coordinate
amongst the remaining cluster members to change to a different server to become the new
primary. While the system changes to the new primary server, the Ensemble Controller Clients
might be unable to connect to any servers until they recognize the new primary server.
Even if the failed server becomes operative again, the system does not change back and the
current primary server remains in this position.
If required, you can disable the automatic switchover feature, which makes the system to not
change servers automatically when an outage occurs. You must then change servers
manually. For information, see the appropriate topic:
l Enabling or Disabling Automatic Switchover for Streaming Replication High Availability
l Initiating a Server Work Mode Switchover

Network Outages
The system is designed to ensure that only one server is running as Primary at any point in time
even if network problems prevent the servers from communicating fully with each other. They
might assume that the other server is down and both could attempt to become Primary.
Commonly this is known as the split-brain problem and the streaming replication high-
availability solution uses the DCS cluster to determine whether a quorum that is, the majority of
nodes, is still in communication. If so, then the Primary will consistently be elected with the
quorum-side of the cluster.
In the rare case that all machines become isolated, none will participate in a quorum and no
Primary will be elected. In this case, we recommend resolving the network partition to allow the
quorum to be determined correctly. If this is not be possible and multiple failures occur that you
cannot easily resolve, you can run the cluster in a single-server mode as described in Enabling
the Single-Server Mode.

Dividing a Cluster in Availability Zones

An availability zone is commonly defined as a distinct location that is insulated from failures in
other availability zones, and provides sufficient, low-latency, high-bandwidth network
connectivity to servers in other availability zones. We further recommend to use a redundant
network interconnect between availability zones.
Situate the servers or virtual machines in different availability zones so that a disaster or power
outage in one zone does not impact the correct operation of the servers in other zones.
You can have multiple availability zones within a single data center if power distribution and
network communication are diverse from other nodes of the cluster within the same data
center.
For more information about bandwidth and latency parameter requirements to support the
communication within availability zones in a streaming replication high-availability
configuration, see Installation Requirements.

Ensemble Controller R15.3 Administrator Manual - Issue: A 186

Adtran Configuring Ensemble Controller

Server-Mode Switchover Behavior for the Streaming Replication

High Availability
If the primary Ensemble Controller Server stops working or is partitioned from the quorum side
of the cluster, these results occur:
l If you have enabled automatic switchover, the standby Ensemble Controller Server
automatically:
o Becomes the primary.
o Reconfigures its PostgreSQL database as the primary.
o Completes initialization and starts managing the network.
l If you have disabled automatic switchover, your administrator must trigger a switchover to
the standby node to allow it to become primary.
l Ensemble Controller Clients detect the situation and offer to reconnect to the next available
primary. As a switchover can take some time, the client can not immediately be able to
connect.
l Thereafter, when the prior primary returned to service, it is configured as the standby.

For information about how to enable or disable automatic switchover, see Enabling or Disabling
Automatic Switchover for Streaming Replication High Availability.
For information about how to manually initiating a switchover, see Initiating a Server Work Mode
Switchover.

Comparing the Primary-to-Standby Server Activity

This table provides an overview of Ensemble Controller features in a streaming replication high-
availability configuration and whether these features are activated or disabled on the primary
and standby servers.

Ensemble Standard Operation After Switchover: Failure Case

Controller Feature Environment

Active on Active on the Active on the Active on the

the Primary Standby Standby Primary Server
Server on Server on Server on on Node B
Node A Node B Node A

Trap reception and Yes No No Yes

processing

Event forwarding Yes No No Yes

through SNMP to
OSS

CSV event Yes No No Yes

reporting

Ensemble Controller R15.3 Administrator Manual - Issue: A 187

Adtran Configuring Ensemble Controller

Ensemble Standard Operation After Switchover: Failure Case

Controller Feature Environment

Active on Active on the Active on the Active on the

the Primary Standby Standby Primary Server
Server on Server on Server on on Node B
Node A Node B Node A

Event notification Yes No No Yes

through email,
script, or an
Internet Control
Message Protocol
(ICMP) message

Scheduled Yes No No Yes

performance
monitoring data
collection

Scheduled Yes No No Yes

performance
monitoring data
comma-
separated values
(CSV) file reporting

Scheduled Yes No No Yes

inventory report

Scheduled service Yes No No Yes

inventory report

Scheduled backup Yes No No Yes

of the network
element
configuration

Processing Yes No No Yes

incoming Multi-
Technology
Operations
Systems Interface
(MTOSI) requests

Scheduled Yes No No Yes

database backup

Streaming Yes N/A N/A Yes

replication to
Standby

Ensemble Controller R15.3 Administrator Manual - Issue: A 188

Adtran Configuring Ensemble Controller

Effects of nmsadmin Operations on the Primary and Standby

Server
The nmsadmin script that Ensemble Controller stores in the installation directory, is available on
both the primary and standby servers. The behavior can slightly vary between servers as
described in this table:

Option Primary Standby Description

[A] Thread Dump Yes Yes Shows threads of the local server.

[B] Shutdown Yes Yes Shuts down the local server.

Server

[C] Monitor Yes Yes Monitors the log on the local server.
Server Log

[D] SNMP Yes No Only applicable on the primary server.

detailed NE data

[E] Backup Yes Yes Backs up the configuration files of the

Config Files local server.

[F] Machine Yes Yes Shows the machine architecture of the

Architecture local server.

[G] ENC Info Yes Yes Shows Ensemble Controller common

information although it is retrieved from
the database on the local server.

[H] System Yes Yes Includes system and database

Health Report information of the local server.
l If you run this option on the primary, it
includes a copy of the master
database.
l If you run this option on the standby, it
includes a copy of the standby
database.

[I] Display Yes No Shows configurable, internal metrics and

RapidTerm counters from the Ensemble Controller
Monitor'g State Server. Only available on the primary
server.

[J] Backup Yes No

Database

[K] Reinitialize Yes No

Database

Ensemble Controller R15.3 Administrator Manual - Issue: A 189

Adtran Configuring Ensemble Controller

Option Primary Standby Description

[L] Restore Yes No

Database
Backup

[M] Machine Yes Yes Shows resources of the local server.

Resources

[N] Start Rapid Yes No Starts monitoring on the primary

Term Monitoring Ensemble Controller Server.

[O] Bundle Log Yes Yes Bundles logs of the local server.
Files

[P] Process Yes Yes Shows the process status of the local
Status server.

[Q] Query DB Yes Yes Performs queries against the local

database, which might be the
standby/replica.

[R] Reset Yes No Resets the application password on the

Application primary server.
Password

[S] Start Server Yes Yes Starts the local server processes.

[T] Remove Log Yes Yes Removes log files from the local server.
Files

[U] Stop Rapid Yes No Stops monitoring on the primary

Term Monitoring Ensemble Controller Server.

[V] Exit Yes Yes Exits the utility.

[W] On Demand Yes No Shows on-demand internal metrics and

Monitoring counters from the Ensemble Controller
Server. Only available on the primary
server.

[X] Synchronize Yes No Synchronizes the database secondary

Cache cache on the primary server.

Ensemble Controller R15.3 Administrator Manual - Issue: A 190

Adtran Configuring Ensemble Controller

Option Primary Standby Description

[Y] Change Yes No This option changes the PostgreSQL

Database password and the content of
Password dbaccess.txt file on the local server.
To provide a cluster-wide change, you
must manually copy the dbaccess.txt file
to the standby server, and then restart
the server. See Changing an Existing
Streaming Replication High-Availability
Configuration for the recommended
sequence to change a working cluster.

[Z] Heap Dump Yes Yes Shows the heap dump for the local
server.

Installation Requirements

Area Requirement Description

Supported You can install the streaming replication high-availability solution

Operating Systems only on servers that run Red Hat Enterprise Linux (RHEL) operating
system versions 7.8, 7.9, 8.6 and 8.8.

Linux packages Install these Linux packages on all three servers using the yum
package management tool or source code:
l Python 3.6.8 or later compatible version.
l OpenSSL 1.0.2 or later compatible version. You can preinstall
OpenSSL on RHEL in various versions. To verify which version the
system currently uses, type: "openssl version". Make sure that all
servers have an installed, compatible OpenSSL version.

Server IP Addresses Create a cluster plan that identifies the IP addresses or host names of
Overview the three required servers, which can be physical hardware or virtual
machines. For information about servers required for streaming
replication high availability, see The Three-Node Cluster Concept.

Server Time Verify that the cluster servers use NTP or equivalent to synchronize
Synchronization their system time with an external source. A time deviation greater
than 0.8 seconds between the servers can result in the streaming
replication high-availability feature to operate incorrectly.

Ensemble Controller R15.3 Administrator Manual - Issue: A 191

Adtran Configuring Ensemble Controller

Area Requirement Description

Availability Zones In the event of a power outage, to avoid negatively impacting correct
server operation in other zones, situate servers or virtual machines in
different availability zones. Ideally, configure a protected network
between availability zones to minimize the effect of network partitions
on cluster operation. See Dividing a Cluster in Availability Zones.
The communication network between data centers or availability
zones must have sufficient bandwidth and latency parameters.
These requirements are necessary to support the communication
requirements for the streaming replication high-availability solution.
The requirements on network capacity varies with system size and
usage. We recommend this minimum connectivity for small or extra
large systems:

Table 9: Availability Zone Connectivity Requirements

Connectivity Parameters Small Extra Large
Systems Systems

Maximum Latency 500 ms 400 ms

Minimum Bandwidth 1 Mbps 2 Mbps

Hardware Server Use an appropriately sized hardware server (S/M/L/XL) to host the
Size Ensemble Controller Servers.

DCS Quorum The distributed configuration service (DCS) quorum server supports
Server Deployment these deployment options:
Options l Installation on a dedicated hardware server.
To minimize cost, we recommend that you use a class S server.
l Installation on a virtual machine.
The virtual machine can share physical hardware resources with
components from other clusters. Any virtual machines you use
within the same cluster must also follow the Availability Zone
Connectivity Requirements. See Dividing a Cluster in Availability
Zones.
l Installation on an existing infrastructure server.
You can use an available hardware server that you already use for
other infrastructure services such as a file server, authentication
server, and so on. Verify that this existing server has sufficient
resources and appropriate network connectivity to adequately
run the DCS component.

Ensemble Controller R15.3 Administrator Manual - Issue: A 192

Adtran Configuring Ensemble Controller

Area Requirement Description

Required TCP Ports to Ports for the primary and standby servers:
be Open l 2379

l 2380

l 5432

l 8008

The ports for the quorum server depend on the number of pairs or
clusters that the server manages. One quorum server can manage
several clusters. The ports differ accordingly as follows:
Table 10: Overview of Quorum Server Ports
Cluster Quorum Server Ports
Number
Port 1 Port 2

Cluster 1 12379 12380

Cluster 2 22379 22380

Cluster 3 32379 32380

Cluster 4 33379 33380

Cluster 5 34379 34380

Cluster 6 35379 35380

Cluster 7 36379 36380

Cluster 8 37379 37380

Cluster 9 38379 38380

Cluster 10 39379 39380

For information about how to open these ports, see Steps to Installing
Ensemble Controller in Linux, especially For Red Hat Enterprise Linux 7.x
and 8.x.

Required Licenses You need these licenses:

l 2 of each basic license.
l 2 of the feature license for ENC-HA-STREAM.
l 2 of any other feature license to use with the Ensemble Controller
Server.
l 2 of each connection license in various sizes.

Ensemble Controller R15.3 Administrator Manual - Issue: A 193

Adtran Configuring Ensemble Controller

Installation Software
The streaming replication high-availability software is a separate package named HA_
Stream_for_Linux-vXX.X.X-SNAPSHOT.tgz that is included in the core Ensemble Controller
installation package.
After you extract the streaming replication high-availability software, the system creates a new
ha-stream directory to avoid any overlap or conflict with other optional packages.
The extracted files include the install-ha-stream installer script that helps to install the
streaming replication high-availability software on each server in the three-node cluster in a
specific sequence that you must follow. For more information about the sequence, see
Installation Overview.

Installation Overview
Complete these steps to install the streaming replication high-availability software on each
server in the three-node cluster in this specific sequence. Some of the steps include links to
more detailed instructions if required.
1. Configure the server that you intend to use for the primary Ensemble Controller. See
Installing and Configuring the Intended Primary Ensemble Controller Server for detailed
instructions.
2. Configure the server that you intend to use as the quorum server that only hosts the
distributed configuration service (DCS). See Installing and Configuring the Intended DCS
Quorum Server for detailed instructions.
3. Configure the server that you intend to use for the standby Ensemble Controller. See
Installing and Configuring the Intended Standby Ensemble Controller Server for detailed
instructions.
4. After you configured all required servers (Step 1 to 3), wait for the cluster to become fully
operational. To verify whether the cluster completed synchronization between the primary
and the standby Ensemble Controller Servers, you can use either option:
l From the Ensemble Controller installation bin directory, run the nmsadmin script, and
then type the option number for Steaming Replication HA Cluster Status.
–or–
l From the Ensemble Controller application bar Settings menu, select System, and then
Streaming Replication HA Status. The Streaming Replication High Availability Cluster
Status dialog box opens.
5. To secure the cluster and prevent access from servers other than the cluster members,
complete these steps:

a. Log into each cluster member that is, the primary, the quorum, and the standby server
one at a time, and open the Linux CLI.
b. Type the command iptables -I INPUT ! --src <cluster member IP> -m tcp -p
tcp --dport 5432 -j DROP, once for each cluster member. The command closes the
PostgreSQL database port for all servers that are not part of the cluster.

For example, if your cluster members have these IPs, type the commands as shown:

Ensemble Controller R15.3 Administrator Manual - Issue: A 194

Adtran Configuring Ensemble Controller

Primary 10.143.170.99

Quorum 10.143.170.100

Standby 10.143.170.101

On the primary server:

iptables -I INPUT ! --src 10.143.170.99 -m tcp -p tcp --dport 5432 -j
DROP
iptables -I INPUT ! --src 10.143.170.100 -m tcp -p tcp --dport 5432 -j
DROP
iptables -I INPUT ! --src 10.143.170.101 -m tcp -p tcp --dport 5432 -j
DROP
On the quorum server:
iptables -I INPUT ! --src 10.143.170.99 -m tcp -p tcp --dport 5432 -j
DROP
iptables -I INPUT ! --src 10.143.170.100 -m tcp -p tcp --dport 5432 -j
DROP
iptables -I INPUT ! --src 10.143.170.101 -m tcp -p tcp --dport 5432 -j
DROP
On the standby server:
iptables -I INPUT ! --src 10.143.170.99 -m tcp -p tcp --dport 5432 -j
DROP
iptables -I INPUT ! --src 10.143.170.100 -m tcp -p tcp --dport 5432 -j
DROP
iptables -I INPUT ! --src 10.143.170.101 -m tcp -p tcp --dport 5432 -j
DROP
c. Make sure to add these commands to all servers that are part of the cluster.

6. (Optional) To finalize the procedure, test a subset of switchover and fault handling
scenarios, for example:
l Initiating a Server Work Mode Switchover
l Stopping the Ensemble Controller Server
l Starting the Ensemble Controller Server
For all these operations, you can use the nmsadmin script located in the Ensemble
Controller installation bin directory.

If you install the streaming replication high-availability software the postgres

settings are reset to default values.

Ensemble Controller R15.3 Administrator Manual - Issue: A 195

Adtran Configuring Ensemble Controller

Installing and Configuring the Intended Primary Ensemble

Controller Server
Requirements to Install and Configure the Intended Primary Ensemble Controller Server 196
Procedure to Install and Configure the Intended Primary Ensemble Controller Server 196

Requirements to Install and Configure the Intended Primary Ensemble

Controller Server
l You meet the Installation Requirements to install and configure a streaming replication high
availability cluster.
l You are acquainted with and follow the required sequence as described in Installation
Overview to configure the servers in a three-node cluster that you need for streaming
replication high availability.

Procedure to Install and Configure the Intended Primary Ensemble

Controller Server
1. Log in the server that you intend to use as the primary server, and then install Ensemble
Controller as described in Installing Ensemble Controller. The Ensemble Controller
installation package includes the optional software package for streaming replication high
availability.
2. In the Ensemble Controller installation directory, extract the HA_Stream_for_Linux-vXX.X.X-
SNAPSHOT.tgz streaming replication high-availability software package. The extracted files
include the install-ha-stream installer script for streaming replication high availability. For
more information, see Installation Software.
3. Run install-ha-stream.
4. Type 1 to select Install a first HA host, and then complete the installer command requests
that follow.

Ensemble Controller R15.3 Administrator Manual - Issue: A 196

Adtran Configuring Ensemble Controller

The values in square brackets are suggestions for what you can type. If the bracket includes
only one suggestion, you can press Enter to accept the suggested value without having to
type it and continue.
5. Proceed with Installing and Configuring the Intended DCS Quorum Server.

Installing and Configuring the Intended DCS Quorum Server

See these topics for instructions about how to install and configure the intended distributed
configuration service (DCS) quorum server:

Requirements to Install and Configure the Intended DCS Quorum Server 197
Procedure to Install and Configure the Intended DCS Quorum Server 197

Requirements to Install and Configure the Intended DCS Quorum Server

l You meet the Installation Requirements to install and configure a streaming replication high
availability cluster.
l You already configured the intended primary Ensemble Controller Server as described in
Installing and Configuring the Intended Primary Ensemble Controller Server. If not, become
acquainted with and follow the required sequence to configure the servers in a three-node
cluster that you need for streaming replication high availability as described in Installation
Overview.

Procedure to Install and Configure the Intended DCS Quorum Server

1. Log in the server that you intend to use as the quorum server, and then extract the HA_
Stream_for_Linux-vXX.X.X-SNAPSHOT.tgz streaming replication high-availability software
package. The extracted files include the install-ha-stream installer script for streaming
replication high availability. For more information, see Installation Software.
2. Run install-ha-stream.
3. Type 3 to select Install a quorum host, and then complete the installer command requests
that follow.
The values in square brackets are suggestions for what you can type. If the bracket includes
only one suggestion, you can press Enter to accept the suggested value without having to
type it and continue.
4. Proceed with Installing and Configuring the Intended Standby Ensemble Controller Server.

Installing and Configuring the Intended Standby Ensemble

Controller Server
Requirements to Install and Configure the Intended Standby Ensemble Controller Server 197
Procedure to Install and Configure the Intended Standby Ensemble Controller Server 198

Requirements to Install and Configure the Intended Standby Ensemble

Controller Server
l You meet the Installation Requirements to install and configure a streaming replication high
availability cluster.

Ensemble Controller R15.3 Administrator Manual - Issue: A 197

Adtran Configuring Ensemble Controller

l You already configured the intended DCS quorum server as described in Installing and
Configuring the Intended DCS Quorum Server. If not, become acquainted with and follow the
required sequence to configure the servers in a three-node cluster that you need for
streaming replication high availability as described in Installation Overview.

Procedure to Install and Configure the Intended Standby Ensemble

Controller Server
1. Log in the server that you intend to use as the standby server, and then install Ensemble
Controller as described in Installing Ensemble Controller. The Ensemble Controller
installation package includes the optional software package for streaming replication high
availability.
2. In the Ensemble Controller installation directory, extract the HA_Stream_for_Linux-vXX.X.X-
SNAPSHOT.tgz streaming replication high-availability software package. The extracted files
include the install-ha-stream installer script for streaming replication high availability. For
more information, see Installation Software.
3. Run install-ha-stream.
4. Type 2 to select Install a standby HA host, and then complete the installer command
requests that follow.
The values in square brackets are suggestions for what you can type. If the bracket includes
only one suggestion, you can press Enter to accept the suggested value without having to
type it and continue.
5. Verify that you completed all the sequential steps in Installation Overview that you require to
finalize the streaming replication high-availability configuration. If not, complete remaining
steps.

Maintaining Streaming Replication High Availability

Checking the Cluster Status 198
Pausing or Resuming the Streaming Replication High-Availability Control 199
Changing an Existing Streaming Replication High-Availability Configuration 200
Enabling the Single-Server Mode 200
Upgrading Streaming Replication High Availability 201
Updating High Availability Stream Package 203
Enhancing the Database Password Encryption Security 204
Initiating a Server Work Mode Switchover 207
Enabling or Disabling Automatic Switchover for Streaming Replication High Availability 208
Reverting to a Non-Resilient Configuration or Disabling Streaming Replication High
Availability 208

Checking the Cluster Status

You can verify the status for:
l The servers included in the cluster
l The overall cluster

Ensemble Controller R15.3 Administrator Manual - Issue: A 198

Adtran Configuring Ensemble Controller

l The replication
l The last switchover

To verify the status, use either option:

l From the Ensemble Controller installation bin directory, run the nmsadmin script, and then
type the option number for Steaming Replication HA Cluster Status.
–or–
l From the Ensemble Controller application bar Settings menu, select System, and then
Streaming Replication HA Status. The Streaming Replication High Availability Cluster Status
dialog box opens. To refresh the dialog box with the latest data from the database, close and
re-open it.
l Verify the Server Status in the Ensemble Controller status bar.

Pausing or Resuming the Streaming Replication High-Availability

Control
To perform manual maintenance operations, you can temporarily pause the automatic control
of the cluster. This setting is not persistent and will clear if the cluster restarts.

To pause the cluster control can impair the automatic capabilities of the
streaming replication high availability feature. Only use it with specific
procedures or when the Adtran Technical Support recommends it.

If you pause the cluster control:

l Cluster monitoring continues, but automatic control features are paused.
l Automatic switchover is disabled and automatic switchovers will not occur.
l There is no automatic read-only mode when the DCS is not accessible.
l Manual switchover is still possible.
l The pause mode affects all servers included in the cluster. The servers are not changed to the
pause mode simultaneously. Therefore, it might take a moment until all servers change.

Complete these steps to pause the cluster control either on the primary or standby Ensemble
Controller Server. To resume the cluster control, see Step 3.
1. On the relevant server, from the Ensemble Controller installation bin directory, run the
nmsadmin script.
2. To start the option [3] Pause HA Control, type 3, and then press Enter.
Ensemble Controller Pause HA Control...
HA control is paused.
Press any key to continue . . .

To resume cluster control:

3. To start the option [4] Resume HA Control, type 4, and then press Enter.
Ensemble Controller Resume HA Control...
HA control is resumed.
Press any key to continue . . .

Ensemble Controller R15.3 Administrator Manual - Issue: A 199

Adtran Configuring Ensemble Controller

Changing an Existing Streaming Replication High-Availability

Configuration
Complete these steps to update the PostgreSQL credentials for a deployed streaming
replication high-availability cluster.
1. Log in to the server that hosts the primary Ensemble Controller Server, and then pause the
cluster control as described in Pausing or Resuming the Streaming Replication High-
Availability Control.
2. From the Ensemble Controller installation bin directory, run the nmsadmin script.
3. To change the password on the primary server, type Y to select Change Database
Password. The primary core server restarts (no switchover). After the restart, the system
automatically deactivates the pause mode.
4. On the primary Ensemble Controller Server, restart PostgreSQL and its monitoring
component (systemctl restart patroni) to activate the server with the new credentials.
l This restart will not cause a switchover because by now, PostgreSQL on the standby
server will be unable to access its database from the password change.
l It impairs replication temporarily because the standby server is not authenticated using
the new password.
5. Log in to the standby Ensemble Controller Server, and then copy the updated dbaccess.txt
file to the correct location.
6. On the standby Ensemble Controller Server, restart PostgreSQL and its monitoring
component (systemctl restart patroni). This restart will cause the server to use the new
credentials. Replication re-establishes and incrementally synchronizes.

Enabling the Single-Server Mode

If neither the primary nor the standby server can reliably determine quorum, for example
because of multiple failures, they will deactivate themselves rather than risk a multi-master
database situation. It is preferable to restore complete system functions by resolving the
underlying root cause, which allows proper quorum determination. However, in some cases this
repair can not be possible in a timely manner. To safeguard the system operation in this
situation, you can manually bring one Ensemble Controller instance up, as a standalone
primary server.
After you enable the single-server mode, some streaming replication high-availability features
might not be available:
l Monitoring components for failures.
l Switchover.
l The cluster-status display.
l Transient events for high availability.
l Alarms related to high availability clear and re-instate if the system still does not operate
correctly after you enable high availability again.

Complete these steps to enable the single-server mode on one of the servers in the cluster that
you consider most stable.

Ensemble Controller R15.3 Administrator Manual - Issue: A 200

Adtran Configuring Ensemble Controller

1. Stop nms service – systemctl stop fnmserver.

2. Stop and disable patroni service – systemctl stop patroni ; systemctl disable patroni.
3. Stop and disable Etcd service – systemctl stop etcd.<name of your etcd cluster> ; systemctl
disable etcd.<name of your etcd cluster>
4. Backup current configuration files without overwriting existing backups made by patroni at
bootstrapping.
5. Overwrite current configuration with Patroni-made backups.
6. Start and enable PostgreSQL service – systemctl start postgres ; systemctl enable postgres.
7. Promote PostgreSQL server to master if it previously was a slave - pg_ctl promote -D <path
to postgres data> ; as a postgres user.
8. In the fnm.properties file, remove this property:
com.adva.nlms.mediation.ha-stream.enabled
9. Restart fnm service – systemctl start fnmserver.

Upgrading Streaming Replication High Availability

This section describes how to upgrade to a newer streaming replication high availability
version. The procedure also involves an update of Ensemble Controller and other software such
as PostgreSQL, Patroni, etcd, and so on.
Any scripts that you require to complete this procedure are included in the separate HA_
Stream_for_Linux-vXX.X.X-SNAPSHOT.tgz package within the core Ensemble Controller
installation package.
Complete these steps carefully:
1. Make sure you can reach the servers that host the primary and standby Ensemble Controller
Servers, and the quorum server.
2. Verify the status of the primary and standby Ensemble Controller Servers as described in
Checking the Cluster Status. The replication and overall cluster must have the status Normal.
Use the status also to become acquainted with the server roles and distinguish the primary
from the standby server.
------------
3. On the server that hosts the quorum Ensemble Controller Server, update High Availability
stream package as described in Updating High Availability Stream Package.
4. On the server that hosts the standby Ensemble Controller Server, complete these steps:

a. Run the server_fallback.sh script with super-user privileges:

sudo ./server_fallback.sh
b. Update High Availability stream package as described in Updating High Availability
Stream Package.
c. Upgrade the Ensemble Controller Server as described in Upgrading Ensemble Controller.
d. At the end of the installation procedure, when the system asks you whether you want to
run the server, type y for yes. Wait for the server to completely restart.
e. After the restart completes, run the server_restore.sh script with super-user privileges:

Ensemble Controller R15.3 Administrator Manual - Issue: A 201

Adtran Configuring Ensemble Controller

sudo ./server_restore.sh
------------

Here is the last moment to stop the procedure and undo the changes -
downgrade and restart standby and quorum server. After proceeding to
the next step, you have to complete the procedure without going back.

5. On the server that hosts the primary Ensemble Controller Server, complete these steps:

a. Turn off these services:

l sudo systemctl stop fnmserver
l sudo systemctl stop patroni
l sudo systemctl disable postgres

b. Update High Availability stream package as described in Updating High Availability

Stream Package.
c. Upgrade the Ensemble Controller Server as described in Upgrading Ensemble Controller,
however without starting it.
d. At the end of the installation procedure, when the system asks you whether you want to
run the server, type n for no.
e. Run the server_master.sh script with super-user privileges:
sudo ./server_master.sh
------------

6. On the server that hosts the standby Ensemble Controller Server, complete these steps.
Work with the utmost caution while you use the Patroni software in the
subsequent steps.

a. Run this command with super-user privileges:

<nms-home-directory>/fsp_nm/ha/venv/bin/patronictl -c <nms-home-
directory>/fsp_nm/ha/postgres.yml remove <cluster-name>
l The <nms-home-directory> attribute is the Ensemble Controller installation directory.
The default is /opt/adva.
l You can verify the <cluster-name> attribute using the nmsadmin script as described
in Checking the Cluster Status. The default is ha-stream.
For example, the complete command might look as follows:
sudo /opt/adva/fsp_nm/ha/venv/bin/patronictl -c /opt/adva/fsp_
nm/ha/postgres.yml remove ha-stream
Type the commands with reasonable care in the subsequent steps. Any
typographical error causes the procedure to fail.

Ensemble Controller R15.3 Administrator Manual - Issue: A 202

Adtran Configuring Ensemble Controller

The system presents this cluster table:

b. Locate the line that starts with Please confirm [...], and then type the correct cluster name,
which also displays in the table Cluster column. The default is ha-stream.
c. Locate the line that starts with You are about [...], and then type Yes I am aware
d. Locate the line that starts with This cluster currently [...], and then type the primary
Ensemble Controller Server member name, which also displays in the table Member
column. The primary Ensemble Controller Server has the Leader role as the Role column
in the table shows.
e. Run this command with super-user privileges:
<nms-home-directory>/fsp_nm/ha/venv/bin/patronictl -c <nms-home-
directory>/fsp_nm/ha/postgres.yml list <cluster-name>
For example:
sudo /opt/adva/fsp_nm/ha/venv/bin/patronictl -c /opt/adva/fsp_
nm/ha/postgres.yml list ha-stream
f. Verify the cluster table. If the table has not changed and shows the exact information as
before in Step 6a, for example the same Leader, or rows, rerun this list command, and
then verify the table once more:
<nms-home-directory>/fsp_nm/ha/venv/bin/patronictl -c <nms-home-
directory>/fsp_nm/ha/postgres.yml list <cluster-name>
If the table still shows no changes, repeat all of Step 6.
------------

7. On the server that hosts the primary Ensemble Controller Server, turn on these services:
l sudo systemctl start patroni
l sudo systemctl start fnmserver
------------

8. Verify the primary and standby Ensemble Controller Server status whether they kept their
role as described in Checking the Cluster Status. If required, you can do a role switchover as
described in Initiating a Server Work Mode Switchover.
9. If you upgraded your streaming replication high availability version to 13.3 or later, make sure
to enhance the database password encryption algorithm. Continue with the steps
described in Enhancing the Database Password Encryption Security.

Updating High Availability Stream Package

Complete these steps to update High Availability (HA) Stream Package:
1. Unzip new HA Stream package for Linux, for example:
tar -zxvf HA_Stream_for_Linux-vXX.X.X-SNAPSHOT.tgz
System will create "ha-stream" folder.

Ensemble Controller R15.3 Administrator Manual - Issue: A 203

Adtran Configuring Ensemble Controller

2. Run the install.sh installation script with super-user privileges, for example:
sudo ./install-ha-stream.sh
3. Type:
l 5 - if you want to update HA package on the first or standby HA host.
l 6 - if you want to update HA package on the quorum host.

4. Type Y and press enter.

Enhancing the Database Password Encryption Security

After you upgrade your streaming replication high availability version to 13.3 or later as
described in Upgrading Streaming Replication High Availability, you must enhance the
database password encryption algorithm from the potentially insecure MD5 to the secure
SHA256.

This password security enhancement is an obligatory step. If you miss it,

Ensemble Controller and the streaming replication high availability
configuration are inoperable.

With a clean installation to 13.3 or later, which means that any previous version does not exist on
the system, the database password is already configured to use the SHA256 encryption
algorithm.
See one of these sections according to the version you upgraded, and then complete the steps
to enhance the password security:

Any 13.x Version Upgraded to 13.3 or Later 204

Any Supported Version Before 13.1 Upgraded to 13.3 or Later 207

Any 13.x Version Upgraded to 13.3 or Later

On the server that hosts the primary Ensemble Controller Server, complete these steps:

Ensemble Controller R15.3 Administrator Manual - Issue: A 204

Adtran Configuring Ensemble Controller

1. To add a valid password:

a. Open the postgres.yml file from here: /opt/adva/fsp_nm/ha/postgres.yml

b. In the restapi area, password field, change none to NeverChange as shown here:

2. To add password encryption:

a. Run this command:

sudo /opt/adva/fsp_nm/ha/venv/bin/patronictl -c /opt/adva/fsp_
nm/ha/postgres.yml edit-config

b. After the lc_time parameter, in a new line, add:

password_encryption: scram-sha-256

Ensemble Controller R15.3 Administrator Manual - Issue: A 205

Adtran Configuring Ensemble Controller

3. To reload Patroni, type this command:

sudo /opt/adva/fsp_nm/ha/venv/bin/patronictl -c /opt/adva/fsp_
nm/ha/postgres.yml reload <cluster-name>

The default <cluster-name> is ha-stream, which you can change if required, for example:
sudo /opt/adva/fsp_nm/ha/venv/bin/patronictl -c /opt/adva/fsp_
nm/ha/postgres.yml reload ha-stream

While Patroni reloads, the system automatically performs a switchover that is, the primary
server turns into the standby server, and the other way around.
4. Log into the server that now hosts the primary server. The root and Adtran user passwords
currently use the MD5 encryption algorithm.

Ensemble Controller R15.3 Administrator Manual - Issue: A 206

Adtran Configuring Ensemble Controller

5. To enhance the passwords to use SHA256, run the nmsadmin script file located here:
/opt/adva/fsp_nm/bin/nmsadmin.sh
l To enhance the Adtran user password:

a. Type Y, which starts the Change Database Password option.

b. Type a new password as requested.
c. Type V to exit the script.
After you change the password in the nms home directory /opt/adva/fsp_nm, the
dbaccess.txt file displays.
d. Copy the dbaccess.txt file to the server that now hosts the standby server.

l To enhance the root user password:

a. Type Q, which starts the Query DB option.

fnm-#
b. Type this command:
alter user root with password ‘new_password_here’;

Specify the new password by replacing new_password_here, for example:

alter user root with password ‘MyNewPassword#123’;

c. Type exit to exit the Query DB option.

d. Type V to exit the script.

Any Supported Version Before 13.1 Upgraded to 13.3 or Later

The Adtran user password currently uses the MD5 encryption algorithm. The root user password
by default uses SHA256 already. On the server that hosts the primary Ensemble Controller
Server, complete these steps to enhance the Adtran password to also use the SHA256
algorithm.
1. Run the nmsadmin script file located here: /opt/adva/fsp_nm/bin/nmsadmin.sh
2. Type Y, which starts the Change Database Password option.
3. Type a new password as requested.
4. Type V to exit the script.
After you change the password in the nms home directory /opt/adva/fsp_nm, the
dbaccess.txt file displays.
5. Copy the dbaccess.txt file to the server that hosts the standby server.

Initiating a Server Work Mode Switchover

You can apply a server work mode switchover manually even if you enabled automatic
switchover. This can be needed for testing, maintenance, upgrades, or other activities.

Ensemble Controller R15.3 Administrator Manual - Issue: A 207

Adtran Configuring Ensemble Controller

Furthermore, if you disabled automatic switchover as described in Enabling or Disabling

Automatic Switchover for Streaming Replication High Availability, you must manually change
the server mode in these situations:
l If your Ensemble Controller Client disconnects from the primary server, change the
secondary or standby server to master mode.
l If you need to perform maintenance work on the primary server, change the secondary or
standby server to master mode.
l If the primary server database is corrupt, change the secondary or standby server to master
mode.

Complete these steps to manually change the primary or secondary Ensemble Controller
Server work mode:
1. Identify and log in to the server where you will trigger the switchover.
l If both primary and standby are up and operating normally, you can trigger the
switchover from either server.
l If the primary is down or unreachable, you can trigger a switchover from the standby
server.
2. On the relevant server, from the Ensemble Controller installation bin directory, run the
nmsadmin script.
3. To start the option [2] Perform HA Switchover, type 2, and then press Enter.
Ensemble Controller HA Switchover...
Switch current primary <ip-address> to: <ip-address> [Y/N]:
4. Type y to confirm the command. After you type y, this message displays:
Switchover initiated; use "HA Cluster Status" to see status during
switchover.
Press any key to continue . . .
–or–
Type n to cancel the operation.
5. To see the status for this operation, type the appropriate option number for HA Cluster
Status.

Enabling or Disabling Automatic Switchover for Streaming

Replication High Availability
In the fnm.properties file that Ensemble Controller stores in the installation directory, edit the
property com.adva.nlms.mediation.ha-stream.automatic-switchover. Make sure that you set
the same property values on both the primary and standby server.

Reverting to a Non-Resilient Configuration or Disabling

Streaming Replication High Availability
Requirement to Revert to a Non-Resilient Configuration 209
Procedure to Revert to a Non-Resilient Configuration 209

Ensemble Controller R15.3 Administrator Manual - Issue: A 208

Adtran Configuring Ensemble Controller

Requirement to Revert to a Non-Resilient Configuration

l You have installed and operated a three-node cluster for the streaming replication high-
availability solution.
l You are aware that you downgrade your system to a non-resilient configuration and disable
streaming replication high availability.
l After you complete this procedure, be aware that the remaining Ensemble Controller Server
is the one that used to be primary and therefore, the database content of the primary is
preserved for the non-resilient configuration. If you want to preserve the database content
from the standby server instead, before you start the procedure, perform a manual
switchover as described in Initiating a Server Work Mode Switchover to have the primary
operate on the appropriate server.

Procedure to Revert to a Non-Resilient Configuration

1. (Optional) Before you start the downgrade, back up your Ensemble Controller database as
described in Immediate Database Backup.
2. Log in the quorum server that hosts the distributed configuration service (DCS), and then
complete these steps:

a. Run the install-ha-stream installer script located in the streaming replication high-
availability installation directory /opt/adva/fsp_nm/ha/bin/install-ha-stream.sh
b. Type 4 to select Remove HA features on the host, and then complete the installer
command requests that follow.

The values in square brackets are suggestions for what you can type. If the bracket
includes only one suggestion, you can press Enter to accept the suggested value without
having to type it and continue.

3. Log in the server that hosts the standby Ensemble Controller, and then repeat the Steps 2a.
to 2b. While the system uninstalls the streaming replication high availability from the
standby server, the primary server experiences an outage.
4. Log in the server that hosts the primary Ensemble Controller, and then complete these steps:

a. Repeat the Steps 2a. to 2b.

Ensemble Controller R15.3 Administrator Manual - Issue: A 209

Adtran Configuring Ensemble Controller

b. Restart the Ensemble Controller Server as described in Starting the Ensemble Controller
Server. After the restart, high availability is no longer available for your system and you
reverted to a non-resilient server that used to be the primary server.
c. Test the non-resilient server.
5. Log in the server that used to host the standby Ensemble Controller, and then uninstall the
Ensemble Controller software as described in Uninstalling Ensemble Controller.

Migrating from Standard to Streaming

Replication High Availability
Requirement to Migrate from Standard to Streaming Replication High Availability 210
Procedure to Migrate from Standard to Streaming Replication High Availability 210

Requirement to Migrate from Standard to Streaming

Replication High Availability
l You have installed and operated a two-node cluster for the standard high-availability
solution.
l You meet the Installation Requirements for the streaming replication high-availability
solution.
l Your Ensemble Controller holds a license for streaming replication high-availability (ENC-HA-
STREAM). You can verify your license coverage from the Ensemble Controller application bar
Help menu > Support > License Info. For information, see the User Manual, Displaying License
Information.
l After you complete this procedure, be aware that the remaining Ensemble Controller Server
is the one that used to be primary and therefore, the database content of the primary is
preserved for the streaming replication high-availability configuration. If you want to
preserve the database content from the standby server instead, before you start the
procedure, perform a manual switchover as described in Initiating a Server Work Mode
Switchover to have the primary operate on the appropriate server.

Procedure to Migrate from Standard to Streaming

Replication High Availability
1. (Optional) Before you start the upgrade, back up your Ensemble Controller database as
described in Immediate Database Backup.
2. Log in the server that hosts the primary Ensemble Controller, and then disable the standard
high-available feature as described in Disabling a Standard High-Availability Configuration.
3. Log in the server that hosts the standby Ensemble Controller, and then complete these
steps:

a. Disable the standard high-available feature as described in Disabling a Standard High-

Availability Configuration.

Ensemble Controller R15.3 Administrator Manual - Issue: A 210

Adtran Configuring Ensemble Controller

b. Shut down the Ensemble Controller Server as described in Stopping the Ensemble
Controller Server.
c. Delete the local database.
4. Log in to the server with the primary Ensemble Controller, and then complete these steps:

a. Shut down the Ensemble Controller Server as described in Stopping the Ensemble
Controller Server. After you shut down the Ensemble Controller Server, the outage
associated with this upgrade begins.
b. In the Ensemble Controller installation directory, extract the HA_Stream_for_Linux-
vXX.X.X-SNAPSHOT.tgz streaming replication high-availability software package. The
extracted files include the install-ha-stream installer script for streaming replication high
availability. For more information, see Installation Software.
c. Run install-ha-stream.
d. Type 1 to select Install a first HA host, and then complete the installer command requests
that follow. For more information, see Installing and Configuring the Intended Primary
Ensemble Controller Server. After the installer completes the initialization, the outage
associated with this upgrade ends.
5. Log in the server that you intend to use as the quorum server that hosts the distributed
configuration service (DCS), and then complete the steps in Installing and Configuring the
Intended DCS Quorum Server.
6. Log in to the server with the standby Ensemble Controller, and then complete these steps:

a. In the Ensemble Controller installation directory, extract the HA_Stream_for_Linux-

vXX.X.X-SNAPSHOT.tgz streaming replication high-availability software package. The
extracted files include the install-ha-stream installer script for streaming replication high
availability. For more information, see Installation Software.
b. Run install-ha-stream.
c. Type 2 to select Install a standby HA host, and then complete the installer command
requests that follow. For more information, see Installing and Configuring the Intended
Standby Ensemble Controller Server.
7. (Optional) Complete post-migration steps as described in Step 4 and 5 in Installation
Overview.

System Settings
The system settings apply to all users. See these topics for information about how to adapt the
system settings for Ensemble Controller.

Suppressing Noisy Events 212

Broadcasting Messages to Ensemble Controller Clients 216
Server Preferences 218
Configuring the NBI Trap Transmitter Settings 236
Configuring ENC-ELS Single Sign-On Connection 240

Ensemble Controller R15.3 Administrator Manual - Issue: A 211

Adtran Configuring Ensemble Controller

Suppressing Noisy Events

If network elements become unstable, they send an undesirable amount of events that we
consider as noise. These many, mostly irrelevant noisy events cause the event log to fill up
quickly and thus to purge the oldest but important events. To prevent this scenario, you can
suppress noisy events in the Event Severities window as described here.
For an overview of noisy events that network elements can emit, see Overview of Noisy Events
Per Network Element.
1. From the Ensemble Controller application bar Settings menu, select System, and then Event
Severities. The Event Severities window opens.
2. In the Event Severities ribbon menu, Products area, select the product from which you want
to see the events.
3. In the Event Severities ribbon menu, Noisy Events area, select Suspend. A Confirmation dialog
box opens.
After you select Yes, the system verifies all network elements that support noisy-event
identification, and then suppresses respective events. The Severity column displays Not
Reported for those events that Ensemble Controller suppressed. The system does neither log
suppressed events in the database nor forward them to the northbound interface (NBI).
4. In the Confirmation dialog box, click Yes to suppress noisy events, or No to stop the action.
After the unstable network elements return to normal operation, you might want to revoke
the suppression of noisy events.
5. To revoke the noisy event suppression, in the Event Severities ribbon menu, Noisy Events area,
select Resume. A Confirmation dialog box opens.
After you select Yes in the Confirmation dialog box, Ensemble Controller
irretrievably overwrites the settings for the severities that you customized
up to this point in time, and reverts them to factory defaults.

6. In the Confirmation dialog box, click Yes to revert customized severities to factory defaults, or
No to stop the action.
After you select Yes, the table updates and shows default severity values, and resumes
database logging and NBI notifications.

Ensemble Controller R15.3 Administrator Manual - Issue: A 212

Adtran Configuring Ensemble Controller

Overview of Noisy Events Per Network Element

This section provides an overview of event traps that certain network element types emit that we consider as noise. You can suppress these events
as described in Suppressing Noisy Events. After you suppress the noisy events, the system does no longer log them in the database.

Device State Change Traps Authentication Traps Other Traps

Type

FSP 150 cmStateChangeTrap authenticationFailure cmAttributeValueChangeTrap

(CC)-GExxx

FSP 150- f3SyncJClockProbeStatusChangeTrap cmObjectCreationTrap

XG210

FSP 150CM f3SyncJPTPClockProbeStatusChangeTrap cmObjectDeletionTrap

FSP 150EG-X f3SyncJPTPNetworkProbeStatusChangeTrap f3BulkTrap

f3PtpTSStatusChangeTrap

linkDown

linkUp

coldStart

warmStart

cmSnmpDyingGaspTrap

Ensemble Controller R15.3 Administrator Manual - Issue: A 213

Adtran Configuring Ensemble Controller

Device State Change Traps Authentication Traps Other Traps

Type

FSP 150CCf- nidStateChangeTrap authenticationFailure -

825
dsx1LineStatusChange

dsx3LineStatusChange

nidSnmpDyingGaspTrap

linkDown

linkUp

coldStart

warmStart

FSP 150EG- ovnNGTrapControlGroup

- -
M2
FSP 150EG- linkDown
M4
FSP 150EG-
linkUp
M8

FSP 150- cmStateChangeTrap authenticationFailure cmAttributeValueChangeTrap

XG116Pro

FSP 150- linkDown cmObjectCreationTrap

XG120Pro

FSP 150- linkUp cmObjectDeletionTrap

XG120Pro-
SH

Ensemble Controller R15.3 Administrator Manual - Issue: A 214

Adtran Configuring Ensemble Controller

Device State Change Traps Authentication Traps Other Traps

Type

coldStart f3BulkTrap

warmStart

cmSnmpDyingGaspTrap

FSP 3000R7 equipmentInserted authenticationNotification transientWorkingSwitchedtoProtection

equipmentRemoved authentication transientWorkingSwitchedBacktoWorking

neStateChange transientManualWorkingSwitchedtoProtection

entityStateChange transientManualWorkingSwitchedBacktoWorking

layer2EntityStateChange transientForcedWorkingSwitchedBacktoWorking

transientNeColdStart transientForcedWorkingSwitchedBacktoProtection

snmpAgentStateChanged transientIntrusionRx

snmpAgentSynchronizationStageChanged transientIntrusionTx

transientFarEndDyingGasp

transientFarEndChanged

Ensemble Controller R15.3 Administrator Manual - Issue: A 215

Adtran Configuring Ensemble Controller

Broadcasting Messages to Ensemble

Controller Clients
Complete these steps to broadcast important messages to Ensemble Controller Clients (ENC
Clients). For example, you can broadcast that a server restart will occur soon. ENC Clients that
are currently logged in (online) will see this message immediately. Other ENC Clients see this
message as soon as they log in.

Requirement to Broadcast Messages 216

Procedure to Broadcast Messages 216

Requirement to Broadcast Messages

To broadcast messages, you need to have the permission Broadcast User Messages. The
system grants this permission only to the administrator role, as the default.
The administrator sets permissions and corresponding user roles in the Security Manager. To
open the Security Manager, in the Ensemble Controller application bar Settings menu, select
Security, and then Security Manager. For more information about user roles and allocated
privileges, see the Administrator Manual, Roles and Allocated Actions.

Procedure to Broadcast Messages

1. From the application bar Settings menu, select System, and then Broadcast Message. The
Broadcast Messages window opens:

2. In the Broadcast Message window, select either of these tabs:

l Messages that you create and send from the Immediate tab receive the clients only if
they are currently online.
l Messages that you create and send from the Immediate and Login tab receive online
and offline clients after they log in, unless the message expired. Ensemble Controller
saves the message in the database. With each new message that you send, Ensemble
Controller overwrites the previous message.
3. Create a message as described in these steps:
a. Type a message that corresponds to the stated writing rule. If you type more characters
than allowed, an error message appears below the text field.

Ensemble Controller R15.3 Administrator Manual - Issue: A 216

Adtran Configuring Ensemble Controller

b. In the Immediate and Login tab, select a date and time when you want the message to
expire:

By default, the system presets the date/ time field with a value that is 24 hours in the
future from when the window opened.
For keyboard navigation, to specify date and time, these options are supported:
l Focus a digit that you wish to change and type the relevant date/ time value.
l Focus a digit that you wish to change and use the Up/ Down Arrow keys on your
keyboard.
Depending on the digit you focus, this digit is incremented/ decremented by one with
the relevant key.
l Focus the calendar button adjacent to the field, and then press the spacebar or
Enter to open a one-month-at-a-time calendar.
Select the relevant date from the calendar.
For mouse navigation, to specify date and time, these options are supported:
l Select a digit that you wish to change and use the little up/ down arrows next to the
date/ time field.
Depending on the digit you select, this digit is incremented/ decremented by one with
the relevant arrow.

l Click the calendar button , which opens a one-month-at-a-time calendar.

Select the relevant date from the calendar.

4. Select Send to broadcast the message. The Broadcast Messages window indicates the
client local time when you sent the message and additionally the expiration date for the
Immediate and Login tab:

The message will not appear to the user who sent the message.

Ensemble Controller R15.3 Administrator Manual - Issue: A 217

Adtran Configuring Ensemble Controller

5. Proceed with these actions as required:

l To reuse the message you just sent for another broadcast, edit the existing text as
required, which enables the Send button again and clears the Sent/ Expiration time
indication. You must wait for 10 seconds before you can send another message.
l To immediately compose another message without closing the window, select Clear,
which removes the previous message from the text field. Repeat this procedure from
Step 3.
l If a message with expiration date is no longer valid and must not display to any more
clients that log in, select Expire Now, which removes the message from the Ensemble
Controller database. A respective information about the action displays below the text
field.
l To close the window, you can click Close, select x, or press Esc.
For clients currently online and for the ones that log in later, this Broadcast Message from
<username> window opens according to the message sent by the user:

6. Proceed with one of these options:

l Click OK to confirm the message.
l Close the message with x.
l Press Esc.
If a user sends multiple messages, the windows are all stacked on top of each other and
must be closed one by one. Each message displays just once and thus, when confirmed the
message disappears and will not appear again.
Messages created and sent from the Immediate tab endure only for that client session. That
is, when you log in to the client next time, the text field in the Immediate tab is blank.
Messages created and sent from the Immediate and Login tab are saved to the database
and therefore are still available in the text field when you log in to the client next time.

Server Preferences
See these topics for information about how to configure the Ensemble Controller Server to
conform to your network requirements.

Event Log Settings 219

Editing Security Parameters 224
Setting SMTP Properties 231

Ensemble Controller R15.3 Administrator Manual - Issue: A 218

Adtran Configuring Ensemble Controller

Setting the Default NE Identity Type 232

Changing the Network Element Icon Labeling 233
Setting the Client Time Zone 235

Event Log Settings

You use the event log settings to specify different thresholds and time periods for the events in
the live and history tables.
Ensemble Controller maintains:
l Live events in the Alarms, Events, and Security tab, also referred to as live tables.
l Historical events in the Alarm History tab, also referred to as history table.

For more information about alarms and events, see the User Manual.

Opening the Event Log Page 219

Event Log Parameters 221
Log Size Details of Live Events 223
Anonymization Details 223

Opening the Event Log Page

1. From the Ensemble Controller Settings, select System, and then Server Preferences. The
Server Preferences dialog box opens.
2. From the left menu, select Event Log:

Ensemble Controller R15.3 Administrator Manual - Issue: A 219

Adtran Configuring Ensemble Controller

The Event Log page divides into areas that contain parameters either for the live or historical
events. For each parameter, you have a field to set relevant values. Some fields already
show appropriate default values. For information about the Event Log parameters, see Event
Log Parameters.
3. To change a parameter, type a relevant value in the field. For the Anonymization area, you
can also use the up and down arrows to select an appropriate value.

Ensemble Controller R15.3 Administrator Manual - Issue: A 220

Adtran Configuring Ensemble Controller

Event Log Parameters

For an overview of all the parameters available in the Event Log page, see this table:

Settings for ... Area Parameter Default Value Description

Live Events Truncation Maximum Event Log Size/ Records 30,000 The maximum number of events that the live table
(< = 200,000) can hold.
The maximum size of 200,000 can be increased by
changing the property
‘com.adva.nlms.mediation.event.maxEventLogSize’
located in the fnm.properties file. See the appendix >
com.adva.nlms.mediation.event.maxEventLogSize for
more information.
For details regarding the log size, see Log Size Details
of Live Events.

Wait Before Auto-Delete/ Minutes 30 The waiting time in minutes before events are
automatically deleted.

Event Log Size Warning Threshold/ 95 The event log size in percentage that triggers a
% warning to be raised.

Minimal Warning Interval/ Hours 24 The minimal interval in hours of sending out warnings.

Remaining Log Size After Deletion/ 90 The log size in percentage remaining after events
% have been deleted.

Historical History History Retention Period/ Days 211 The time period in days of retaining events in the
Events (1..360) history table.

History Capacity/ Records (< 1.5 1,000,000 The maximum number of events that the history table
Million) can hold.

Ensemble Controller R15.3 Administrator Manual - Issue: A 221

Adtran Configuring Ensemble Controller

Settings for ... Area Parameter Default Value Description

Live to History Alarm auto-acknowledge 50 A threshold in percentage that triggers an alarm
Transfer Threshold/ % of all Events in Log when the value of auto-acknowledged events has
been reached or is exceeded.

Waiting Time before Transfer to 1 The waiting time in hours before events are
History/ Hours (1..48) transferred to the history table.

Archive Default Start Age of Events to be 5 The minimum age in days before the event is
Archived/ Days (1..360) archived.

Default End Age of Events to be 0 The maximum age in days with which the event is still
Archived/ Days (0..360) archived.

Live Events Anonymization Removes Personal Information 0 The time in days when personal information are
Historical After/ Days (0...360) removed from the event/ faulted service.
Events As long as the value is 0, anonymization is disabled
indicated by the red cross next to the spin box ( ).
Faulted
Services After you select a value, anonymization is enabled
indicated by the green icon ( ). When enabled,
anonymization is initialized once a day.
For details regarding anonymization, see
Anonymization Details.

Ensemble Controller R15.3 Administrator Manual - Issue: A 222

Adtran Configuring Ensemble Controller

Log Size Details of Live Events

To assist in monitoring the event log, warnings are issued when the log size is getting close to
the specified maximum size. These warnings are then issued regularly until the event log size is
reduced below the warning threshold or until the maximum size is reached.
If the maximum size is reached, events are automatically deleted until the event log size is
reduced below a specified threshold. The oldest events will be deleted first. However, deletion
does not start immediately. This is due to the fact that during a trap storm the maximum limit
can very well be exceeded. In this situation it is desirable to refrain from removing events at the
same time to avoid overloading the system.
If you increase the parameter for the event log size to a large value (> 500,000), the Ensemble
Controller could have temporary problems in displaying new events. It can happen at the time
when the Ensemble Controller starts to delete old events to bring the number below the
specified threshold.
All settings regarding the event log size are stored on the Ensemble Controller server and are
valid for all users using this Ensemble Controller server.

Anonymization Details
Live events, historical events as well as faulted services can be anonymized and thus freed from
personalized information. This involves these tasks:
l The user name of the acknowledger is replaced by XXXX if the acknowledgment date is older
than the specified number of days.
The acknowledgment date and the anonymized user name XXXX stays in place so that log
inspection shows that acknowledgment did happen but not by whom.
l All events that are tagged to be security events and faulted services that are older than the
specified number of days are removed.

Anonymization of alarms, events and faulted services as described here for

the Ensemble Controller cannot guarantee full data anonymization on itself.
Other settings have to be made so the combination of settings result in the
overall required level of anonymization. Such a setting is for example not to
enable the tagging of none-security events with user-specific data on the
FSP 3000R7.

Ensemble Controller R15.3 Administrator Manual - Issue: A 223

Adtran Configuring Ensemble Controller

Editing Security Parameters

Complete the procedures in this section to:
l Set the time of inactivity before Ensemble Controller locks itself automatically. To regain
access, log in again.
l Set the time of inactivity before Ensemble Controller automatically shuts down.
l Set user account policies for your entire network such as, the user name minimum length, the
password minimum number of digits, and so on.
l Set authentication parameters for RADIUS, TACACS+, or LDAP.

Opening the Security Page 224

Setting Auto Lock and Auto Logout 225
Setting User Account Policies 226
Setting Authentication Parameters 228
Verifying Certificates of other Servers 230

Opening the Security Page

1. In the Ensemble Controller Settings, select System, and then Server Preferences. The Server
Preferences dialog box opens.
2. From the left menu, select Security:

Parameters with a red icon ( ) are disabled. Parameters with a green icon ( ) are
enabled.

Ensemble Controller R15.3 Administrator Manual - Issue: A 224

Adtran Configuring Ensemble Controller

Figure 13: Server Preferences Security Options

See these topics for details about:

l Setting Auto Lock and Auto Logout
l Setting User Account Policies
l Setting Authentication Parameters

Setting Auto Lock and Auto Logout

1. Open the Server Preferences Security page as described in Opening the Security Page.
2. To specify relevant values, edit these areas:

Ensemble Controller R15.3 Administrator Manual - Issue: A 225

Adtran Configuring Ensemble Controller

Area Description Steps

Auto Lock Specifies the length of user inactivity before l Type the number
Ensemble Controller becomes locked. By of minutes.
default this parameter is enabled and set to 10
–or–
minutes.
l Use the up and
If Ensemble Controller becomes locked, the
down arrows.
Login window opens where you can log in
again and restore the last Ensemble Controller
session.

Auto Logout Specifies the user inactivity before the

Ensemble Controller Client, not the Server,
automatically shuts down and logs out users.
By default this parameter is disabled.

3. Click OK to save your settings, or click Cancel.

Setting User Account Policies

1. Open the Server Preferences Security page as described in Opening the Security Page.
The User Account Policies area shows these parameters:
Figure 14: Server Preferences Security Page – User Account Policies

2. To specify the relevant values according to this table, you can either type in the fields or use
the up and down arrows. This table describes the fields and their value requirements.

Ensemble Controller R15.3 Administrator Manual - Issue: A 226

Adtran Configuring Ensemble Controller

Policy name Default value Allowed range Remarks

0 = disabled minimum to
parameter maximum

User name 6 characters 1 to 32 This attribute constrains user

minimum characters names. That is, the user name that
length you create must be within this
minimum number to the maximum
number of allowed characters.

Password 8 characters 1 to 32 This attribute constrains passwords.

minimum characters That is, the password that you
length create must be within this minimum
number to the maximum number
of allowed characters.
If you set a value that is unequal to
or does not meet all of the required
minimum parameters, an error
displays. The minimum parameters
are lowercase, uppercase, special
characters, and digits. Adjust your
settings appropriately.

Optional Parameters
Password 0 characters 1 to 10 characters This attribute constrains passwords.
minimum That is, the password that you create
number of must be within this minimum number
lowercase to the maximum number of allowed
letters characters.
Password
minimum
number of
uppercase
letters
Password
minimum
number of
digits
Password
minimum
number of
special
characters

Ensemble Controller R15.3 Administrator Manual - Issue: A 227

Adtran Configuring Ensemble Controller

Policy name Default value Allowed range Remarks

0 = disabled minimum to
parameter maximum

Time period 60 days 0 to 360 days This attribute constrains inactive

after which user accounts. That is, if an account
an inactive is unused for the number of days
user account that you specify in this field, the
is disabled account becomes disabled. The
administrator must then reactivate
the account before a user can use
it again.

Password will 90 days If you set this attribute to 0, which

expire in disables it, the password never
expires.
Admin 30 days
password will
expire in

Keep 5 passwords This attribute constrains password

password reuse. It specifies how many
history for passwords are retained before a
user can reuse it.

3. Select Disable user name cache if you do NOT want to store the user name locally. With this
setting, the login window opens with the user name field unspecified or empty. By default,
the user name cache is enabled.
4. Click OK to apply your settings, or Cancel.

Setting Authentication Parameters

Complete these steps to set authentication parameters such as the type of authentication and
shared secret passwords for RADIUS, TACACS+, or LDAP servers.

Ensemble Controller R15.3 Administrator Manual - Issue: A 228

Adtran Configuring Ensemble Controller

1. Open the Server Preferences Security page as described in Opening the Security Page.
The Authentication area shows these fields:

2. From the Authentication Type list, select the relevant option for authentication at login:
l Local: Normal user login, no remote authentication.
l Remote via RADIUS: Centralized authentication using the Remote Access Dial-In User
Service (RADIUS).
l Remote via TACACS+: Centralized authentication using the Terminal Access Controller
Access Control Service Plus (TACACS+).
l Remote via LDAP: Centralized authentication using the Lightweight Directory Access
Protocol (LDAP).
3. To set a secret password, next to the server that you want to configure, click Set. The Shared
Secret dialog box for that server opens.
If you use LDAP authentication and you want to configure more than one
server, make sure you set the secret password for each server, even if the
same value is used.

4. In the Password field, enter a password.

By default, you can use a maximum of 16 characters for the RADIUS shared secret password.
To use more than 16 characters, in the fnm.properties file, edit the property
com.adva.fnm.option.radiusclient
For information about how to edit properties in the fnm.properties file, see Editing the
fnm.properties File.
5. In the Confirm Password field, re-enter the password.
6. Click OK to apply the settings, or Cancel to stop the operation.
7. Repeat the procedure from Step 2 to specify a password also for the other servers, as
applicable. The icons next to the Set button indicate the password status as follows:

Icon Meaning

A password is defined, and the respective server is configured in the

fnm.properties file.

Ensemble Controller R15.3 Administrator Manual - Issue: A 229

Adtran Configuring Ensemble Controller

Icon Meaning

No password is defined, but the respective server is configured in the

fnm.properties file.

A password is defined, but no respective server is configured in the

fnm.properties file.

no icon Neither a password nor a respective server is configured in the

fnm.properties file.

Additionally, if you hover over an icon, a tooltip reveals information about the icon. For more
information about how to configure servers in the fnm.properties file:
l For RADIUS, see Configuring the RADIUS Server Access in Ensemble Controller.
l For TACACS+, see Configuring the TACACS+ Server Access in Ensemble Controller.
l For LDAP, see Configuring Access to the LDAP Server.
8. Click OK to apply the settings, or Cancel to stop the operation.

Verifying Certificates of other Servers

The ENC mediation communicates with these servers over HTTPS:
l GeoServer
l ELS
l FNE
l CPc
l GNSS Assurance, SNTGnmi, Sync Quality Compliance, TPA Assurance - ENC configures these
servers altogether, using the rproxy entry of the fnm property.

Use the fnm property com.adva.nlms.mediation.http.client.certs.verification with the values

shown in bold in Table 11 to specify whether ENC mediation verifies the servers certificates. If you
want to enable the verification, set its server property to on. To disable verification, set its server
property to off.

Table 11: FNM Property to Enable or Disable Verification of Server Certificates

FNM Property Description

com.adva.nlms.mediation.http.client.certs. All servers are disabled. No verification

verification:geoserver:off,els:off,fne: happens.
off, cpc:off,rproxy:off

com.adva.nlms.mediation.http.client.certs. This is an example where the ELS server

verification:geoserver:off,els:on,fne: and rproxy server are enabled. The ENC
off,cpc:off,rproxy:on mediation verifies the ELS, GNSS Assurance,
SNTGnmi, Sync Quality Compliance and
TPA Assurance server.

Ensemble Controller R15.3 Administrator Manual - Issue: A 230

Adtran Configuring Ensemble Controller

You can enable or disable verification of the server certificates as you want. The verification of
all server is disabled by default. If a server is not defined in the property, the default is used, and
thus the server certificate is not verified. See also
com.adva.nlms.mediation.http.client.certs.verification.

Changing the FNM Property

Each time if there is a change in the value of the property, ENC mediation sends the security
event Certificates Verification state property changed. This is visible in the Events tab,
Description field. After you change the property, there is no need to restart the server. ENC
checks the property every one minute. If you change the property while ENC is shutdown, ENC
emits the event as normal when the server starts.

Setting SMTP Properties

Complete these steps to set the simple mail transfer protocol (SMTP) properties that the server
uses to send email notifications.
1. In the Ensemble Controller Settings, select System, and then Server Preferences. The Server
Preferences dialog box opens.
2. From the left menu, select SMTP.

Ensemble Controller R15.3 Administrator Manual - Issue: A 231

Adtran Configuring Ensemble Controller

3. In the SMTP page, edit these fields:

Field Description or Steps

Server Type the name of the SMTP server that the Ensemble Controller will
use to send emails. You can enter either a fully qualified name,
such as mail.yourdomain.com, or the IP address. If the server IP
address changes, you will have to adapt this setting. The fully
qualified name will not require any changes.
NOTE:
If you use the Windows Exchange Server 2010, add the Ensemble
Controller Server IP address to the Exchange server list of SMTP-
relays.

Outgoing server Type the appropriate SMTP port number for the outgoing server.
port number
(SMTP)

Sender email Type an identifying text for the notification, for example,
address (field notification .
FROM) For email notifications, you will receive an email with the sender
identity equal to <From address field>@<SMTP server name>.
For example, notification@yourdomain.com. This address must be
valid, or the email server will reject it.

Authentication If the SMTP server requires authentication from Ensemble

required Controller:

a. From your SMTP server administrator, request a login name

and password.
b. Select Authentication required.
c. In the Login field, type the login name.
d. In the Password field, type the password.

Test email To verify if your SMTP properties are correct, send a test email:
address (field TO)
a. In the Test email address (field TO) field, type the email
address where you want to receive a test email.
b. Make sure that this message displays: Email sent successfully.
Please check that it was received correctly.
c. Verify that you received a test email.

4. Click OK to apply your settings, or click Cancel.

Setting the Default NE Identity Type

Complete these steps to specify the default identity type for all network elements (NEs) that you
newly add to the Ensemble Controller (ENC) database.

Ensemble Controller R15.3 Administrator Manual - Issue: A 232

Adtran Configuring Ensemble Controller

The identity type determines how you label an NE wherever it is presented that is, for example, in
the tree and map pane, at the northbound interface (NBI), or in any of the regular reports, such
as inventory report, resource report, and so on.
1. In the Ensemble Controller Settings, select System, and then Server Preferences. The Server
Preferences dialog box opens.
2. From the left menu, select Identity.
3. In the Default NE Identity Type list, select the appropriate option.
Supported Identity Type options:

Identity Description
Type

Name The name of a string that you set on the network element. If you change
the name in Ensemble Controller, the network element also uses the
changed name. If you change this name on the network element,
Ensemble Controller uses the changed name.
The string name requires the use of special characters. Use the NE
Identifier that supports special characters to specify the name.

IP Address This address is the host or network interface identification.

NE Identifier This identifier exists only in Ensemble Controller and conforms to a

secondary network element name. If you change the NE identifier, the
network element keeps it original name. This ID supports characters that
the network element might not support.

4. Click OK to apply the value that you selected, or click Cancel.

Changing the Network Element Icon Labeling

Complete these steps to change the labeling for all network element icons presented in the
Ensemble Controller. You can separately configure the icon labeling of the network elements for
the tree pane, the map pane in the Networks tab, and the map pane in the Services tab.
1. From the application bar Settings menu, select System, and then Server Preferences. The
Server Preferences dialog box opens.

Ensemble Controller R15.3 Administrator Manual - Issue: A 233

Adtran Configuring Ensemble Controller

2. From the left menu, select NE Icon Label.

Figure 15: NE Icon Label, Server Preferences

For more information about how to set identity parameters, see the User Manual.
By default, the label value that you set for Identity Type <identity> displays for the tree pane
and the Topology Graph window. For the Service Paths window, the label value set for Name
and IP Address displays by default.
Depending on the options you selected from the lists, the adjacent graphical presentation
updates accordingly and you can preview the settings.
3. To change the icon labels for the network elements available in the tree pane, in the Tree
area, select from the Label list options.
4. To change the icon labels for the network elements available in:
l The Topology Graph window, edit the Network Map area.
l The service graph windows, which include the Service Paths window, the Optical Trace
window, or the Layer Browser window, edit the Service Map area.
5. In the Network Map area or Service Map area, select from the Label Line 1-3 list options:
As the lines indicate, the icon labels in the map pane can be provided with up to 3 lines:
l Line 1 is mandatory and therefore, the option <empty> is not available in the option list.
l Line 2 and 3 are optional and can be selected as appropriate.
Label settings for the Topology Graph also affect the service wizard, for example the Node
Page or Summary Page will display the network element labels accordingly.

Ensemble Controller R15.3 Administrator Manual - Issue: A 234

Adtran Configuring Ensemble Controller

For the Service Map settings, if a network element label is longer than a predefined width,
that line is then truncated. A dot (.) symbol is appended to denote abbreviation.
If you hover over the network element label, a tooltip indicates the full label.
6. Click OK. A notification dialog box appears:

7. Click OK, and then restart the Ensemble Controller Client.

Setting the Client Time Zone

Complete these steps to set a time zone for all your Ensemble Controller (ENC) Clients that
connect to that server. This can be useful if the operating systems where the Clients run, display
an undesirable time zone name. After you set a time zone, the Ensemble Controller Clients
ignore the time zone settings of their operating systems.
You can also set time zones for the Ensemble Controller Server. For information about how to set
Ensemble Controller Server time zones, see Setting the Server Time Zone.
1. In the Ensemble Controller Settings, select System, and then Server Preferences. The Server
Preferences dialog box opens.
2. From the left menu, select Time Zone.

3. To enable the Time Zone page for editing, select Enforce on the clients.
4. From the Time Zone ID list, select a time zone according to your geographical location.
The time zone overview updates according to the selection.

Ensemble Controller R15.3 Administrator Manual - Issue: A 235

Adtran Configuring Ensemble Controller

The date is formatted according to the property com.adva.fnm.option.date_format and

the value that you can specify in the fnm.properties file. For more information about the date
format property, see Graphical User Interface Options.
The timestamp indicates the abbreviation for the time zone, such as CET - Central European
Time or CEST - Central European Summer Time.
The Time Zone Database defines the time zone IDs that the Internet Assigned Numbers
Authority (IANA) maintains.
5. Alternatively, to restrict the time zone ID list to those with the same UTC offset, select Filter by
UTC offset. This enables the adjacent list of time offsets.
6. Select the desired offset, then select the desired value from the now shorter Time Zone ID list.
7. Click OK to apply the selected values, or click Cancel to stop the action. A notification
displays.
8. Click OK, and then restart the Ensemble Controller Client.
9. You can quickly verify the time zone changes:
l In the starting dialog box that appears after you successfully logged into the Client as
shown here:

l In the Alarms or Events table, Time column.

Configuring the NBI Trap Transmitter Settings

Complete these steps to configure trap transmitter parameters for the northbound interface
(NBI) to send traps to the operating support systems (OSS) that you specify. By default, the NBI
uses SNMPv2c.
These steps also include the instructions about how to modify the trap community string
applicable to SNMPv2c for the OSS.

Requirement to Configure the NBI Trap Transmitter Settings 237

Procedure to Configure the NBI Trap Transmitter Settings 237

Ensemble Controller R15.3 Administrator Manual - Issue: A 236

Adtran Configuring Ensemble Controller

Requirement to Configure the NBI Trap Transmitter

Settings
To configure the NBI trap transmitter, you need to have the permission Control NBI Trap
Transmitter Settings. This permission is by default granted only to the role of administrators.
The administrator sets permissions and corresponding user roles in the Security Manager. To
open the Security Manager, in the Ensemble Controller Settings, select Security, and then
Security Manager. For more information about user roles and allocated privileges, see Roles and
Allocated Actions.

Procedure to Configure the NBI Trap Transmitter Settings

1. In the Ensemble Controller Settings, select System, and then NBI Trap Transmitter Settings.
The NBI Trap Transmitter window opens.
2. Edit the fields as described in this table. The fields that are shaded in yellow or red are
mandatory fields. You must edit them. However, the value that you enter in a red-shaded
field must meet certain criteria to be valid. Note the field messages, which inform about the
criteria.

Field Description or Steps

SNMP Version l Select v2c to modify the trap community string of that SNMP
version.
The SNMP v1/v2 Settings area is made available.
l Select v3 to change from the default SNMPv2c to SNMPv3 and
configure this interface accordingly. The SNMPv3 Settings area is
made available.

OSS Address List Specify the OSS addresses to which you want Ensemble Controller
to apply the settings:

a. To add an address, select Add. The Add new OSS Address

dialog box displays.

b. Edit these fields:

Field Description or Steps

IP/Host Type the IP or the host address.

Address

Port If required, you can change the default port

162 that already shows in this field.

Ensemble Controller R15.3 Administrator Manual - Issue: A 237

Adtran Configuring Ensemble Controller

Field Description or Steps

c. Click OK to apply your changes, or Cancel to stop the

operation.
After you click OK, the new address displays in the OSS Address
List field.

d. To modify or delete an existing address, in the OSS Address List

field, select the address, and then select Modify or Delete.
l After you select Delete, Ensemble Controller immediately
removes the address from the OSS Address List field.
l After you select Modify, the Modify OSS Address dialog box
displays.
i. See Step 2 for information about how to edit the fields.
ii. After you edit the fields, click Modify to save your
changes, or Cancel to stop the operation.

Whenever you add, delete, or modify an address in the OSS

Address List field, the system sends respective event notifications,
for example, OSS-DEL or OSS-ADD, to each of the listed addresses.
For more information about these events, see the User Manual.

e. If you have several IP interfaces, to specify the source IP that is

reported as varbind inside the event, in the fnm.properties file,
set the parameter com.adva.fnm.option.snmpNBISource.
For a description of this property, see Server Access Options.

Get Community This field is available only if you selected v2c in the SNMP Version
field. If required, you can change the default trap community string
public that already shows in this field.

User Name Type the user name for this SNMP version.

Security Level Select the level of security that Ensemble Controller and the OSS
use to communicate.

Authentication These fields are Select the authentication protocol that

Protocol available only if you Ensemble Controller uses to
selected Authentication authenticate messages.
and Privacy or
Authentication Authentication Only in Type the appropriate password for the
Password the Security Level field. selected authentication protocol.

Retype Retype the exact password you

Authentication entered in the Authentication Password
Password field.

Ensemble Controller R15.3 Administrator Manual - Issue: A 238

Adtran Configuring Ensemble Controller

Field Description or Steps

Privacy Protocol These fields are Select the privacy protocol that
available only if you Ensemble Controller uses to encrypt
selected Authentication the data portion of messages.
and Privacy in the
Privacy Password Security Level field. Type the appropriate password for the
selected privacy protocol.

Retype Privacy Retype the exact password you

Password entered in the Privacy Password field.

Use Custom Select to set the field to Yes and thus enable the use of an SNMP
Engine engine ID, or set it to No to disable the use. After you set it to Yes, you
can edit the Custom Engine ID field.

Custom Engine ID This field is available only if you set the Use Custom Engine field to
Yes. Type an appropriate ID.

3. Click Save to immediately apply the settings, or Cancel to stop the operation.
After you click Save, the trap forwarder will resolve the host name addresses that you
specified in the OSS Address List field, into IP addresses by using a domain name system
(DNS) server. If the trap forwarder fails to resolve these host name addresses, a red
exclamation mark displays next to that address as illustrated in this figure:

4. Reopen the NBI Trap Transmitter window to verify whether the trap forwarder could not
resolve any of the host name address that you specified. To open a tooltip with required
information, hover over an unresolved host-name address.

Ensemble Controller R15.3 Administrator Manual - Issue: A 239

Adtran Configuring Ensemble Controller

Configuring ENC-ELS Single Sign-On

Connection
With this feature you can configure three types of Single Sign-On (SSO) accounts:
l Admin - User is able to connect to ELS with ROLE_ADMIN+ROLE_READ privileges, which gives full
administrative and read privileges to all Flexnet Embedded Server (FNE) data.
l Restricted admin - User is able to connect to ELS with ROLE_ADMIN+ROLE_READ privileges but
with no ability to perform user management functions on the ELS.
l Read - User is able to connect to ELS with ROLE_READ privileges, which gives only the ability to
view non-sensitive data of the FNE.

SSO connection to ELS is limited for every user by these permissions:

l View ENC-ELS Single Sign-On settings.
l Modify ENC-ELS Single Sign-On settings.
l Perform ELS Single Sign-On as Administrator.
l Perform ELS Single Sign-On as Restricted Administrator.
l Perform ELS Single Sign-On as Read.

The user will be able to connect to ELS with the currently configured SSO account depending on
the permissions he has. The system takes into account the highest granted permission for the
user. For example, if "Perform ELS Single Sign-On as Restricted Administrator" is the highest
permission granted to the user, restricted administrator account must be enabled in the ENC-
ELS SSO settings to have restricted administrator privileges. The system grants all five
permissions only to the administrator account, by the default. All other users have only "Perform
ELS Single Sign-On as Read" permission enabled. The administrator sets permissions and
corresponding user roles in the Security Manager. To open the Security Manager, in the
Ensemble Controller application bar Settings menu, select Security, and then Security Manager.
For more information about user roles and allocated privileges, see the Administrator Manual,
Roles and Allocated Actions.
ELS SSO operates independently from authentication and authorization methods used to log in
to Ensemble Controller. Therefore, you can use ELS SSO alongside Ensemble Controller Local,
RADIUS, TACACS+ and LDAP authentication and authorization methods.

Requirement to Configure ENC-ELS Single Sign-On Connection 240

Procedure to Configure ENC-ELS Single Sign-On Connection 241

Requirement to Configure ENC-ELS Single Sign-On

Connection
In the fnm.properties file, located in the Ensemble Controller installation directory, edit these
properties to specify the main and backup license server GUI URL:

Ensemble Controller R15.3 Administrator Manual - Issue: A 240

Adtran Configuring Ensemble Controller

l com.adva.fnm.option.elsgui.ipaddress
l com.adva.fnm.option.backupElsgui.ipaddress

For information about how to edit the fnm.properties file, see Editing the fnm.properties File.

Procedure to Configure ENC-ELS Single Sign-On

Connection
1. In the Ensemble Controller Settings, select System-> Licensing and ELS-> ENC-ELS Single
Sign-On Settings. The ENC-ELS Single Sign-On Settings window opens.
2. Enable SSO connection using administrator account, if required:

l Select Enable Admin SSO.

l Enter username and password.
l To test the connection, click Test Admin ELS Connection.
o If the test is successful, go to the next step.
o If the test fails, make sure that you enter the correct credentials and retest.

l Click OK to save.

3. Enable SSO connection using restricted administrator account, if required:

l Select Restricted Admin SSO.

l Enter username and password.
l To test the connection, click Test Restricted Admin ELS Connection.
o If the test is successful, go to the next step.
o If the test fails, make sure that you enter the correct credentials and retest.

l Click OK to save.

Restrict User Management field is displayed for information only.

4. Enable SSO connection using read account, if required:

l Select Enable Read SSO.

l Enter username and password.
l To test the connection, click Test Read ELS Connection.
o If the test is successful, go to the next step.
o If the test fails, make sure that you enter the correct credentials and retest.

l Click OK to save.

Ensemble Controller R15.3 Administrator Manual - Issue: A 241

Adtran Configuring Ensemble Controller

Configuring Operations from the

fnm.properties File
This chapter discusses the operations that you configure in the fnm.properties file.

Editing the fnm.properties File 242

Enabling the Login or Post-Login Dialog Box Message 244
Setting Up RADIUS Authentication 246
Setting Up TACACS+ Authentication 249
Setting Up LDAP Authentication 252
Using Multiple Network Interfaces for Communication 255

Editing the fnm.properties File

To customize the Ensemble Controller Server, you can edit the appropriate properties in the
fnm.properties file. This file is located in the Ensemble Controller installation directory.
Figure 16 gives an overview of the fnm.properties file.
The syntax for the properties is: com.adva.fnm.option.<parameter name>=<parameter
value>. The properties that you can customize, are organized in sections.
l Lines that begin with the symbol #, are either comments or disabled properties, and do not
affect the Ensemble Controller Server.
l Lines that do NOT begin with the symbol #, are enabled properties that include a value.
Enabled properties affect the Ensemble Controller Server.

Each property is also briefly described in the fnm.properties file.

Ensemble Controller R15.3 Administrator Manual - Issue: A 242

Adtran Configuring Ensemble Controller

Figure 16: fnm.properties File Example

Complete these steps to edit the fnm.properties file:

1. Open the fnm.properties file on the relevant Ensemble Controller Server using a text editor,
for example, WordPad on Windows or Linux.
2. Use one of these options to customize the relevant properties:
l To enable the property, delete the initial # at the beginning of the line.
l To disable a property, add # at the beginning of the line.
l Change an enabled property value.
See the appendix > Server Property Overview for more information about the supported
properties.
3. Save and close the fnm.properties file.
4. Restart the Ensemble Controller Server, as described in Starting the Ensemble Controller
Server.

Ensemble Controller R15.3 Administrator Manual - Issue: A 243

Adtran Configuring Ensemble Controller

Enabling the Login or Post-Login Dialog Box

Message
In the fnm.properties server file, you can enable login and post-login messages.
The fnm.properties file is located in the Ensemble Controller (ENC) installation directory
C:\Program Files\ADVA Optical Networking\FSP Network Manager.
See these topics for more information about these messages and how you can enable them:

Login Dialog Box Message 244

Post-Login Dialog Box Message 245

Login Dialog Box Message

When enabled, the login message displays in the Login dialog box for each Ensemble Controller
Client connecting to the server as illustrated here:

The first time the Ensemble Controller Client displays the Login dialog box, it does not display
any configured message. This is because the client has not yet established contact with the
server and thus has not yet access to the message.
After the first login, the Ensemble Controller Client stores the message in its cache. All
subsequent logins will display the message until you change or remove it.
If you change a message on the server, the Ensemble Controller Client Login dialog box will not
show the new message for the first login after the change. This is again because the client has
not yet established contact with the server and thus has not yet stored the new message in its
cache.
To enable the login message, do as follows:
1. Open the fnm.properties file on the relevant server using a text editor, for example WordPad.
2. Search (Ctrl + f) for the parameter
com.adva.fnm.option.server_welcome_text
3. Enable the parameter by deleting the initial number sign <#> at the beginning of the line.
4. As appropriate, change the default text to what is to be displayed in the Login dialog box.
For example:

Ensemble Controller R15.3 Administrator Manual - Issue: A 244

Adtran Configuring Ensemble Controller

com.adva.fnm.option.server_welcome_text=Welcome to this session.

5. Save and close the fnm.properties file.
For more information about editing the fnm.properties file, see Editing the fnm.properties File.

Post-Login Dialog Box Message

In the fnm.properties file, you can enable the post-login message. After you log in to the
Ensemble Controller Client, the message displays as shown:
Figure 17: Post-Login Dialog Box with Example Message

If the text has many lines and spreads beyond the border of the dialog box, you can use the
scroll bar or resize the dialog box to see the complete text.
Complete these steps to enable the post-login message:
1. Open the fnm.properties file on the relevant server using a text editor, for example WordPad.
2. Use Ctrl + f to search for the property
com.adva.fnm.option.server_postLogonText
3. To enable the property, delete the initial number sign <#> at the beginning of the line.
4. As appropriate, change the default text to what you want Ensemble Controller to display in
the post-login dialog box. The text is unlimited, which means you can add as many lines as
appropriate. For a better overview, you can use these optional elements to structure the text:
l To separate lines and to indicate that the text continues, use \ backslashes.
Consequently, do NOT add a backslash to the end of the last line.

Ensemble Controller R15.3 Administrator Manual - Issue: A 245

Adtran Configuring Ensemble Controller

l To wrap lines, use \n\ as this example shows:

See Figure 17 for how this text is presented in the post-login dialog box.

5. Save and close the fnm.properties file.

For more information about how to edit the fnm.properties file, see Editing the fnm.properties
File.

Setting Up RADIUS Authentication

Ensemble Controller supports the remote access dial-in service (RADIUS) protocol based on
RFC2865 for centralized authentication.
RADIUS allows authentication of users by communicating with a central server. The server
maintains the user profiles in a central database, and RADIUS automatically recognizes the
properties that are assigned to each RADIUS user. Each user needs only one user name and one
password for all network elements.
To use RADIUS authentication with Ensemble Controller,prepare as follows:
l Configure one or up to three RADIUS servers to support Ensemble Controller, and then specify
the relevant user accounts with corresponding Ensemble Controller group memberships.
l Configure Ensemble Controller with the RADIUS servers, host addresses, and the RADIUS server
shared secret passwords.

For information about how to configure the RADIUS shared secret passwords, see Setting
Authentication Parameters.

Configuring an External RADIUS Server 246

Configuring the RADIUS Server Access in Ensemble Controller 247
Configuring the RADIUS Server Timeout 247
RADIUS Access-Challenge 248

Configuring an External RADIUS Server

In order to use RADIUS authentication, a RADIUS server has to be configured. An example of a
RADIUS server is FreeRADIUS, a free RADIUS server (see www.Freeradius.org).
1. Register the ADVA vendor ID 2544.
2. Register an attribute with ID 101 (ADVA-User-Groups) as an ADVA-vendor attribute of type
string. This table shows a FreeRADIUS dictionary example:

Ensemble Controller R15.3 Administrator Manual - Issue: A 246

Adtran Configuring Ensemble Controller

VENDOR ADVA 2544

ATTRIBUTE ADVA-User-Groups 101 string ADVA

3. For each user account that you want to log in to Ensemble Controller, create the Adva-User-
Groups attribute.
4. For each user account that you want to log in to Ensemble Controller, assign a value to the
Adva-User-Groups.
The value must be a comma separated list of the Ensemble Controller user group names
that the user account is to be a member of.

Configuring the RADIUS Server Access in Ensemble

Controller
1. In the relevant Ensemble Controller Server, open the fnm.properties file. Use a text editor, for
example WordPad. The fnm.properties file is located in the Ensemble Controller installation
directory C:\Program Files\ADVA Optical Networking\FSP Network Manager (for Windows).
2. In the fnm.properties file, search for these host properties according to the number of
servers that you want to configure:
l 1st server: com.adva.fnm.option.radiushost
l 2nd server: com.adva.fnm.option.radiushost2
l 3rd server: com.adva.fnm.option.radiushost3
3. Remove the number sign # in front of the property to enable it for the respective RADIUS
server that you want to configure.
4. Replace the IP address after the equal sign = with the IP address of your RADIUS server host.
5. Save the file.
6. Search for these port properties of the servers that you enabled in Step 2:
l 1st server: com.adva.fnm.option.radiusport
l 2nd server: com.adva.fnm.option.radiusport2
l 3rd server: com.adva.fnm.option.radiusport3
7. Remove the number sign # in front of the property to enable it for the respective RADIUS
server that you want to configure. Ensemble Controller listens on this RADIUS server host port.
By default this port is set to 1812.
8. If relevant, change the port number of the RADIUS server host that Ensemble Controller is to
listen to.
9. Save the file.
10. Set the server timeout as described in Configuring the RADIUS Server Timeout.

Configuring the RADIUS Server Timeout

The RADIUS server timeout controls the time after which Ensemble Controller attempts to reach
another server for authentication if the previous server is not available.
RADIUS authentication takes place sequentially as described here:
Ensemble Controller R15.3 Administrator Manual - Issue: A 247
Adtran Configuring Ensemble Controller

1. Try first RADIUS server if configured.

2. Try second RADIUS server if configured.
3. Try third RADIUS server if configured.
4. Authenticate locally.

To change the timeout values, complete these steps:

1. In the relevant Ensemble Controller Server, open the fnm.properties file. Use a text editor, for
example WordPad. The fnm.properties file is located in the Ensemble Controller installation
directory C:\Program Files\ADVA Optical Networking\FSP Network Manager (for Windows).
2. In the fnm.properties file, search for these timeout properties according to the number of
servers that you want to configure:
l 1st server: com.adva.fnm.option.radiustimeout
l 2nd server: com.adva.fnm.option.radiustimeout2
l 3rd server: com.adva.fnm.option.radiustimeout3
3. Remove the number sign # in front of the property to enable it for the respective RADIUS
server that you want to configure. The default timeout is set to 8 seconds per server.
4. If relevant, change the default timeout value for the respective RADIUS server. Type a new
value after the equal sign =.
The total value of timeouts that you can configure for all RADIUS servers
must NOT exceed 60 seconds.

5. Save the file.

RADIUS Access-Challenge
This section provides one example method of how you can use the RADIUS access-challenge
during login. The other methods are not in the scope of the Ensemble Controller user
documentation.

Logging In Through One-Time-Password

To log into Ensemble Controller, you can use an RSA SecurID token to create a one-time-
password (OTP). For information about the regular Ensemble Controller login procedure, see
Logging Into the Ensemble Controller Client.

If you use OTP to log in, you cannot connect to multiple Ensemble Controller
Servers anymore. For more information about how to connect to multiple
Ensemble Controller Servers, see Enabling a Connection of One Ensemble
Controller Client to Multiple Servers.

The first time that you use the RSA SecurID token, you have to specify the PIN as this example
shows:

Ensemble Controller R15.3 Administrator Manual - Issue: A 248

Adtran Configuring Ensemble Controller

After you set the PIN, you can log into Ensemble Controller through OTP.

Setting Up TACACS+ Authentication

Ensemble Controller supports the Cisco terminal-access controller access-control system
(TACACS+) protocol for centralized authentication.
TACACS+ allows authentication of users by communicating with a central server. The server
maintains the user profiles in a central database, and TACACS+ automatically recognizes the
properties that are assigned to each TACACS+ user. Each user needs only one user name and
one password for all network elements.
To use TACACS+ authentication with Ensemble Controller, prepare as follows:
l Configure one or up to three TACACS+ servers to support Ensemble Controller, and then
specify the relevant user accounts with corresponding Ensemble Controller group
memberships.
l Configure Ensemble Controller with the TACACS+ servers, host addresses, and the TACACS+
server shared secret passwords.

For information about how to configure the TACACS+ shared secret passwords, see Setting
Authentication Parameters.

Configuring an External TACACS+ Server 249

Configuring the TACACS+ Server Access in Ensemble Controller 250
Configuring the TACACS+ Server Timeout 251

Configuring an External TACACS+ Server

To use TACACS+ authentication, you must configure a TACACS+ server. Complete these generic
steps to configure a TACACS+ server in Linux.
1. Open the configuration file /etc/tacacs+/tac_plus.conf.
The file displays comments as indicated in this example:

Ensemble Controller R15.3 Administrator Manual - Issue: A 249

Adtran Configuring Ensemble Controller

# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)

# See man(5) tac_plus.conf for more details
# Define where to log accounting data, this is the default.
accounting file = /var/log/tac_plus.acct
# This is the key that clients have to use to access Tacacs+
key = testing123

2. To create a new user, add these commands:

user = <login name> {
pap = cleartext ChgMeNOW

service = fspnm {
Adva-User-Groups = Administrator
}
}

If a user already exists, this message displays:

user = <existingUser> {
pap = cleartext <secretPassword>

...
}

3. To add a new service to the existing user, add these commands:

service = fspnm {
Adva-User-Groups = Administrator
}

Finally, the configuration message for an existing user displays:

user = <existingUser> {
pap = cleartext <secretPassword>

...

service = fspnm {
Adva-User-Groups = Administrator
}
}

Configuring the TACACS+ Server Access in Ensemble

Ensemble Controller R15.3 Administrator Manual - Issue: A 250

Adtran Configuring Ensemble Controller

2. In the fnm.properties file, search for these host properties according to the number of
servers that you want to configure:
l 1st server: com.adva.fnm.option.tacacshost1
l 2nd server: com.adva.fnm.option.tacacshost2
l 3rd server: com.adva.fnm.option.tacacshost3
3. Remove the number sign # in front of the property to enable it for the respective TACACS+
server that you want to configure.
4. Replace the IP address after the equal sign = with the IP address of your TACACS+ server
host.
5. Save the file.
6. Search for these port properties of the servers that you enabled in Step 2:
l 1st server: com.adva.fnm.option.tacacsport1
l 2nd server: com.adva.fnm.option.tacacsport2
l 3rd server: com.adva.fnm.option.tacacsport3
7. Remove the number sign # in front of the property to enable it for the respective TACACS+
server that you want to configure. Ensemble Controller listens on this TACACS+ server host
port. By default this port is set to 49.
8. If relevant, change the port number of the TACACS+ server host that Ensemble Controller is
to listen to.
9. Save the file.
10. Set the server timeout as described in Configuring the TACACS+ Server Timeout.

Configuring the TACACS+ Server Timeout

The TACACS+ server timeout controls the time after which Ensemble Controller attempts to
reach another server for authentication if the previous server is not available.
TACACS+ authentication takes place sequentially as described here:
1. Try first TACACS+ server if configured.
2. Try second TACACS+ server if configured.
3. Try third TACACS+ server if configured.
4. Authenticate locally.

To change the timeout values, complete these steps:

1. In the relevant Ensemble Controller Server, open the fnm.properties file. Use a text editor, for
example WordPad. The fnm.properties file is located in the Ensemble Controller installation
directory C:\Program Files\ADVA Optical Networking\FSP Network Manager (for Windows).
2. In the fnm.properties file, search for these timeout properties according to the number of
servers that you want to configure:
l 1st server: com.adva.fnm.option.tacacstimeout1
l 2nd server: com.adva.fnm.option.tacacstimeout2
l 3rd server: com.adva.fnm.option.tacacstimeout3
3. Remove the number sign # in front of the property to enable it for the respective TACACS+
server that you want to configure. The default timeout is set to 8 seconds per server.

Ensemble Controller R15.3 Administrator Manual - Issue: A 251

Adtran Configuring Ensemble Controller

4. If relevant, change the default timeout value for the respective TACACS+ server. Type a new
value after the equal sign =.
The total value of timeouts that you can configure for all TACACS+ servers
must NOT exceed 60 seconds.

5. Save the file.

Setting Up LDAP Authentication

Ensemble Controller supports the Lightweight Directory Access Protocol (LDAP), specifically
LDAPv3 for centralized authentication.
LDAP authenticates users by communicating with a central server. The server maintains user
profiles in a tree-structured directory, which is described in Basics About the LDAP Server
Directory Structures. After you assign properties to each LDAP user, LDAP is automatically aware
of these properties. Because the centralized directory maintains each user’s properties, you do
not need to define each user with a local account in Ensemble Controller.
To use LDAP authentication with Ensemble Controller, prepare as follows:
1. Configure one or up to three LDAP servers to support Ensemble Controller. Then populate the
directory with user accounts and group memberships that correspond to the Ensemble
Controller security groups. These options are available to represent Ensemble Controller
group information in the directory:

Group Management Option Description

advaUserGroups Lists the group names of a user in a string

attribute.

memberOf Uses the native directory group objects to

represent the group membership.

2. Configure the Ensemble Controller access and directory properties for the LDAP servers and
the LDAP server shared secret passwords.

For information about how to configure the LDAP shared secret passwords, see Setting
Authentication Parameters.

Configuring Access to the LDAP Server 252

Configuring the LDAP Server Timeout 253
Changing the Default Security Protocol 254

Configuring Access to the LDAP Server

1. In the relevant Ensemble Controller Server, use a text editor such as WordPad to open the
fnm.properties file. If your PC is running Windows, the fnm.properties file is located in the

Ensemble Controller R15.3 Administrator Manual - Issue: A 252

Adtran Configuring Ensemble Controller

Ensemble Controller installation directory C:\Program Files\ADVA Optical Networking\FSP

Network Manager.
2. In the fnm.properties file, search for these host properties according to the number of
servers that you want to configure:
l 1st server: com.adva.fnm.option.ldaphost1
l 2nd server: com.adva.fnm.option.ldaphost2
l 3rd server: com.adva.fnm.option.ldaphost3
3. At the beginning of each property name, remove # to enable the property for the respective
LDAP server that you want to configure.
4. Replace the IP address after = with the IP address of your LDAP server host.
5. Save the file.
6. Search for these port properties of the servers that you enabled in Step 2:
l 1st server: com.adva.fnm.option.ldapport1
l 2nd server: com.adva.fnm.option.ldapport2
l 3rd server: com.adva.fnm.option.ldapport3
7. At the beginning of the property name, remove # to enable the property for the respective
LDAP server that you want to configure. Ensemble Controller listens from this LDAP server host
port, number 389 by default.
8. If relevant, change the port of the LDAP server host that you want Ensemble Controller to
listen to. According to the port that you specify, Ensemble Controller automatically uses a
standard security protocol that you can change if the port supports that change. This table
shows the options:

Ports Default Security Protocol Optionally Change to

636 LDAPS

389, the default StartTLS Unencrypted

Non-Standard port LDAPS or Unencrypted

For information about the default protocols and how to change them, see Changing the
Default Security Protocol.
9. Save the file.
10. Set the server timeout as described in Configuring the LDAP Server Timeout.

Configuring the LDAP Server Timeout

The LDAP server timeout controls the length of time that Ensemble Controller attempts to reach
another server for authentication, if the previous server is unavailable.
LDAP authentication occurs sequentially:
1. Try the first LDAP server if configured.
2. Try the second LDAP server if configured.

Ensemble Controller R15.3 Administrator Manual - Issue: A 253

Adtran Configuring Ensemble Controller

3. Try the third LDAP server if configured.

4. Authenticate locally.

Complete these steps to change the timeout values:

1. In the relevant Ensemble Controller Server, use a text editor such as WordPad to open the
fnm.properties file. If your PC runs Windows, the fnm.properties file is located in the Ensemble
Controller installation directory C:\Program Files\ADVA Optical Networking\FSP Network
Manager.
2. In the fnm.properties file, search for these timeout properties according to the number of
servers that you want to configure:
l 1st server: com.adva.fnm.option.ldaptimeout1
l 2nd server: com.adva.fnm.option.ldaptimeout2
l 3rd server: com.adva.fnm.option.ldaptimeout3
3. At the beginning of the property name, remove # to enable it for the respective LDAP server
that you want to configure. The default timeout is 8 seconds per server.
4. If relevant, change the default timeout value for the respective LDAP server. Type a new
value after =.
The total value of timeouts that you can configure for all LDAP servers must
be less than or equal to 60 seconds.

5. Save the file.

Changing the Default Security Protocol

The LDAP server port that you specify automatically uses a standard security protocol. See
Configuring Access to the LDAP Server. If you can change the port settings, shown in this table,
you can change the default protocol for the selected LDAP server port.

Table 12: Default Protocols for the Selected LDAP Server Port
LDAP Server Ports Default Security Protocol Optionally Change to

636 LDAPS: SSL tunnel encryption with simple

authentication.

389, the default StartTLS: TLS encryption with simple Unencrypted

authentication.
Non-standard LDAPS or Unencrypted
port

1. In the relevant Ensemble Controller Server, open the fnm.properties file in a text editor, such
as WordPad. The fnm.properties file on a PC running Windows is located in the Ensemble
Controller installation directory C:\Program Files\ADVA Optical Networking\FSP Network
Manager.
2. In the fnm.properties file, search for these security protocol properties according to the
number of servers that you want to configure:

Ensemble Controller R15.3 Administrator Manual - Issue: A 254

Adtran Configuring Ensemble Controller

l 1st server: com.adva.fnm.option.ldapsecprot1

l 2nd server: com.adva.fnm.option.ldapsecprot2
l 3rd server: com.adva.fnm.option.ldapsecprot3
3. At the beginning of the property name, remove # to enable the property for the respective
LDAP server that you want to configure. The software sets the default security protocol to
StartTLS.
4. If relevant, after =, change the security protocol for the respective LDAP server. See Table 12
for information about the supported ports and their protocols.
5. Save the file.

Using Multiple Network Interfaces for

Communication
Complete the steps in this procedure to configure the Ensemble Controller Server to use
multiple network interfaces for communication.

Prerequisites to Use Multiple Network Interfaces 255

Configuring Multiple Network Interfaces 256

Prerequisites to Use Multiple Network Interfaces

If you want the Ensemble Controller Server (ENC Server) to use two (or multiple) network
interfaces for communication you must configure the interfaces. One interface communicates
with the network elements, and the other one with the ENC Server client machines.
The user that configures the server must be logged on with system administrator rights and be
aware of the IP address that belongs to the respective network interface.
This procedure uses the IP address 10.0.119.50 for the interface facing the network elements, and
10.31.66.67 for the interface facing the network, where the Ensemble Controller Server clients are
connected, as shown in Figure 18.

Ensemble Controller R15.3 Administrator Manual - Issue: A 255

Adtran Configuring Ensemble Controller

Figure 18: IPCONFIG of Communication Interfaces

Configuring Multiple Network Interfaces

Complete these steps to specify IP addresses for the Ensemble Controller Server that is
provided with several IP interfaces.
To specify the IP addresses, you edit the respective properties in the fnm.properties file. The
fnm.properties file is located in the Ensemble Controller installation directory, which is for
example C:\Program Files (x86)\ADVA Optical Networking\FSP Network Manager for a Windows
operating system.
For more information about the fnm.properties file and how to edit it, see Editing the
fnm.properties File.

Ensemble Controller R15.3 Administrator Manual - Issue: A 256

Adtran Configuring Ensemble Controller

1. In the fnm.properties file, navigate to these properties:

Properties Description

com.adva.fnm.option.serverIP For communication from the

server to the client, and from
the server to the server.

com.adva.fnm.option.trapsink For SNMP trap registrations. The

property supports only IPv4
addresses or host names. Type
a trapsink IP address that faces
network elements.

com.adva.fnm.option.trapsinkport The port that the server uses

for SNMP trap notifications. The
default is 162. If you do not
define a port, the system uses
the default.

com.adva.fnm.option.trapsink.ip6 For SNMP trap registrations. The

property supports only IPv6
addresses. Local link addresses
are not accepted.

com.adva.fnm.option.trapsink.IpValidationEnabled To enable the property, set it to

true. After you enable it, the
system validates the trapsink
IPv4 and IPv6 addresses to
verify whether they belong to
the system. The validation
process takes place during
server restart.

com.adva.fnm.option.snmpProviderHost For Element Manager SNMP

communication. Type an IP
address that faces Ensemble
Controller Server clients.

com.adva.nlms.mediation.mtosi.hostName Displays in MTOSI responses.

com.adva.fnm.option.snmpNBISource You can configure Ensemble

Controller to transmit SNMP
northbound interface (NBI)
traps. If configured, the
software reports the source IP
address that you specify with
this property as varbind within
the event.

2. To enable the properties, delete the initial number sign (#) at the beginning of each line.

Ensemble Controller R15.3 Administrator Manual - Issue: A 257

Adtran Configuring Ensemble Controller

3. To specify an appropriate IP address for each property, replace the given value after the
equal sign (=).
4. Use these commands to restart the Ensemble Controller Server:

a. StopServer.bat
b. StartServer.bat
For more information about how to stop and restart the Ensemble Controller Server
according to your operating system, see the relevant topic:
l Stopping the Ensemble Controller Server
l Starting the Ensemble Controller Server

Script or Command-based
Operations
This chapter discusses operations that require scripts or commands to be configured in
Ensemble Controller.

Enabling IPv6 258

Setting the Server Time Zone 259
Setting the Shared Buffer Size 261
Using Customer Certificates 261
Adapting the jms.properties File to the New Password 264
Adapting the Ensemble Controller Server to the New Password 264
Keystore and Private Key Password Encryption 265
Updating the Keystore and Defining a New Passphrase 267
Changing the Maximum User Processes Property in Linux 268
Creating Configuration File Templates for Ethernet Devices 269

Enabling IPv6
For IPv6 to be used with respect to Ensemble Controller (ENC), you must specify an IP alias
according to the operating system (OS):
l For Windows, specify the IP alias in c:\Windows\System32\drivers\etc\hosts.
l For Linux, specify the IP alias in /etc/hosts.

Upon next login to the Ensemble Controller Client, you must use the defined alias (not IPv6 in
numeric format).
When connecting to a remote Ensemble Controller Server (not the one installed locally), you
must specify the aliases on both, the Ensemble Controller Server system and the system where
the Ensemble Controller Client is located.

Ensemble Controller R15.3 Administrator Manual - Issue: A 258

Adtran Configuring Ensemble Controller

However, if you use a real IPv6 environment with a domain name system (DNS), then any
configuration of the network is done automatically and there is no need to set aliases manually
to be able to use IPv6.

Setting the Server Time Zone

Complete these steps to set a time zone for the Ensemble Controller Server (ENC Server). This
can be useful if the server is located in a different time zone than the clients to which it is
connected or if the operating system where the Server runs, displays an undesirable time zone
name. After you set a time zone, the Ensemble Controller Server ignores the time zone settings
of its operating system.
You can also set time zones for the Ensemble Controller Clients. For information about how to
set Ensemble Controller Client time zones, see Setting the Client Time Zone.
See the appropriate topic for your operating system:

In a Windows Operating System 259

In a Linux Operating System 260

In a Windows Operating System

1. Stop the Ensemble Controller Server.
2. Navigate to the fspnm.vmoptions file located in:
ENC Installation Directory/fspnm.vmoptions
3. Add the property -Duser.timezone=<time zone> as indicated in this example:

4. Make sure that you write the <time zone> string exactly as given in the Ensemble Controller
Client Server Preferences Time Zone ID field. Look it up again if necessary:

Ensemble Controller R15.3 Administrator Manual - Issue: A 259

Adtran Configuring Ensemble Controller

5. Save the fspnm.vmoptions file.

6. Double-click the SetVMOptions.bat file located in:
ENC Installation Directory/SetVMOptions.bat
7. Restart the Ensemble Controller Server.

In a Linux Operating System

1. Stop the Ensemble Controller Server.
2. Navigate to the fnm.server file located in: /opt/adva/fsp_nm/bin/fnm.server
3. Add the property -Duser.timezone=<time zone> as indicated in this example:
$JAVASRV -Xmx6000M -XX:MaxPermSize=192m -Djava.awt.headless=true -
Djava.endorsed.dirs=lib/endorsed -javaagent:lib/aspectjweaver.jar -
Djavax.net.ssl.keyStore=activemq/conf/client.ks -
Djavax.net.ssl.keyStorePassword=ChgMeNOW -
Djavax.net.ssl.trustStore=activemq/conf/client.ts -
Djava.util.logging.config.file=./celtixlogging.properties -Duser.timezone=UTC
com.adva.nlms.mediation.Launcher >
/opt/adva/fsp_nm/var/log/mediation-start.log 2>&1 &
4. Make sure that you write the <time zone> string exactly as given in the Ensemble Controller
Client Server Preferences Time Zone ID field. Look it up again if necessary:

Ensemble Controller R15.3 Administrator Manual - Issue: A 260

Adtran Configuring Ensemble Controller

5. Save the fnm.server file.

6. Restart the Ensemble Controller Server.

Setting the Shared Buffer Size

Use this procedure to change the shared buffer size value:
1. Shutdown FSP Mediation server.
2. Shutdown PostgreSQL database server.
3. Edit this file to set shared buffer:
NM Installation Directory/postgres/data/postgresql.conf
4. Change:
shared_buffers = 3072MB
5. Change:
effective_cache_size = 3584MB
6. Save the file.
7. Start PostgreSQL database server.
8. Start the FSP Mediation server.

Using Customer Certificates

You can replace an existing certificate with a customer certificate in these three ways.
Ensemble Controller supports the PEM or X.509/DER formats.

Creating a Keystore and a Self-Signed Certificate 261

Generating a Certificate Signing Request and Signing the Certificate Externally 262
Creating the Key, Signing it Externally, and Bundling it as p12 Container 263

Creating a Keystore and a Self-Signed Certificate

Follow this procedure in order to use a self-signed certificate to identify the Ensemble Controller
(ENC).
1. Stop the Ensemble Controller Server as described in Stopping the Ensemble Controller
Server.
2. Remove the existing ssl-keystore file from the Ensemble Controller installation directory
<InstallLocation>\certs\fnmserver.ks.
3. Create and populate the keystore with a self-signed server certificate by going to the
<InstallLocation>\bin folder in the command line and running either command according to
your operating system:
l For Windows: createKeystore.bat
l For Linux: createKeystore
You will be prompted interactively for this information:

Ensemble Controller R15.3 Administrator Manual - Issue: A 261

Adtran Configuring Ensemble Controller

l A password for the keystore

You can use the default password “NeverChange” for the keystore. If you enter your own
password you must modify:
o The activemq\conf\jms.properties file with the new password as described in
Adapting the jms.properties File to the New Password.
–and–
o The Ensemble Controller Server with the new password as described in Adapting the
Ensemble Controller Server to the New Password.
l Your first and last name.
Important: You should enter the DNS name of the Ensemble Controller Server here.
l Your organizational unit, such as a department within your company
l Your company/ organization
l A city or locality
l A country code
l A password for the private key, nms-server-key that protects access to the generated
private key. You can use the default password “NeverChange” for the private key. If you
enter your own password you must modify:
o The activemq\conf\jms.properties file with the new password as described in
Adapting the jms.properties File to the New Password. It is required using the same
password for both keystore and privatekey.
–and–
o The Ensemble Controller Server with the new password as described in Adapting the
Ensemble Controller Server to the New Password.
The above information is used to construct the keystore and populate a default certificate
with CN=<DNS name>, OU=<organizational unit>, O=<company/organization>, L=<city>,
ST=<state>, C=<country>.
4. Restart the Ensemble Controller Server as described in Starting the Ensemble Controller
Server.

Generating a Certificate Signing Request and Signing the

Certificate Externally
Complete these steps to generate a certificate signing request (CSR) from the Ensemble
Controller Server (ENC Server) and sign the certificate externally.
1. Stop the Ensemble Controller Server as described in Stopping the Ensemble Controller
Server.
2. Create a keystore as described in Creating a Keystore and a Self-Signed Certificate.
3. Backup the created keystore by using the Ensemble Controller installation directory
<InstallLocation>\certs\fnmserver.ks.
4. Generate a CSR for the nms-server-key by going to the <InstallLocation>\bin folder in the
command line and running this command according to your operating system:

Ensemble Controller R15.3 Administrator Manual - Issue: A 262

Adtran Configuring Ensemble Controller

l For Windows: generateCSR.bat nms-server-key

l For Linux: generateCSR nms-server-key

5. Send the generated CSR located at <InstallLocation>\certs\nms-server.csr, to the

'Certificate Authority' (CA) for signing.
6. Copy all the certificates to <InstallLocation>\certs.
7. Go to the <InstallLocation>\bin folder in the command prompt.
8. Import the CA root certificate into the Ensemble Controller keystore by using this command
according to your operating system:
l For Windows: importCACertificate.bat ..\certs\rootca.crt nmsserver-root
l For Linux: importCACertificate ..\certs\rootca.crt nms-server-root

9. If necessary, import any intermediate certificates into the Ensemble Controller keystore by
using this command according to your operating system:
l For Windows: importCACertificate.bat ..\certs\intermediate.crt nms-server-imd
l For Linux: importCACertificate ..\certs\ intermediate.crt nms-serveri-imd

10. Repeat Step 9 if you have more intermediate certificates. Import it by using different alias
names: <nms-server-imd1> <nms-server-imd2>.
11. Import the signed certificate by using this command according to your operating system:
l For Windows: importSignedCertificate.bat <InstallLocation>\certs\nms-server.crt
l For Linux: importSignedCertificate <InstallLocation>\certs\nms-server.crt
Make sure that an original-created keystore file exists in
certs\fnmserver.ks because you import the signed certificate to the
original keystore.

12. Restart the Ensemble Controller Server as described in Starting the Ensemble Controller
Server.

Creating the Key, Signing it Externally, and Bundling it as

p12 Container
The customer can create a key with his own tools, sign it externally, and then has to bundle the
key and all the certificates (signed certificate, root certificate, intermediate certificates) as p12
container.
This procedure provides the steps of importing the key and all certificates from the container
into the keystore.
1. Stop the Ensemble Controller Server as described in Stopping the Ensemble Controller
Server.
2. Copy the p12 container to <InstallLocation>\certs.
3. Remove the existing ssl-keystore file from the Ensemble Controller installation directory
<InstallLocation>\certs\ fnmserver.ks.

Ensemble Controller R15.3 Administrator Manual - Issue: A 263

Adtran Configuring Ensemble Controller

4. Go to the <InstallLocation>\bin folder in the command line and run either command
according to your operating system:
l For Windows: importp12conainer.bat ..\certs\nmskey-container.p12
l For Linux: importp12conainer ..\certs\nmskey-container.p12
5. Answer these questions about:
l destination keystore password
l re-entering new password
l source keystore password
You can use the default password “NeverChange” for the keystore. This same password
will be assigned for the key when importing the container. If you enter your own password
you have to modify the activemq\conf\jms.properties file with the new password as
described in Adapting the jms.properties File to the New Password.

6. Restart the Ensemble Controller Server as described in Starting the Ensemble Controller
Server.

Adapting the jms.properties File to the New

If you change these parameters, restart the Ensemble Controller Server as described in Starting
the Ensemble Controller Server.

Adapting the Ensemble Controller Server to

the New Password
1. Stop the Ensemble Controller Server as described in Stopping the Ensemble Controller
Server.
2. In the Ensemble Controller certs installation directory, open the sec.properties file.

Ensemble Controller R15.3 Administrator Manual - Issue: A 264

Adtran Configuring Ensemble Controller

3. In the sec.properties file, locate these properties:

Properties Description

#javax.net.ssl.keyStorePassword Protects the keystore.

#javax.net.ssl.trustStorePassword

#org.eclipse.jetty.ssl.keypassword Protects the private key.

4. To enable the properties, delete the preceding #, and then edit them as shown in this
example:
javax.net.ssl.keyStorePassword=MyKeystorePassword
javax.net.ssl.trustStorePassword=MyKeystorePassword
org.eclipse.jetty.ssl.keypassword=MyPrivateKeyPassword
5. Save the sec.properties file.
6. Restart the Ensemble Controller Server as described in Starting the Ensemble Controller
Server.

Keystore and Private Key Password

Encryption
The passwords that you specify for the keystore and private key have to appear in certain
configuration files for Ensemble Controller (ENC) to access the keystore and private key at
runtime. These passwords can be in plain text or in encrypted form.

Encrypting Passwords or <text> 265

Adapting the jms.properties File to the Newly Encrypted Password 266
Adapting the Ensemble Controller Server to the Newly Encrypted Password 266

Encrypting Passwords or <text>

1. In the Ensemble Controller bin installation directory, double-click the encrypt_passphrase
file.
2. In the command line, type the passphrase as needed. Ensemble Controller encrypts the
passphrase and displays an output similar to this example:
Encrypted passphrase:AV5GHvebKNucKUoKIXLPELPXfHw74BEGE8U4JHWiLLNwrYpN
3. In the Ensemble Controller ...\activemq\conf installation directory, jms.properties file, add
the value of the encrypted password you generated in Step 1 to the keystore or private key
property name starting with ?. For example:
l For the keystore:
?keyStorePassword=AV5GHvebKNucKUoKIXLPELPXfHw74BEGE8U4JHWiLLNwrYpN

Ensemble Controller R15.3 Administrator Manual - Issue: A 265

Adtran Configuring Ensemble Controller

l For the private key:

?keystorekeypassword=AV5GHvf92TEx2vr60X7j9rXyFsWP+dqMZhZFKoV6sJ4zBSuU

Adapting the jms.properties File to the Newly Encrypted

Password
The Ensemble Controller ...\activemq\conf installation directory includes the jms.properties file
that you can use to adapt certain settings.
We recommend that you do not change the file settings, except if you must add new password
information.
To define encrypted passwords, the entries in the configuration file must be similar to the
example shown here. The question mark in the beginning of the line characterizes an encrypted
password.
?keyStorePassword=AV5GHvebKNucKUoKIXLPELPXfHw74BEGE8U4JHWiLLNwrYpN
?keystorekeypassword=AV5GHvf92TEx2vr60X7j9rXyFsWP+dqMZhZFKoV6sJ4zBSuU
You can modify the keystorepassword and keystorekeypassword, which are the variables with
the encrypted password.
If you change these parameters, restart the Ensemble Controller Server as described in Starting
the Ensemble Controller Server.

Adapting the Ensemble Controller Server to the Newly

Encrypted Password
1. Stop the Ensemble Controller Server as described in Stopping the Ensemble Controller
Server.
2. In the Ensemble Controller certs installation directory, open the sec.properties file.

3. In the sec.properties file, locate these properties:

Properties Description

#javax.net.ssl.keyStorePasswordEncrypted Protects the keystore.

#javax.net.ssl.trustStorePasswordEncrypted

#org.eclipse.jetty.ssl.keypasswordEncrypted Protects the private key.

4. To enable the properties, delete the preceding #, and then paste the encrypted
passphrases as shown in this example:

5. Save the sec.properties file.

6. Restart the Ensemble Controller Server as described in Starting the Ensemble Controller
Server.

Ensemble Controller R15.3 Administrator Manual - Issue: A 266

Adtran Configuring Ensemble Controller

Updating the Keystore and Defining a New

Passphrase
Complete these steps to update an existing keystore and change the passphrase either for the
private key or the keystore itself.

Command Definition 267

Procedure to Update the Keystore and Define a New Passphrase for the Private Key 267
Procedure to Define a New Passphrase for the Keystore 268

Command Definition
This table describes the type of commands included in the steps:

Command Definition Example

<<keytool>> The keytool l For Linux:

command /opt/adva/share/jre/bin/keytool
that comes l For Windows: C:\Program Files
with the (x86)\ADVA Optical Networking\FSP
installed Network Manager\jre64\bin\keytool
Ensemble
Controller.

<<fnmserver_ks_location>> The location of l For Linux: /opt/adva/fsp_

the keystore nm/certs/fnmserver.ks
that Ensemble l For Windows: C:\Program Files
Controller (x86)\ADVA Optical Networking\FSP
uses. Network
Manager\certs\fnmserver.ks

<<private_key_alias>> The alias of the nms-server-key

private key
that exists in
the keystore.

Procedure to Update the Keystore and Define a New

Passphrase for the Private Key
1. Find the keystore type and the private key alias in the existing keystore:
<<keytool>> -list -v -keystore <<fnmserver_ks_location>>
The result includes these attributes:

Ensemble Controller R15.3 Administrator Manual - Issue: A 267

Adtran Configuring Ensemble Controller

l Keystore type: The type of the current keystore.

l Alias name: The alias of the private key.

2. Decide on the step to follow according to the Keystore type value in the result:
l If the Keystore type is JKS, proceed with Step 3.
l If the Keystore type is PKCS12, you must transform it to JKS because PKCS12 does not
support the use of different passphrases to protect the keystore itself and a private key.
For more details, see https://bugs.openjdk.java.net/browse/JDK-8008292. Complete
these substeps:

a. Use this command to transform PKCS12 to JKS:

<<keytool>> -importkeystore -srckeystore <<fnmserver_ks_location>> -
srcstoretype pkcs12 -srcalias <<private_key_alias>> -destkeystore
<<fnmserver_ks_location>> -deststoretype jks

b. Type the passphrase that protects the existing keystore.

A warning message displays that the JKS keystore uses a proprietary format, and the
system backed up the old keystore.

3. Change the passphrase that protects the private key:

<<keytool>> -keypasswd -alias <<private_key_alias>> -keystore <<fnmserver_ks_
location>>

4. Type the passphrase that protects the existing keystore.

5. Type the new passphrase for the private key twice.

Procedure to Define a New Passphrase for the Keystore

1. Change the passphrase that protects the keystore:
<<keytool>> -storepasswd -keystore <<fnmserver_ks_location>>

2. Type the passphrase that protects the existing keystore.

3. Type the new passphrase twice.

Changing the Maximum User Processes

Property in Linux
You need to ensure that the Ensemble Controller Server, which is installed in a Linux operating
system, has a sufficient number of threads to run all the user processes. To verify this
requirement, you must change the max user processes property to correspond to the size of
network that you manage:

Ensemble Controller R15.3 Administrator Manual - Issue: A 268

Adtran Configuring Ensemble Controller

Each user process requires approximately 1 MB of memory in a 64-bit operating system. In other
words, if your physical system memory has sufficient capacity, increase the maximum user
processes value to 8192. Otherwise, calculate a lower value that the system memory can
support.

Creating Configuration File Templates for

Ethernet Devices
To create a template, an expert user modifies an existing text file in the way that it describes the
current configuration of an Ethernet device. The template consists of configuration commands
and tags that express parameterized attributes on the device. The tags and attributes are
nested and edited by specific syntax rules described in this section.
For a list of valid template examples, see the Ensemble Controller installation directory
...\Examples\ECM-Templates.
For information about how to use configuration file templates, see the Packet Management
Guide, Managing NE Configuration Files.

Design Objectives 269

Tag Set 270
Rules 280

Design Objectives
The template format is targeted to provide a concrete baseline on top of which the template
creator can have full flexibility to express all available commands, while enabling to specify
coherent representation blocks to allow for sufficient input windows that constitute a rich GUI-
driven Ethernet service manager.
This includes ordering and grouping capabilities, selection for omission of optional commands
and associated fragments of configuration.

Ensemble Controller R15.3 Administrator Manual - Issue: A 269

Adtran Configuring Ensemble Controller

The mixture of both the template contents and the input information provided by the operator
can be blended to create a valid output configuration file that can then be applied to the
denoted NE type devices.
The syntax given, addresses all syntax particularities such as multiple level configuration,
nested commands, and multiple argument parameters.
The template creator is provided the means to parameterize the presented forms that hold the
adjustable parts of the NE. Independent naming facilities are in place to allow for friendly and
expressive naming of groupings, subgroupings and individual parameters.
Furthermore, the template syntax and rules are very similar to XML and any prior XML knowledge
will make it easy to follow and understand the contents easily.

Tag Set
The available tags and attributes for the template syntax are:

tag1 Description
l attribute

template This is the root tag covering the overall template

structure.

header This is the first tag after the <template> tag and it
wraps up these tags identifying the template:
<neType>, <applyMode>, <version>, <summary>,
<category>, <comment>.

neType The NE type to which this template applies. Supported

values are:
l Multiple values allowed separated by commas.
l ANY indicates NE types not known to the Ensemble
Controller and templates that can be applied to
any NE respectively. To support future or unknown
NE types the contents of this tag are not necessarily
NE types known to the Ensemble Controller.

applyMode Determines the mode by which the template will be

applied to the NE. Valid values inside this tag are "Delta"
and "Complete".

1. For service configuration templates, no tag is included to specify the service type. the service type is
closely related to the NE type to which a given template can be applied. So, no further division takes place.
However, templates that configure certain service types, for example, EPL, EVPL for GE201 or GE206) can
normally be created and a hint for this can be given at the template name by the creator if needed.
Ensemble Controller R15.3 Administrator Manual - Issue: A 270
Adtran Configuring Ensemble Controller

tag1 Description
l attribute

version A numerical value indicating the version of the

template. For the current release, version 1.3 is
applicable. This tag is required to validate a template.

summary Short description of template, 200 characters max.

category Specifies template operation. Valid values are:

l Service Provisioning
l Bulk Configuration

comment A string that introduces a comment in the output

configuration file. A comment suppress fragment
commands, appends NE types where the
configuration file applies, and so on. Different device
types have different comment characters. If a
<command> tag is NOT provided in the template the
default '#' character is assumed.

fragment This tag groups NE commands that are outside a

<command> tag.

l block Defines an associate block. If the specified block is

checked for omission, the grouped commands are
also omitted from the generated output configuration
file, i.e., the grouped commands are commented out.

l resolveGlobalParams This attribute is optional and disabled (set to false) by

default. When enabled (set to true), all global
parameters found in the <fragment> tag are replaced
with the parameter value.

l neType Specifies the NE types for which the given code

fragment is generated. This allows to specify sections
per NE type and thus to handle CLI differences
between products.

command Defines the configurable part of a template. All

adjustable arguments are located inside a
<command> tag.

cli-command This tag is used for all template fragments, which need
to be conveyed to the configuration file unchanged.

tag1 Description
l attribute

block Located inside the <command> tag, this tag defines

blocks that contain parameters or groups of other
blocks.

l display Defines the title of the block in the GUI form.

l name Refers to a block from the block attribute of the param

tag and from the blockParent attribute of the block tag.

l blockParent Defines the parent block. A block can be nested inside

another. If parent attribute is NOT provided the block is
handled as a Top Level block.

l blockOrder Define the relative order of the container block in the

form. The lower the attribute value the higher this block
is placed on the form. If omitted, blockOrder defaults to
1. If more than one block is found with the same
blockOrder value on the same level, their relative order
is as entered on the template.

l blockOptionality Specifies if the whole block can be unchecked or not. If

unchecked, all the parameters and blocks inside the
block and associated fragments are omitted from the
output configuration file. If no blockOptionality
attribute is given the default value is false.

l expanded The 'expanded' and 'selected' attributes only find use

when the blockOptionality attribute is enabled (set to
true). Then in the GUI, the optional block can be expan-
ded or collapsed with the

l selected
and

icons, and selected or cleared.

param Located inside the <command> tag, it is the core tag of

the template.

l display Defines the label shown in the GUI form for this
parameter.

tag1 Description
l attribute

l name Defines the name of the variable including these

reserved ‘fnm’ values for special cases:
l fnm.neName - The configured NE name.
l fnm.neIpAddress - The configured NE IP address.
l fnm.serviceEnd - The AID of the entity, which is the
service end (flow or flowpoint). For PWE3 services,
this is treated as customer service end.
l fnm.trailServiceEnd - Used with PWE3 services, this is
the end flow on EBP ports.
l fnm.erp.trailServiceEnd - Used with ring services
and specifies the AID of the entity, which is the
service end.

l block A container block in which this parameter is shown in

the GUI form. Blocks group together a number of
parameters or other blocks visually on the form.

l optional Specifies if this parameter is optional. Valid values are

true or false.

l default Default value for the parameter.

l copyFrom This attribute specifies from which parameter a value

will be copied (either from this template, or an external
template) to replace the current parameter’s value. It
can contain the name of a different parameter, or the
same parameter.

l scope Defines the visibility of the parameter, either “local” to

the containing <command> in this template only, or
“global” and visible throughout this template and other
templates.

l conveyanceType With this attribute, a parameter can be “locked”, which

means that its value will be the same across all loaded
templates and its modification will only be possible on
the initial template containing the locked parameter.
This attribute is valid only when the attributes
copyFrom and name have the same value, and the
attribute scope is “global”.

tag1 Description
l attribute

l paramOrder Defines the relative ordering of the corresponding

parameter inside the block. The lower the attribute
value the higher the parm is placed on the form. If
omitted, parmOrder defaults to 1. If more than one
parm is found with the same parmOrder value on the
same level, their relative order is as entered on the
template.

l regexp Specifies the regular expression syntax that the

parameter value must use.
For example, an ESA Probe’s name can only contain
letters and numbers for a maximum length of 15
characters. To enforce this, the regular expression “[a-
zA-Z0-9]{1,15}” can be used.

type Located inside a <param> tag, it defines the parameter

type. Valid values are String, Integer, Enum or
Composite.

token Located inside the <param> tag, it provides all the

available values for an Enum type.

l display Defines the label used to show this token in the form.

l literal Defines the string used to describe this value in the

exported configuration file.

l function Defines the profile that is used to collect database

information and enables creating dynamic templates.
These profile keyword values are supported with
template version 1.3:
l fnm.db.policerProfile
l fnm.db.queueProfile
l fnm.db.aclProfile
l fnm.db.flowPointCpdProfile
These values are supported with template version 1.4:
l fnm.db.prioMapProfile
l fnm.db.priorityRateProfile
l fnm.db.rateProfile

tag1 Description
l attribute

l neType Specifies the NE types for which the token will be visible
as a choice in the graphical user interface (GUI) form.
This option is mostly used in these cases:
l Adjusting port representation between GE112 versus
GE114
l Showing different tag controls depending on the NE
type
l Showing different speeds depending on the NE type.
l And others ...

default Located inside a <param> tag, it contains a <function>

tag used to populate the default value for the
parameter.
For information about supported keywords, see
Supported <default> Keywords.

validate Located inside a <param> tag, it contains a <function>

tag used to validate the parameter’s current value.

function Located inside a <default> or <validate> tag, it defines

the operation that dynamically queries the database
or validates the parameter’s value. It contains zero or
more <arg> tags. This attribute is available with
template version 1.4.

l name The function’s action/operation. Valid values are

nextIndex, uniqueName.

l object The function target type. Valid values all begin with
fnm.db. and end with one of these: fp, mpFlow,
elineFlow, flow, erp, satop, md, ma, esa. An example is
fnm.db.mpFlow. In template version 1.4, all objects
support only the name nextIndex, but esa also
supports uniqueName.

arg Located inside a <function> tag, it has no attributes. Its

contents can be a String, Integer, or another
parameter using %.

tag1 Description
l attribute

substitution Located inside a <command> tag, it defines the exact

command syntax that will be exported to the output
configuration file; parametrized with the values
selected by the operator for the specified parameters.
The contents of a <substitution> tag are taken as one
sole command and exported in one line in the output
configuration file.
Only one <substitution> tag allowed per <command>
tag.

l suppressAllIfParamsAreNull Omits the literal part of the substitution tag's

command if its parameter values are all empty. Valid
values are true and false. Default value is false.

Supported <default> Keywords

The <default> tag supports these keywords:

Name Object Input args Return Meaning

args

nextIndex fnm.db.fp l slotIndex Integer Next available flow

l portIndex point index based on
the selected slot or
port.
l Range: [1..max]
l Applicable for:
FSP 150EG-X
FSP 150EG-Mx
Note:
To access FP on LAG
use these values:
l slotIndex=254
l portIndex=lagIndex

Name Object Input args Return Meaning

args

nextIndex fnm.db.mpFlow Integer Next available MP flow

index based on the
selected network
element.
l Range: [1..max]
l Applicable for:
FSP 150EG-X
FSP 150EG-Mx

nextIndex fnm.db.elineFlow Integer Next available Eline

flow index based on
selected network
element.
l Range: [1..max]
l Applicable for:
FSP 150EG-X
FSP 150EG-Mx

nextIndex fnm.db.flow l slotIndex Integer Next available flow

l portIndex index based on the
slot or port value.
l Range: [1..max]
l Applicable for:
FSP 150-GE[...]
FSP 150CC-XG[...]
FSP 150CCf-825
Note:
To access Flow on LAG
use these values:
l slotIndex=254
l portIndex=lagIndex

nextIndex fnm.db.erp Integer Next available ERP

index based on the
selected network
element.
l Range: [1..max]
l Applicable for:
FSP 150EG-X
FSP 150-GE[...]
FSP 150CC-XG[...]

Ensemble Controller R15.3 Administrator Manual - Issue: A 277

Adtran Configuring Ensemble Controller

Name Object Input args Return Meaning

args

nextIndex fnm.db.satop slotIndex Integer Next available SATOP

index based on the
slot value where the
PWE card is located.
l Range: [1..max]
l Applicable for:
FSP 150EG-X
FSP 150-GE[...]
FSP 150CC-XG[...]

nextIndex fnm.db.md Integer Next available MD

index based on the
selected network
element.
l Range: [1..max]
l Applicable for:
FSP 150EG-X
FSP 150-GE[...]
FSP 150CC-XG[...]
FSP 150CCf-825

nextIndex fnm.db.ma mdIndex Integer Next available MA NET

index based on the
selected MD index
value.
l Range: [1..max]
l Applicable for:
FSP 150EG-X
FSP 150-GE[...]
FSP 150CC-XG[...]
FSP 150CCf-825

Ensemble Controller R15.3 Administrator Manual - Issue: A 278

Adtran Configuring Ensemble Controller

Name Object Input args Return Meaning

args

nextIndex fnm.db.esa slotIndex Integer Next available ESA

index based on the
selected slot index.
l Range: [1..max]
l Applicable for:
FSP 150EG-X
FSP 150-GE[...]
FSP 150CC-XG[...]
FSP 150CCf-825
Note:
FSP 150EG-X always
has slotIndex=255,
which means that it is
not exposed in the
template.

uniqueName fnm.db.esa esaName Boolean Check if the used ESA

name is unique
across the network
element.
l True - CLI
generation can be
proceeded
l False - validation
message is shown
as tooltip -
Warning: Name
already in use.
Applicable for:
FSP 150EG-X
FSP 150-GE[...]
FSP 150CC-XG[...]
FSP 150CCf-825

fnm.db.elineFlow serviceName Uniqueness of

fnm.db.flow fnm.db.elineFlow and
fnm.db.flow is
applicable for FSP
150EG-Mx
where the name of
the service ide5ntifies
the object.

Ensemble Controller R15.3 Administrator Manual - Issue: A 279

Adtran Configuring Ensemble Controller

Rules
These rules must be observed to edit a template to a valid format.
1. All elements require a start tag and an end tag.
2. The root tag of a template is <template> embracing its content.
3. Inside the <template> tag can be one <header> and multiple <cli-command>, <command>
and <fragment> tags.
4. The <header> tag is the first tag after the <template> tag.
5. The <header> tag must contain <neType>, <category>, <applyMode>, <version> and
optionally <summary> and <comment>.
6. NE commands must be inside either a <cli-command> or <fragment> tag and are copied to
the output configuration file unchanged.
7. Each literal NE command must be in a separate line.
8. A <param> tag must be located inside a <command> tag.
9. A <param> tag requires the attributes <display>, <name> and <block>. Other attributes are
optional.
10. A <fragment> tag requires a <block> attribute.
11. A template requires exactly one <neType> tag inside the <header> tag. This element contains
one or more NE types to which this template applies, separated by commas. Alternatively,
the value "ANY" is valid. The case is ignored on those keywords.
12. All <neType> tags used in a template outside the <header> tag must be consistent with the
<neType> tag defined inside the <header> tag. No new types can be defined in the <neType>
tag outside the <header> tag.
13. Parameters with the same name in the same command cannot have the same <neType>
value defined as indicated in this example, which is invalid then:

14. For reserved parameters, which are the ones starting with "fnm", Rule Parameters with the
same name in the same command cannot have the same <neType> value defined as
indicated in this example, which is invalid then: applies as well for parameters in different
commands.

Ensemble Controller R15.3 Administrator Manual - Issue: A 280

Adtran Configuring Ensemble Controller

15. A template requires exactly one <category> tag inside of which one of these categories
must be given: Service Provisioning, Bulk Configuration.
16. A template of <category> Bulk Configuration requires the <applyMode> Delta.
17. A template requires exactly one <applyMode> tag.
18. Each template requires the <version> tag specifying the correct version number.
l With the Ensemble Controller release 8.2, the template versions 1.0 and 1.1 have been
supported.
l Ensemble Controller 8.4 additionally supports the template version 1.2.
l Ensemble Controller 9.1 additionally supports the template version 1.3.
l Ensemble Controller 9.2 additionally supports the template version 1.4.
19. A template can contain at most one <summary> tag.
20. A template summary must be at most 200 characters long.
21. The <neType>, <category>, <applyMode>, <version>, <summary>, <comment> and <fragment>
tags cannot include other tags or exist inside other tags.
22. The <optional> and <blockOptionality> attributes can be assigned the values true or false.
23. The order-related attributes <blockOrder> and <paramOrder> affect only the relevant
ordering of the different blocks and parameters inside the form. The ordering in the resulting
output configuration file will be dictated by the ordering in the source template.
24. The <blockOrder> and <paramOrder> attributes can take any value in the natural numbers
domain.
25. When using the <blockParent> attribute, the maximum allowed nesting depth of blocks is
five.
26. The values of the attributes cannot contain the " (double-quote) character.
27. The <name> attribute in the <param> and <block> tags cannot contain the space character.
28. The <name> attribute of a parameter must be unique inside a command. In the case of
global parameters the name must be unique in the whole document.
29. The reserved <param> names fnm.neName, fnm.neIpAddress, fnm.serviceEnd,
fnm.trailServiceEnd and fnm.erp.trailServiceEnd can exist at most once in a valid template
file.
30. With the <conveyanceType> attribute, a parameter can be “locked”, which means that its
value will be the same across all loaded templates and its modification will only be possible
on the initial template containing the locked parameter. This attribute is valid only when the
attributes <copyFrom> and <name> have the same value, and the attribute <scope> is
“global”.
31. If the <conveyanceType> attribute is not present, the default meaning is "not locked".
32. The optional <regexp> attribute can only be applied to <param> tags with the <type> ‘String’
or ‘Integer’. The <regexp> value must be a valid Java regular expression as defined in
http://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html.
33. All <param> tags require exactly one <type> tag.
34. The <type> tag requires one of these options: String, Integer, Enum or Composite.
35. If the <type> tag has the Enum value then the corresponding parameter requires at least
one <token> tag.
36. If the <param> tag is of type Enum, it cannot be locked. That is, the <conveyanceType>
attribute cannot be set to "locked".
37. A <token> tag can only be defined for a <param> tag of type Enum.

Ensemble Controller R15.3 Administrator Manual - Issue: A 281

Adtran Configuring Ensemble Controller

38. The <token> tag can contain the <function> attribute. If used, then the <function> attribute
must be the only attribute used by the <token> tag. For bulk configuration, the <function>
attribute is not available.
39. Only one <substitution> tag can exist inside a <command> tag.
40. A <substitution> tag can contain at most one literal command.
41. The content of the <substitution> tag can see a parameter value by concatenating the %
symbol with the value of the <name> attribute (%paramName) of the associated parameter
as this example indicates:
Example: To get the parameter value “admin-state unassigned”, the <substitution> tag
requires this string:
<substitution>admin-state %adminstate</substitution>
By using double underscores surrounding <name> attributes (__%paramName__), strings
can be combined as this example indicates:
Example: To get the parameter value “configure port eth_port-1-2”, the <substitution> tag
requires this string:
<substitution>configure port eth_port-__%lineCard__-__%accPort__</substitution>
The endpoints specified in the template have to match the device AIDs. For
example,

l GE201, GE201se, GE206, and GE206f have AIDs in the format Flow <shelf
Index>-<slot Index>-<port Index>-<flow Index>
l GE206V, XG210, and GE110 have AIDs in the format FLOW-<NE Index>-
<shelf Index>-<slot Index>-<port Index>-<flow Index>

Configuring Sync Assurance and the

Ensemble Fiber Director Server
Installing the Map Library in Linux 282
Installing and Configuring the Sync Assurance Application in Linux 284
Installing the Ensemble Fiber Director Server in Linux 308
Installing Ensemble Fiber Editor 310
Installing the Local Geographical Map-Tile Server in Linux 311
Ensemble Fiber Director Mobile Application 313

Installing the Map Library in Linux

Complete these steps to install the map library in a Linux operating system.
To install the map library, use the applicable information as follows:
l To use the Sync Assurance application, see Installing and Configuring the Sync Assurance
Application in Linux.
l To use the Ensemble Fiber Director Server, see Installing the Ensemble Fiber Director Server in
Linux.

Ensemble Controller R15.3 Administrator Manual - Issue: A 282

Adtran Configuring Ensemble Controller

l To use the Ensemble TAPI Agent, see the TAPI Integration Manual.
l To use a map-tile server, see Installing the Local Geographical Map-Tile Server in Linux.

Requirement to Install the Map Library

The map library supports these Red Hat Enterprise Linux operating system versions:
l 7.8, and 7.9
l 8.6, and 8.8

Procedure to Install the Map Library

See one of these sections according to the Ensemble Controller version, and then complete the
steps to install the map library:

Version 14.1 or Earlier

1. From the Ensemble Controller installation CD, copy the TAR file appropriate for your
Ensemble Controller version to a temporary directory:

Ensemble Controller Version TAR File

Up to 12.3. fiber-map-sys-libs-[...].tar

13.1 to 14.1 linux_client_lib_bundle-v[x.x.x].tar

2. Change the working directory to the one that you just created and unpack it, for example:
tar -xf linux_client_lib_bundle-v[x.x.x].tar
3. As a super-user, run the install.sh installation script, for example:
sudo ./install.sh
4. At the prompt, type y to start the installation process.
5. After a successful installation, you can remove the temporary directory.
6. Restart the Ensemble Controller Server as described in Starting the Ensemble Controller
Server.

Version 14.2 or Later

1. As a super-user, install the RPM file:
sudo yum install <rpm_name>.
Where <rpm_name> is a name from the list: libX11, libX11-common, libXau, libxcb, libXext,
libXScrnSaver, nspr, nss-softokn-freebl, nss-util.
2. At the prompt, type y to start the installation process.
3. Repeat these steps for all nine RPM files listed in step 1.

Ensemble Controller R15.3 Administrator Manual - Issue: A 283

Adtran Configuring Ensemble Controller

4. Restart the Ensemble Controller Server as described in Starting the Ensemble Controller
Server.

Installing and Configuring the Sync

Assurance Application in Linux
Complete this procedure to install a Sync Assurance application in:
l The Linux operating system where you also installed the Ensemble Controller Server.
–or–
l A different independent Linux system.

The Sync Assurance application does NOT yet support High Availability.
However, if Ensemble Controller uses high availability, you can install the Sync
Assurance application on any of the Ensemble Controller Servers that the
high-availability cluster includes. Also, you must then configure the Sync
Assurance application to communicate with all Ensemble Controller Servers
available in that high-availability cluster, as described in Connecting the Sync-
Assurance Applications with the Ensemble Controller.

You use the Sync Assurance application to provide synchronization monitoring and assurance
for the managed network. It includes these child assurance modules:
l GNSS Assurance: The GNSS module provides monitoring and assurance for GNSS services.
You need a GNSS Assurance service if you want to:
o View historical receivers and its satellites in the GNSS Assurance / Historical Map window.
o Perform GNSS installation acceptance tests.
o Perform long term analysis to identify or troubleshoot GNSS problems in your network.
For more information about the GNSS Assurance, see the Synchronization Management
Guide.
l PTP (Time And Phase) Assurance: The TPA module provides monitoring and assurance for
time and phase services. You need a PTP (Time And Phase) Assurance service if you want to:
o Monitor long term Syncjack test results (TIE data).
o Perform long term quality analysis over historical collected TIE data.
o Perform Online Quality Metrics analysis, and generate TCA alarms if configured thresholds
are crossed.
For more information about Syncjack testing and PTP Assurance, see the Synchronization
Management Guide.
l SNT (Streaming Network Telemetry): The SNT module is a service that allows collection and
storage of long-term performance monitoring data. It can efficiently collect near real time
PM data from up to 1000 supported OSA devices. The system collects PM data via streaming
telemetry protocol, for example gNMI, and uses API for PM data analysis. You need the SNT
service if you want to use the Timing Quality Compliance functionality of the Sync Assurance
application. For more information about SNT and Timing Quality Compliance, see the
Synchronization Management Guide.

Ensemble Controller R15.3 Administrator Manual - Issue: A 284

Adtran Configuring Ensemble Controller

Requirements to Install the Sync Assurance Application 285

Procedure to Install the Sync Assurance Application 286
Stopping the Sync Assurance Application 290
Starting the Sync Assurance Application 290
Health Check and Database Backup for Sync Assurance Applications 291
Automatic Database Backups 292
Restoring the Database from a Backup File 292
Connecting the Sync-Assurance Applications with the Ensemble Controller 298
Enabling Machine-Learning Based Alarms for GNSS 298
Creating Custom GNSS Scripts 298
Changing the Database Password of the Sync Assurance Applications 307
Configuring Streaming Network Telemetry Service 308

Requirements to Install the Sync Assurance Application

l The Sync Assurance and Ensemble Controller version numbers must be the same, for
example:
o Ensemble_Controller_for_Linux_v11.3.1-B6493.tar
– and –
o SyncAssurance_v11.3.1-B6493.tar.gz

l The Sync Assurance supports these Linux versions:

o 7.8 and 7.9
o 8.6 and 8.8

l You have super-user access.

l The SELinux status must be Permissive that is, SElinux = Permissive.
l You installed Docker CE 20.10.x, where x is 10 or later, on the destination system and created a
Docker swarm.
After you install Docker, you must NOT change the firewalld service status.

l If you nevertheless change the firewalld service status, for example, from inactive to active or
the other way around, or you reload the firewall configuration (firewall-cmd --reload) while
active, communication to the Docker services fails.
To recover the firewalld service status, complete these steps:

1. Restart the docker service:

systemctl restart docker.service
2. Verify that the system restarts all containers:

Ensemble Controller R15.3 Administrator Manual - Issue: A 285

Adtran Configuring Ensemble Controller

docker container ls
This is an example for a possible command output:

CONTAINER ID IMAGE COMMAND CREATED STATUS

5840c1cab368 ...gnss- "/bin/sh -c 'exec 4 minutes Up 4 minutes

collector:... ./…" ago (healthy)

f223043f0538 ...gnss-data- "/bin/sh -c 'exec 4 minutes Up 4 minutes

access:... ./…" ago (healthy)

l The Sync Assurance application uses the TCP port 8093 for network communication.
You do NOT have to open this TCP port because the Docker daemon opens it
automatically.

l You installed the map library appropriate for your Ensemble Controller version as described
in Installing the Map Library in Linux.
l For PTP Assurance only – you have installed or configured one or more File Servers to be used
by the PTP assurance TIE raw data collection.
o The file servers are used by:
o The Syncjack capable devices, to upload the TIE raw data files, generated by the
configured Syncjack Probes.
o The PTP Assurance application, which collect the raw data files, as part of the PTP
Assurance monitoring process.

o In case you have selected FTP as your preferred protocol to transfer the TIE raw data files:
o We recommend using Vsftpd service which It is the default FTP server in the Ubuntu,
CentOS, Fedora, NimbleX, Slackware and RHEL Linux distributions.
Find more information here: https://security.appspot.com/vsftpd.html
o You must avoid using FTP servers running on Windows platform, and specifically avoid
using FileZilla server.

Procedure to Install the Sync Assurance Application

1. From the Ensemble Controller (ENC) installation medium, copy the SyncAssurance_vX.X.X-
Bxxxx.tar.gz file in the directory /opt/adva.
2. Set the working directory to /opt/adva:
cd /opt/adva/
3. Untar the SyncAssurance_vX.X.X-Bxxxx.tar.gz file:

Ensemble Controller R15.3 Administrator Manual - Issue: A 286

Adtran Configuring Ensemble Controller

tar -zxvf SyncAssurance_vX.X.X-Bxxxx.tar.gz

This will create the Sync Assurance directory structure.

4. Set the working directory to /opt/adva/SyncAssurance:

cd /opt/adva/SyncAssurance
5. Only for Sync Assurance 15.2.1 or later- run the enc_token_generate.sh script:

a. Make sure that ENC 15.2 is running.

b. Execute the enc_token_generate.sh script:
./enc_token_generate.sh [<ENC server IP address>]
<ENC server IP address> - optional attribute: IP address of ENC server that the system
should acquire the token from. Enter this address if you use Sync Assurance on a
separate server.
c. Verify if the operation was successful:
l Display the list of secrets:
docker secret ls
l Verify if the process created the synca-enc-http-token secret.

6. Execute the deploy.sh script:

./deploy.sh --enc-ip <ENC primary server IP address> \
[--enc-ip-2 ENC secondary server IP address] \
[--gnss-enable true|false] \
[--gnss-custom-device-enable true|false] \
[--tpa-enable true|false]
[--snt-enable true|false]

a. The <ENC primary server IP address> is the only mandatory parameter that you
must specify. However, if you configure Ensemble Controller in a high availability
configuration, you must specify the IP addresses for both the primary and the secondary
ENC Server.
The IP address that you specify for the --enc-ip and eventually for the --
enc-ip-2 parameter:

l Must be an address other than localhost or 127.0.0.1

l Must belong to a network interface that is reachable from the

outside world.

b. The --gnss-enable, --tpa-enable, and --snt-enable parameters specify the Sync

Assurance application stacks that the system is to deploy.
Stack is an object that contains all the services that an application
contains. This guide uses both terms interchangeably.

Ensemble Controller R15.3 Administrator Manual - Issue: A 287

Adtran Configuring Ensemble Controller

If you do not specify the --<stack-name>-enable parameters, the system deploys GNSS
and PTP (Time And Phase) Assurance applications. If you want to deploy only one
application stack, use only the relevant parameter.
c. If set to true, the --gnss-custom-device-enable parameter deploys an additional gnss
service “gnss_custom-worker”, which supports third-party GNSS-capable devices.
d. If set to true, the --snt-enable parameter deploys an additional “snt” service that allows
the Streaming Network Telemetry PM data collection from supported Softsync devices.
You need to enable snt service to use the Timing Quality Compliance functionality. The
default value is false.

7. Verify that all requested Sync Assurance application stacks are running:
docker stack services <stack-name>
For the <stack-name>, type the relevant stack:
l rproxy (mandatory proxy application)
l gnss
l tpa
l snt
See Command Output Example for GNSS Docker Services for a possible gnss command
output. REPLICAS of all listed services should equal x/x, where x>0.

Ensemble Controller R15.3 Administrator Manual - Issue: A 288

Adtran Configuring Ensemble Controller

Command Output Example for a GNSS Service

Table 13: Command Output Example for GNSS Docker Services

ID NAME MODE REPLICAS IMAGE PORTS

1f051giosjun gnss_collector replicated 1/1 adva/gnss-collector:11.3.1-B6493

9oe4nruidacg gnss_timescaledb replicated 1/1 timescale/timescaledb:1.0.0-pg10 *:5433-

>5432/tcp

hxjzft83ypzs gnss_machine- replicated 1/1 adva/gnss-machine-learning:11.3.1-B6493

learning

kksqb3omfbj3 gnss_data-access replicated 1/1 adva/gnss-data-access:11.3.1-B6493

o74pm467ag75 gnss_zookeeper replicated 1/1 zookeeper:3.4.14

rpw91raq7qid gnss_db-backup replicated 1/1 prodrigestivill/postgres-backup-local:10

z0ly9m08kesw gnss_kafka replicated 1/1 wurstmeister/kafka:2.12-2.2.0

Ensemble Controller R15.3 Administrator Manual - Issue: A 289

Adtran Configuring Ensemble Controller

Stopping the Sync Assurance Application

Complete these optional steps to stop the Sync Assurance application.
1. Set the working directory to /opt/adva/SyncAssurance:
cd /opt/adva/SyncAssurance
2. Stop the Sync Assurance application:
./SyncAssurance-ctl.sh stop

Starting the Sync Assurance Application

Complete these optional steps to start the Sync Assurance application.
1. Set the working directory to /opt/adva/SyncAssurance:
cd /opt/adva/SyncAssurance
2. Only for Sync Assurance 15.2.1 or later- run the enc_token_generate.sh script:

a. Make sure that ENC 15.2 is running.

3. Execute the deploy.sh script:

Ensemble Controller R15.3 Administrator Manual - Issue: A 290

Adtran Configuring Ensemble Controller

l Must be an address other than localhost or 127.0.0.1

l Must belong to a network interface that is reachable from the

outside world.

b. The --gnss-enable, --tpa-enable, and --snt-enable parameters specify the Sync

Assurance application stacks that the system is to deploy.
Stack is an object that contains all the services that an application
contains. This guide uses both terms interchangeably.

4. Verify that all requested Sync Assurance application stacks are running:
docker stack services <stack-name>
For the <stack-name>, type the relevant stack:
l rproxy (mandatory proxy application)
l gnss
l tpa
l snt
See Command Output Example for GNSS Docker Services for a possible gnss command
output. REPLICAS of all listed services should equal x/x, where x>0.

Health Check and Database Backup for Sync Assurance

Applications
You can generate a health-check report or perform a database backup for each supported
Assurance applications. The required scripts are located in the gnss, tpa, or snt directories in
/opt/adva/SyncAssurance:
l ../gnss/ healthcheck_gnss.sh
l ../tpa/ healthcheck_tpa.sh
l ../snt/ healthcheck_snt.sh

Ensemble Controller R15.3 Administrator Manual - Issue: A 291

Adtran Configuring Ensemble Controller

healthcheck_<application Generates the healthcheck_<application name>_

name>.sh YYYY-MM-DD__HH-MM-SS.tar.gz file, which contains
log and configurations files of the corresponding
application, and some basic information about the
system status.

db_backup_<application name>.sh Generates the fnm_sync_pm-<application name>-

YYYY-MM-DD__HH-MM-SS.sql.gz file, which contains
the database-backup file (dump file).

If required, execute the relevant script.

Automatic Database Backups

Sync Assurance provides the db-backup service to periodically generate database backups for
all supported applications: PTP (Time And Phase) Assurance, GNSS, and SNT in these time
frames:
l Daily backup file generated at 01:00 UTC for GNSS.
l Daily backup file generated at 04:00 UTC for PTP (Time And Phase) Assurance.
l Daily backup file generated at 07:00 UTC for SNT.
l For each daily, weekly, and monthly time frame 2 backup files are available, one related with
the current (in progress) day, week, and month and one from the previous day, week, and
month.

The backup files are stored on the server where the Sync Assurance application runs, in the
directory /var/lib/docker/volumes/<application name>_db-backup
The <application name> can be tpa, gnss, or snt.
We strongly recommend that you copy database backup files to an external system.

Restoring the Database from a Backup File

Complete these steps to revert the database to a previous state from a database-backup file
that you created before.
1. Execute the relevant Docker command according to the application database that you
want to restore:
docker stack services <stack-name>
For the <stack-name>, type gnss, tpa, or snt.
See Command Output Example for GNSS Docker Services – Replicas 1/1 for a possible gnss
command output.
2. Note down the REPLICAS numbers for all running services that access the database:
l Any service with a name that ends with “collector”.
l Any service with a name that ends with “data-access”.

Ensemble Controller R15.3 Administrator Manual - Issue: A 292

Adtran Configuring Ensemble Controller

l Any service with a name that ends with “db-backup”.

a. Before you start the restore operation, you must stop these services. To stop the services,
execute these Docker commands:
docker service scale <stack-name>_[gnmi_]collector=0
docker service scale <stack-name>_data-access=0
docker service scale <stack-name>_db-backup=0
If you restore the GNSS database, and you use the optional gnss_
custom-worker service, also note down the REPLICA number of that
service, and then stop it using this command: docker service scale
gnss_custom-worker=0.
If you restore TPA database, also note down the REPLICA number of tpa_
online-qm service, and then stop it using command: docker service
scale tpa_online-qm=0.

b. Execute this Docker command to list the number of the services that still run for PTP (Time
And Phase) Assurance, GNSS, or SNT:
docker stack services <stack-name>
c. Verify that the system stopped the services that have access to the database, which
means REPLICAS = 0/0. See Command Output Example for GNSS Docker Services –
Replicas 0/0 for a possible GNSS-stack command output after the services stopped.

3. Set the working directory to /opt/adva/SyncAssurance/<application name>

4. Execute the db_restore script:
./db_restore_<application name>.sh <backup_file>
You must run the restore script on the server where the Sync Assurance
application runs.

5. To restart the database service, complete these steps:

a. Execute this Docker command to stop the database service for the relevant database
that you want to restore:
docker service scale <stack-name>_timescaledb=0
b. Execute this Docker command to list the services that run for PTP (Time And Phase)
Assurance, GNSS, or SNT:
docker stack services <stack-name>
c. Verify that the system stopped the relevant database service, which means
REPLICAS = 0/0. See these examples:
l [root@tlv-s-nms-vm02 ~]# docker stack services tpa
ID NAME MODE REPLICAS IMAGE PORTS
kmkejkafdxis tpa_timescaledb replicated 0/0 adva/synca-
timescaledb:1.7.3-pg10 *:5439->5432/tcp
l [root@tlv-s-nms-vm02 ~]# docker stack services gnss
ID NAME MODE REPLICAS IMAGE PORTS

Ensemble Controller R15.3 Administrator Manual - Issue: A 293

Adtran Configuring Ensemble Controller

coe3ct4t8q20 gnss_timescaledb replicated 0/0 adva/synca-

timescaledb:1.7.3-pg10
l [root@tlv-s-nms-vm02 ~]# docker stack services snt
ID NAME MODE REPLICAS IMAGE PORTS
qqdjq6ow7ibd snt_timescaledb replicated 0/0 adva/synca-
timescaledb:2.9.1-pg14

d. Execute this Docker command to start the database service for the relevant database
that you want to restore:
docker service scale <stack-name>_timescaledb=1
e. Execute this Docker command to list the services that run for PTP (Time And Phase)
Assurance, GNSS, or SNT:
docker stack services <stack-name>
f. Verify that the system restarted the relevant database service, which means
REPLICAS = 1/1. See these examples:
l [root@tlv-s-nms-vm02 ~]# docker stack services tpa
ID NAME MODE REPLICAS IMAGE PORTS
kmkejkafdxis tpa_timescaledb replicated 1/1 adva/synca-
timescaledb:1.7.3-pg10 *:5439->5432/tcp
l [root@tlv-s-nms-vm02 ~]# docker stack services gnss
ID NAME MODE REPLICAS IMAGE PORTS
coe3ct4t8q20 gnss_timescaledb replicated 1/1 adva/synca-
timescaledb:1.7.3-pg10
l [root@tlv-s-nms-vm02 ~]# docker stack services snt
ID NAME MODE REPLICAS IMAGE PORTS
qqdjq6ow7ibd snt_timescaledb replicated 1/1 adva/synca-
timescaledb:2.9.1-pg14

6. Execute these Docker commands to restart the services that you stopped in Step 2 before
you restored the database:
docker service scale <stack-name>_[gnmi_]collector=<no of replicas noted
down in step 2>
docker service scale <stack-name>_data-access=<no of replicas noted down in
step 2>
docker service scale <stack-name>_db-backup=<no of replicas noted down in
step 2>
If relevant: docker service scale gnss_custom-worker=<no of replicas noted down
in step 2>
If relevant: docker service scale tpa_online-qm=<no of replicas noted down in
step 2>
7. Verify that the services have access to the started database, which means that the replica
numbers must be equal to the ones noted down in Step 2.
docker stack services <stack-name>

Ensemble Controller R15.3 Administrator Manual - Issue: A 294

Adtran Configuring Ensemble Controller

See Command Output Example for GNSS Docker Services – Replicas 1/1 for the command
output example.
8. To clear the database backup condition, complete these steps (this step is only relevant for
GNSS and PTP (Time And Phase) Assurance):
a. Set the working directory to /opt/adva/SyncAssurance/<stack-name>
b. Execute the ./db_force_clear_db_backup_permission_<stack-name>.sh script.
c. Verify that the output is as follows:
db backup permission cleared SUCCESS
If the output looks different, contact Technical Services.

Ensemble Controller R15.3 Administrator Manual - Issue: A 295

Adtran Configuring Ensemble Controller

Command Output Examples for GNSS Service Replicas

Table 14: Command Output Example for GNSS Docker Services – Replicas 1/1
ID NAME MODE REPLICAS IMAGE PORTS

1f051giosjun gnss_collector replicated 1/1 adva/gnss-collector:11.3.1-B6493

9oe4nruidacg gnss_timescaledb replicated 1/1 timescale/timescaledb:1.0.0-pg10 *:5433-

>5432/tcp

hxjzft83ypzs gnss_machine-learning replicated 1/1 adva/gnss-machine-learning:11.3.1-B6493

kksqb3omfbj3 gnss_data-access replicated 1/1 adva/gnss-data-access:11.3.1-B6493

o74pm467ag75 gnss_zookeeper replicated 1/1 zookeeper:3.4.14

rpw91raq7qid gnss_db-backup replicated 1/1 prodrigestivill/postgres-backup-local:10

z0ly9m08kesw gnss_kafka replicated 1/1 wurstmeister/kafka:2.12-2.2.0

Table 15: Command Output Example for GNSS Docker Services – Replicas 0/0
ID NAME MODE REPLICAS IMAGE PORTS

1f051giosjun gnss_collector replicated 0/0 adva/gnss-collector:11.3.1-B6493

9oe4nruidacg gnss_timescaledb replicated 1/1 timescale/timescaledb:1.0.0-pg10 *:5433-

>5432/tcp

hxjzft83ypzs gnss_machine-learning replicated 1/1 adva/gnss-machine-learning:11.3.1-B6493

kksqb3omfbj3 gnss_data-access replicated 0/0 adva/gnss-data-access:11.3.1-B6493

o74pm467ag75 gnss_zookeeper replicated 1/1 zookeeper:3.4.14

Ensemble Controller R15.3 Administrator Manual - Issue: A 296

Adtran Configuring Ensemble Controller

ID NAME MODE REPLICAS IMAGE PORTS

rpw91raq7qid gnss_db-backup replicated 0/0 prodrigestivill/postgres-backup-local:10

z0ly9m08kesw gnss_kafka replicated 1/1 wurstmeister/kafka:2.12-2.2.0

Ensemble Controller R15.3 Administrator Manual - Issue: A 297

Adtran Configuring Ensemble Controller

Connecting the Sync-Assurance Applications with the

Ensemble Controller
In the fnm.properties file, which is located in the Ensemble Controller installation directory, add
the IP address of the server where the Sync Assurance applications run to this property:
com.adva.nlms.mediation.synchronization.assurance.cluster.host=<SYNCA_SERVER_
IP_ADDRESS>
If the Ensemble Controller and the Sync Assurance application run on the same system, then
the <SYNCA_SERVER_IP_ADDRESS> can be localhost.
For general information about how to edit the fnm.properties file, see Editing the fnm.properties
File.

Enabling Machine-Learning Based Alarms for GNSS

In the fnm.properties file, which is located in the Ensemble Controller installation directory, set
this property to true:
com.adva.nlms.mediation.synchronization.gnss.assurance.machine.learning.alarm
s.enabled
For general information about how to edit the fnm.properties file, see Editing the fnm.properties
File.
This property specifies whether Ensemble Controller can raise and clear GNSS machine-
learning (ML) alarms that the GNSS Assurance ML service produces. By default, this property is
disabled (set to false).
If you set the property to false:
l Ensemble Controller cannot raise ML alarms.
l After the Ensemble Controller Server starts, the system clears all previously raised ML alarms.

Creating Custom GNSS Scripts

The GNSS Assurance application requires custom scripts to monitor the third-party custom
GNSS devices after you import these devices to your network. This section describes the
required parameters for a valid custom script.

Supported Files and Script Formats 298

System-Provided Custom GNSS Help Files 301
Custom Script Business Logic 302
Post-Creation Steps 307

Supported Files and Script Formats

Ensemble Controller supports any Linux-executable file or the script formats that are listed in
this table. You define the script format in the first line of the script.

Ensemble Controller R15.3 Administrator Manual - Issue: A 298

Adtran Configuring Ensemble Controller

Table 16: Supported File and Script Formats

Script Format File Suffix First Script Line

Python py #!/usr/local/bin/python

pyw #!/usr/local/bin/python3

Unix script sh #!/bin/sh

bash #!/bin/bash

Java source java #! /opt/java/openjdk/bin/java --source 11

You can also use a Java 11 executable JAR file, but you must first convert the JAR file to a Linux-
executable file as described in these steps:
1. Create an executable Java JAR file, for example custom_script.jar, and then copy the JAR file
to a Linux machine.
2. On the target Linux machine, type these commands:
$ echo "#! /opt/java/openjdk/bin/java -jar" > custom_script
$ cat custom_script.jar >> custom_script
$ chmod +x custom_script
If you use one of the script formats described in Table 16 in a text file, make
sure that you save the file in the Unix End Of Line format (LF). Take special
care also if you create or edit the file in a non-Linux environment. For
example, when you edit the script file in Windows, the system uses the
Windows EOL (CR LF) format. However, in Linux where you execute the script,
the system cannot correctly interpret this Windows format.

This figure shows a Python script example:

Ensemble Controller R15.3 Administrator Manual - Issue: A 299

Adtran Configuring Ensemble Controller

Ensemble Controller R15.3 Administrator Manual - Issue: A 300

Adtran Configuring Ensemble Controller

System-Provided Custom GNSS Help Files

The Sync Assurance server installation (gnss option) includes these custom GNSS help files
located in the /opt/adva/SyncAssurance/gnss/customGnssHelpFiles/ directory:

Ensemble Controller R15.3 Administrator Manual - Issue: A 301

Adtran Configuring Ensemble Controller

Custom GNSS Help Files Description

custom_gnss_device_ssh_ An example CLI-based python script that demonstrates

script.py how to monitor a specific GNSS device. The device uses an
SSH connection that runs CLI commands.

custom_gnss_device_ An example JSON result string, which is an example of the

script_result_json.txt returned python script.

custom_gnss_device_ The JSON result schema definition for a successful device

script_result_json_ collection.
schema.txt

custom_gnss_device_ The JSON result schema definition for a failed device

script_failure_result_json_ collection.
schema.txt

import_2_custom_gnss_ The Ensemble Controller (ENC) Client uses this example

devices_to_enc.xml XML file to discover and add two custom GNSS devices to
the ENC-managed network. The GNSS Assurance
application monitors those devices.

Custom Script Business Logic

The script that you create must automatically complete these operations when you run it. Write
the code accordingly. The script:
1. Opens a connection, for example, a CLI-based SSH connection, or HTTPS connection to the
custom GNSS device.
2. Uses the associated CLI connection properties and credentials to connect to the device. The
system passes these device parameters to the script processor, using the process
environment variables, and makes the parameters available for the processor to read from
inside the script.
l neIpAddress
l port
l user
l password
l connectTimeout
l readTimeout
3. Executes the relevant commands to obtain the GNSS telemetry data from the device.
4. Parses the returned data, and then translates the data into the JSON string. The JSON string
must conform to this JSON schema definition if successful:

{"$schema":"https://json-schema.org/draft/2019-09/schema",

"title": "List Of GNSSPortHolderDTO",

Ensemble Controller R15.3 Administrator Manual - Issue: A 302

Adtran Configuring Ensemble Controller

"description": "contains a list of GNSS ports, each with its own reported visible
satellites information in a specific time for a managed GNSS capable network
device",

"type":"array",

"items":

"description": "contains GNSS port and visible satellites information for a single
GNSS Reciever Port at a specific time for the GNSS Assurance application",

"type":"object",

"properties":{

"portIdentity":{

"type":"object",

"properties":{

"neIpAddress":{"description": "IP Address of the monitored device",

"type":"string"},

"portAid":{"description": "unique identity of the monitored GNSS port in this

device", "type":"string"}

"required": [ "neIpAddress", "portAid"]

"portData":{

"type":"object",

"properties":{

"adminState":{"type":"integer"},

"agc":{"description": "automatic gain control reported by the port in percentage",

"type":"integer","minimum": 0, "maximum": 100},

"antennaCableLength":{"type":"integer"},

"antennaStatus":{"type":"integer"},

"cnoMask":{"description": "carrier-to-noise density(C/No) mask configured for the

port. satellites with lower C/No are not used by the
reciever","type":"integer","minimum": 0, "maximum": 55},

"coordinateAltitude":{"description": "calculated altitude in meters",

"type":"integer"},

"coordinateLatitude":{"description": "calculated latitude in degrees, minutes,

seconds (DMS) notation. e.g. N32:11:32.23", "type":"string"},

"coordinateLongitude":{"description": "calculated longitude in degrees, minutes,

seconds (DMS) notation. e.g. E034:53:05.29", "type":"string"},

Ensemble Controller R15.3 Administrator Manual - Issue: A 303

Adtran Configuring Ensemble Controller

"delayOption":{"type":"integer"},

"delayValue":{"type":"integer"},

"elevationMask":{"type":"integer"},

"gnssSystem":{"description": "configured constellations for the port. described via

bitmap. bit positions from lsb: gps=0, glonass=1, beidou=2, galileo=3, sbas=4,
qzss=5", "type":"integer"},

"hdop":{"type":"integer"},

"horizontalAccuracy":{"type":"integer"},

"installationType":{"description": "Installation Type of GNSS Antenna. 1=full sky

view, 2= limited sky view", "type":"integer"},

"numTrackingSatellites":{"description": "number of used satellites",

"type":"integer"},

"numVisibleSatellites":{"description": "number of visible satellites",

"type":"integer"},

"operationalState":{"description":"current operational state of the GNSS receiver.

1=normal, 2=outage", "type":"integer"},

"pdop":{"type":"integer"},

"pdopMask":{"type":"integer"},

"ppsGenCondition":{"description": "if number of used satellites drops below this

number the GNSS will not produce PPS output and will be marked as red/Failed",
"type":"integer"},

"ppsGeneratedFlag":{"type":"integer"},

"satMin1Threshold":{"description": "if number of used satellites drops below this

number the GNSS result is suspected to be degraded and will be marked as
yellow/Degraded","type":"integer"},

"satMin2Threshold":{"type":"integer"},

"satellitesUsableFlag":{"type":"integer"},

"secondaryState":{"type":"integer"},

"selfSurveyControl":{"type":"integer"},

"selfSurveyPeriod":{"type":"integer"},

"selfSurveyPositionAccuracy":{"type":"integer"},

"selfSurveyProgress":{"description":"sulf survey progress in percentage",

"type":"integer","minimum": 0, "maximum": 100},

"spoofingLocationDifference":{"type":"integer"},

"spoofingLocationThreshold":{"type":"integer"},

"spoofingPpsDifference":{"type":"integer"},

"spoofingPpsThreshold":{"type":"integer"},

Ensemble Controller R15.3 Administrator Manual - Issue: A 304

Adtran Configuring Ensemble Controller

"tdop":{"type":"integer"},

"vdop":{"type":"integer"},

"verticalAccuracy":{"type":"integer"}

"required": [ "adminState", "gnssSystem", "elevationMask", "coordinateLatitude",

"coordinateLongitude", "coordinateAltitude", "operationalState",
"numTrackingSatellites", "numVisibleSatellites"]

"portVisibleSatellites":{

"type":"array",

"items":{

"type":"object",

"properties":{"azimuth":{"description": "reproted sattelite azimuth

angle","type":"integer"},

"cno":{"description": "reproted satellite carrier-to-noise density(C/No)",

"type":"integer"},

"elevation":{"description": "reproted satllite elevation angle", "type":"integer"},

"health":{"description": "reported satellite health: N/A=1, OK=2, WEAK=3, DEAD=4,

NO_DATA_MODULATION=5","type":"integer"},

"inUse":{"description": "is reported satellite used by the reciever for location

and time calculations: true=1, false=2","type":"integer"},

"sv":{"description": "reported satellite id", "type":"integer"},

"svType":{"description": "reproted satellite constellation: gps=1, glonass=2,

beidou=4, galileo=8, sbas=16, qzss=32", "type":"integer"}

"required": [ "azimuth", "cno", "elevation", "health", "inUse", "sv", "svType"]

"required": ["portIdentity"]

The script might encounter a problem and therefore retrieve no results from the device. If so,
the script must then create a JSON string that conforms to this failed collection JSON
schema definition:

Ensemble Controller R15.3 Administrator Manual - Issue: A 305

Adtran Configuring Ensemble Controller

"$schema": "http://json-schema.org/draft-07/schema#",

"title": "GNSS Collection Error",

"description": "contains GNSS collection failure reason",

"type": "object",

"properties":{

"error": {"description": "collection failure reason", "type": "string"}

"required": ["error"]

5. Writes the JSON result to the standard output. This example shows the generated JSON
string based on the defined JSON schema in Step 4.

{"portIdentity": {

"portAid": "GNSS-1",

"neIpAddress": "192.168.178.210"

"portData": {

"adminState": 1,

"gnssSystem": 3,

"elevationMask": 5,

"coordinateLatitude": "N32:11:32.23",

"coordinateLongitude": "E034:53:05.29",

"coordinateAltitude": 107.0,

"operationalState": 1,

"numVisibleSatellites": 18,

"numTrackingSatellites": 18

"portVisibleSatellites": [

{"sv": 1, "cno": 46, "health": 2, "azimuth": 315, "elevation": 28, "svType": 1},

{"sv": 3, "cno": 41, "health": 2, "azimuth": 263, "elevation": 16, "svType": 1},

{"sv": 8, "cno": 48, "health": 2, "azimuth": 245, "elevation": 58, "svType": 1},

{"sv": 10, "cno": 45, "health": 2, "azimuth": 53, "elevation": 27, "svType": 1},

{"sv": 11, "cno": 48, "health": 2, "azimuth": 310, "elevation": 55, "svType": 1},

Ensemble Controller R15.3 Administrator Manual - Issue: A 306

Adtran Configuring Ensemble Controller

{"sv": 14, "cno": 47, "health": 2, "azimuth": 116, "elevation": 70, "svType": 1},

{"sv": 21, "cno": 45, "health": 2, "azimuth": 113, "elevation": 28, "svType": 1},

{"sv": 22, "cno": 44, "health": 2, "azimuth": 277, "elevation": 35, "svType": 1},

{"sv": 27, "cno": 48, "health": 2, "azimuth": 190, "elevation": 44, "svType": 1},

{"sv": 32, "cno": 52, "health": 2, "azimuth": 63, "elevation": 60, "svType": 1},

{"sv": 40, "cno": 40, "health": 2, "azimuth": 145, "elevation": 47, "svType": 1},

{"sv": 41, "cno": 42, "health": 2, "azimuth": 115, "elevation": 26, "svType": 1},

{"sv": 66, "cno": 52, "health": 2, "azimuth": 15, "elevation": 52, "svType": 2},

{"sv": 67, "cno": 51, "health": 2, "azimuth": 257, "elevation": 59, "svType": 2},

{"sv": 68, "cno": 42, "health": 2, "azimuth": 229, "elevation": 12, "svType": 2},

{"sv": 81, "cno": 50, "health": 2, "azimuth": 120, "elevation": 78, "svType": 2},

{"sv": 82, "cno": 50, "health": 2, "azimuth": 334, "elevation": 45, "svType": 2},

{"sv": 88, "cno": 37, "health": 2, "azimuth": 142, "elevation": 24, "svType": 2}]

6. Closes the connection to the device.

Post-Creation Steps
After you create the valid custom script according to the described Custom Script Business
Logic, add it to the Sync Assurance Settings window as described in the Synchronization
Management Guide.

Make sure that the relevant communication ports that the script uses, for
example port 22 for SSH, are open for the outgoing connection from the Sync
Assurance server towards the monitored GNSS devices.

Changing the Database Password of the Sync Assurance

Applications
Complete this optional procedure to change the database password of the Sync Assurance
Applications.
1. Set the working directory to /opt/adva/SyncAssurance/<application-name>.
The <application-name> is tpa, gnss, or snt.

2. Execute the db_pw_change_<application-name>.sh script:

./db_pw_change_<application-name>.sh '<new-password>'
Password has to meet the following requirements:

Ensemble Controller R15.3 Administrator Manual - Issue: A 307

Adtran Configuring Ensemble Controller

l Enclosed in single quotes.

l Have 1 to 995 characters.
l Can contain only these alphanumeric characters: a to z; A to Z; 0 to 9.
l Can contain only these special characters: ` ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ / < > , . ; ? : |.
This script updates the database password and stops all services of the
specific application.

3. To restart all application services, execute the top level deploy.sh script. See Procedure to
Install the Sync Assurance Application.

Configuring Streaming Network Telemetry Service

Configure Streaming Network Telemetry (SNT) service to use TLS/ mTLS secure connection
between SNT stack and devices:

The mTLS secure connection is currently not supported by OSA SoftSync

devices.

1. Insert these files in /opt/adva/SyncAssurance/snt/ssl/ directory:

l gnmi-collector-client-ca.crt - CA certificate used by gnmi collector client to verify the
authenticity of devices.
l gnmi-collector-client.key - private key used by the gnmi collector client (required only for
mTLS).
l gnmi-collector-client.crt - gnmi collector client certificate (required only for mTLS).

2. Set the working directory to /opt/adva/SyncAssurance/snt:

cd /opt/adva/SyncAssurance/snt
3. Execute the docker_create_secrets_from_certificate_files.sh script:
./docker_create_secrets_from_certificate_files.sh
The script removes the SNT stack in case it was already deployed. It also removes the
certificate/key files from /opt/adva/SyncAssurance/snt/ssl/ directory after processing
them.
4. To restart all application services, execute the top level deploy.sh script, see Procedure to
Install the Sync Assurance Application.

Installing the Ensemble Fiber Director Server

in Linux
Complete this procedure to install the Ensemble Fiber Director server in a Linux operating
system.

Ensemble Controller R15.3 Administrator Manual - Issue: A 308

Adtran Configuring Ensemble Controller

You need the Ensemble Fiber Director server if you want to use the fiber plant management
feature. For more information, see the Ensemble Fiber Director User Manual.

Requirements to Install the Ensemble Fiber Director Server 309

Procedure to Install the Ensemble Fiber Director Server 310

Requirements to Install the Ensemble Fiber Director

Server
l Only install the Ensemble Fiber Director version that is included in the Ensemble Controller
installation CD. Other versions might not be supported.
l The minimal supported Ensemble Controller version is 11.1.
l Ensemble Fiber Director supports these Linux versions:
o 7.8 and 7.9
o 8.6 and 8.8

l You have super-user access.

l The SELinux status must be Permissive that is, SElinux = Permissive.
l You installed Docker CE 20.10 on the destination system and created a Docker swarm.
After you install Docker, you must NOT change the firewalld service status.

1. Restart the docker service:

systemctl restart docker.service
2. Verify that the system restarts all containers:
docker container ls
This is an example for a possible command output:

CONTAINER ID IMAGE COMMAND CREATED STATUS

600db3b12914 adva/geoserver: ... "/usr/local/ 4 minutes Up 4

tomcat/t…" ago minutes
(healthy)

9347b47b410c adva/postgis: ... "docker- 4 minutes Up 4

entrypoint.s…" ago minutes
(healthy)

Ensemble Controller R15.3 Administrator Manual - Issue: A 309

Adtran Configuring Ensemble Controller

l Ensemble Fiber Director uses these TCP ports:

o TCP ports 10080 and 10443 for the communication between the Ensemble Controller and
the Ensemble Fiber Director server.
o TCP port 25432 for the communication between Ensemble Fiber Editor and the Ensemble
Fiber Director server.
You do NOT have to open these TCP ports because the Docker daemon
opens them automatically.

l You installed the map library appropriate for your Ensemble Controller version as described
in Installing the Map Library in Linux.

Procedure to Install the Ensemble Fiber Director Server

1. From the Ensemble Controller installation CD, copy the FiberDirector_for_Linux-vX.X.X.tgz
package to a temporary directory and unpack it.
2. Change the working directory to the one that you just created.
3. Only for Red Hat Enterprise Linux 8.x:

a. In the firewalld script, open these ports:

firewall-cmd --zone=public --permanent --add-port=25432/tcp
firewall-cmd --zone=public --permanent --add-port=10080/tcp
firewall-cmd --zone=public --permanent --add-port=10443/tcp
b. Reload the firewalld configuration:
firewall-cmd –-reload

4. Run the install.sh installation script with super-user privileges, for example:
sudo ./install.sh
5. If prompted:
l Type y or yes to run the Ensemble Fiber Director server automatically within this
installation process.
l Type n or no if you want to do additional reconfigurations manually before the
application is started.
6. After successful installation, you can remove the temporary directory.

Installing Ensemble Fiber Editor

Ensemble Fiber Editor is used to manage fiber plant data that Ensemble Fiber Director uses to
visualize it in the Ensemble Controller. It is a user-friendly way to configure and set up the fiber-
optic network infrastructure.
For information about how to install Ensemble Fiber Editor, see the Ensemble Fiber Director User
Manual, Installing Ensemble Fiber Editor.

Ensemble Controller R15.3 Administrator Manual - Issue: A 310

Adtran Configuring Ensemble Controller

For general information about the related fiber plant management feature, see the Ensemble
Fiber Director User Manual.

Installing the Local Geographical Map-Tile

Server in Linux
If the Ensemble Controller Client does not have an outside world internet connection, the GNSS
applications or the Ensemble Fiber Director server will appear without a geographical map tile.
To overcome this, you can install and run a local intranet-accessible tile server that your
Ensemble Controller Clients can connect to in a Linux operating system. This procedure
describes the steps.
If the Ensemble Controller Client has an internet connection, the Client uses the system-
provided tile server and default settings to display the geographical map tile. If you want to
change to a different tile server than the default, the steps in this procedure also apply.

l For security reasons, https web pages do only load secure https
subresources. For details, see Chrome Security Concern.
l The Ensemble Controller Client supports the tile servers that have an URL x,y,z
format, for example:
http://<ip>/<tiles-name>/{z}/{x}/{y}{r}.png
l If you plan to use a high number of maps, to avoid performance issues, we
recommend that you install the map-tile server on a different computer
that is separate from the computer where you installed the Ensemble
Controller Server.

1. You can obtain the tile server and geographical maps from any provider that supports the
x,y,z format. This table lists some known provider website examples.

Websites Remark

https://openmaptiles.org/docs/ Recommended.

Docker Version: https://switch2osm.org/serving-tiles/using-a- Alternative.

docker-container/

https://knowledgebase.hyperlearning.ai/en/articles/centos-7-
open-street-map-tile-server#leaflet
The Ensemble Controller uses a leaflet whose default projection is
EPSG:3857. This is a Spherical Mercator projection coordinate
system that web services such as OpenStreetMap use. EPSG:3857
projection is also known as Google Mercator or Web Mercator.

2. After the download, follow the website instructions to install the tile server.

Ensemble Controller R15.3 Administrator Manual - Issue: A 311

Adtran Configuring Ensemble Controller

3. After the installation, open the tile-server installation description. Make a note of the map-
specific information that follows, which you will need in a later step to edit the fnm.properties
file.
l The URLs in x,y,z format.
l The maxZoom value.
l Optional: The license attribution of the geographical map-tile provider requirements.
4. In the Ensemble Controller installation directory, open the fnm.properties file.
5. In the fnm.properties file, navigate to these tile-server related parameters:

This Tile Server settings section defines the tile servers for the map to provide a street or a
satellite view. Depending on the map that you purchase, you can configure either
parameter or both. If you miss the opportunity to configure a parameter that your map
supports, Ensemble Controller will display a gray background instead of the relevant map
information.
6. Use the information that you noted in Step 4, and then edit the relevant parameter in the
fnm.properties file as follows:

a. Replace the URL included in the TileServerLayer parameter with the URL from the map
that you installed.
b. If your map requires the TileServerAttribution parameter, add the appropriate value from
the map that you installed.
c. Change the maxZoom value to the appropriate value from the map that you installed. If
the maxZoom value for your map is not available, specify a value of 17 to 20.
7. Save the fnm.properties file.
8. Restart the Ensemble Controller Server as described in Starting the Ensemble Controller
Server.

Chrome Security Concern

For security reasons, a Chrome browser ensures that HTTPS web pages load only secure HTTPS
subresources. By default, the browser blocks mixed pages of insecure HTTP pages on HTTPS
pages.
If you have internet access for the default map tile server, open web server port 443. See
Configuring Server and Client Communication Ports.
If you do not have internet access, but you want to install or already installed a local map-tile
server, the tile server must support HTTPS connections. If your installed map-tile server does not
support HTTPS connections, complete these steps:
1. We recommend that you use the NGINX reverse proxy for the proxy server to support an
HTTPS endpoint on the map-tile server. See https://documentation.maptiler.com/hc/en-
us/articles/360020949718-MapTiler-Server-behind-Nginx.
This example shows an NGINX configuration to support an HTTPS endpoint:

Ensemble Controller R15.3 Administrator Manual - Issue: A 312

Adtran Configuring Ensemble Controller

server {

listen 4650 ssl;

server_name localhost;
ssl_certificate C:/DevProjects/RePro/sslcert/server.crt;
ssl_certificate_key C:/DevProjects/RePro/sslcert/server.key;
location / {proxy_pass http://localhost:3650;

}
}

2. Create the ssl keystore and ssl certificate. See Using Customer Certificates.
3. In the fnm.properties file, replace the URL included in the TileServerLayer parameter with the
URL from the map that you installed.

Ensemble Fiber Director Mobile Application

Prerequisites for Running the EFD Mobile Application 313
Installing the EFD Mobile Application 313
Running, Stopping, or Uninstalling the EFD Mobile Application 314

Prerequisites for Running the EFD Mobile Application

On the Linux system, start the docker container for the EFD mobile application.
l You installed Docker CE 20.10 on the destination system.
l Ports 7443 and 8443 must be open. See "For Red Hat Enterprise Linux 7.x and 8.x" in Steps to
Installing Ensemble Controller in Linux for more information.

Installing the EFD Mobile Application

First obtain the EFD-mobile-vXX.X.X-BXXXX.tgz package, which contains the applicable docker
container image and scripts.
During installation, the process automatically gathers and then stores the certificates in the
/opt/adva/certs directory. When you use custom certificates, point to this directory and make
sure the certificates are valid. The EFD Mobile App must have the proper server.key and
server.crt files to start.
1. Unzip the EFD-mobile-vXX.X.X-BXXXX.tgz package (tar -zxvf EFD-mobile-v15.2.1-B0001.tgz).
2. Run the installefd_mobile.sh script (./installefd_mobile.sh).
3. Enter the correct ENC Master Server IP address.

Ensemble Controller R15.3 Administrator Manual - Issue: A 313

Adtran Configuring Ensemble Controller

4. Enter the correct ENC Slave Server IP address. If you do not configure high availability, this
server IP address can be the same as the Master IP address.

After successful installation, the EFD-mobile-app will be located in the local docker registry and
scripts in the /opt/adva/efd_mobile directory.

Running, Stopping, or Uninstalling the EFD Mobile

Application
To run, stop, or uninstall the efd-mobile-app, in the /opt/adva/efd_mobile directory run the
applicable script:
l run.sh
l stop.sh
l uninstallefd_mobile.sh

For example:

./run.sh

To change the ENC Server address, stop the application, edit the docker-stack.yml, and then run
the EFD mobile app.
The EFD mobile application is available at this link:
https://IP_address_of_server_with_docker_container:7443/efd/login

Consolidating Ensemble Controller

Servers
You can export database content from one Ensemble Controller Server and import it to another
Ensemble Controller Server. This is useful if you want to merge two independent servers into one.
The steps in these topics apply to both, Windows and Linux systems, unless otherwise stated.

Terminology 315
Requirements to Consolidate Servers 315
Prerequisite Steps for the Servers 315
Starting the ENC Migration Tool 316
Command Content Description 317
Overview of the Command Sequence 322
Exporting Database Content from the Source Server 323
Importing Database Content to the Destination Server 324
Post-Migration Steps After the Import 326

Ensemble Controller R15.3 Administrator Manual - Issue: A 314

Adtran Configuring Ensemble Controller

Terminology
l The Ensemble Controller Server that you use to export data is the source server.
l The Ensemble Controller Server that you use to import data is the destination server.

Requirements to Consolidate Servers

l The source and destination servers must have the same software version.
l Verify that both, the source and destination servers are up and running.
l Verify that you have the login credentials available for both, the source and destination
servers.

Prerequisite Steps for the Servers

1. In both, source and destination servers, verify the database consistency as follows:
a. In the Ensemble Controller Client Networks tree pane, right-click the Network root, and
then select Check DB Consistency.
After the system finishes the database verification, the DB Consistency dialog box
appears.
b. In the DB Consistency dialog box, Results area, click Show Details to verify the list for any
error messages.
c. Export the DB consistency results to a file, if required:
i. Click Export.
ii. In the Save As dialog box, select the location and file name.
iii. Click Save.
d. If error messages display, in the tree pane, right-click the Network root, and then select Fix
DB Inconsistency.
e. Wait for this operation to complete.
After the system completes, the DB Consistency dialog box appears.
f. Click Show Details to verify whether the system fixed the errors.
g. If required, repeat the steps to clear remaining errors.
h. Repeat the steps for the other server.
2. Backup the database of both, source and destination servers, as follows:
a. In the Ensemble Controller Settings, select System, and then Immediate Database
Backup.
b. Repeat this step for the other server.

Ensemble Controller R15.3 Administrator Manual - Issue: A 315

Adtran Configuring Ensemble Controller

Starting the ENC Migration Tool

1. Navigate to the Ensemble Controller.../bin installation directory.
2. According to your operating system, run the appropriate script file as administrator:

Operating System Script File

Windows migrateENC.bat

Linux migrateENC.sh

The ENC Migration Tool opens in a command-line shell.

3. Type help, and then press Enter to show a list of supported commands.

These commands are the same for Windows and Linux.

However, Windows does not support the automatic tab-completion functionality. That is, if
you type the starting letters of a command, and then press Tab, the Migration Tool in Linux
automatically expands the command or displays a list of commands that start with the
letters that you typed.
For more information about the commands, see Command Content Description.
4. To continue, see the appropriate topic:
l To export database content, see Exporting Database Content from the Source Server.
l To import database content, see Importing Database Content to the Destination Server.

Ensemble Controller R15.3 Administrator Manual - Issue: A 316

Adtran Configuring Ensemble Controller

Command Content Description

Each command that the ENC Migration Tool supports, contains a certain set of objects. The
system collects the object information in files and saves them to the Ensemble
Controller.../var/migration installation directory.

Command Content or Generated File Remark or Link

Included to more
Objects information

export-all Export report export-all-YYYY_MM_DD-hh_mm_ Contains

ss.log information
about the
export phases
and results.

Global SNMP snmp_properties_global.json The system

properties uses these
files only for
validation
purposes. It
Global HTTP http_properties_global.json
does not use
properties
this data for
the import.

Networks subnetwork.json
Included
Network ne.json Attributes for
Elements Network Exports

Links links.json Included

Attributes for
Link Exports

export- Export report export-network-YYYY_MM_DD-hh_ Contains

network mm_ss.log information
about the
export phases
and results.

Global SNMP snmp_properties_global.json The system

properties uses these
files only for
validation
purposes. It
Global HTTP http_properties_global.json
does not use
properties
this data for
the import.

Ensemble Controller R15.3 Administrator Manual - Issue: A 317

Adtran Configuring Ensemble Controller

Command Content or Generated File Remark or Link

Included to more
Objects information

Networks subnetwork.json
Included
Network ne.json Attributes for
Elements Network Exports

export-links Export report export-link-YYYY_MM_DD-hh_mm_ Contains

ss.log information
about the
export phases
and results.

Links links.json Included

Attributes for
Link Exports

export- Export report export-servicetree-YYYY_MM_DD-hh_ Contains

servicetree mm_ss.log information
about the
export phases
and results.

Service tree servicetree.json Included

groups, Attributes for
subgroups, Service Tree
customer Exports
groups, and
customers

export- Export report export-tracked-services-YYYY_MM_ Contains

tracked- DD-hh_mm_ss.log information
services about the
export phases
and results.

OCS service services/OCS/* Includes all

parameters OCS service
parameters.

ODS service services/ODS/* Includes all

parameters ODS service
parameters.

Ensemble Controller R15.3 Administrator Manual - Issue: A 318

Adtran Configuring Ensemble Controller

Command Content or Generated File Remark or Link

Included to more
Objects information

OCS service services/ocsTrackedServicesData.json

data with
export and
import
Included
structure
Attributes for
ODS service services/odsTrackedServicesData.json Tracked Service
data with Exports
export and
import
structure

import- Import report import-network-YYYY_MM_DD-hh_ Contains

network mm_ss.log information
about the
import phases
and results.

Networks

Network
Elements

import-links Import report import-link-YYYY_MM_DD-hh_mm_ Contains

ss.log information
about the
import phases
and results.

Links

import- Import report import-servicetree-YYYY_MM_DD-hh_ Contains

servicetree mm_ss.log information
about the
import phases
and results.

Service tree
groups,
subgroups,
customer
groups, and
customers

Ensemble Controller R15.3 Administrator Manual - Issue: A 319

Adtran Configuring Ensemble Controller

Command Content or Generated File Remark or Link

Included to more
Objects information

import- Import report import-tracked-services-YYYY_MM_ Contains

tracked- DD-hh_mm_ss.log information
services about the
import phases
and results.

OCS service
parameters

ODS service
parameters

OCS service
data with
export and
import
structure

ODS service
data with
export and
import
structure

Included Attributes for Network Exports

If you export networks, the system generates the files subnetwork.json and ne.json that include
these attributes:
l Name and identity.
l Location in the Network tree.
l Graphical position in the Topology Graph master layout. The user layout is not taken into
account.
l Network element identifier name.
l Physical location text.
l Contact person name.
l User text.
l Description text.
l Node-specific SNMP configuration settings.
l Node-specific HTTP configuration settings.
l Ethernet crypto settings.
l Custom fields.
l Centralized Control Plane information.

Ensemble Controller R15.3 Administrator Manual - Issue: A 320

Adtran Configuring Ensemble Controller

For unmanaged objects, the files additionally include these attributes:

l Ports
l Cross-connects
l Handover ports

The system does NOT export these network attributes. You must rediscover them after the
import to the destination server:
l Shelves
l Modules
l Resources
l Intra-NE connections
l Traffic engineering links
l Regular actions

Included Attributes for Link Exports

If you export links, the system generates the file links.json that includes these attributes:
l Starting network element and ending network element.
l Link type.
l Link name.
l Source endpoint name and target endpoint name.
l Link ports.
l Link OSC ports.
l Bandwidth capacity.
l Custom fields.

Included Attributes for Service Tree Exports

If you export the Services tree, the system generates the file servicetree.json and exports all
groups, subgroups, customer groups, and customers with these attributes:
l Names.
l Graphical position in the Topology Graph for groups, subgroups, and customer groups.
l Customer contact information.
l Custom fields.

Included Attributes for Tracked Service Exports

If you export tracked WDM services, the system generates the files
services/ocsTrackedServicesData.json and services/odsTrackedServicesData.json. These files
let the system export ODS and OCS services with these attributes to import and rebuild the
services with similar parameters on the destination server, for example:
l Location in Services tree that is, relative to the same parent group, subgroup, or customer.
l Service name.

Ensemble Controller R15.3 Administrator Manual - Issue: A 321

Adtran Configuring Ensemble Controller

l Service alternate name.

l Administrative state.
l Customer name.
l Remarks.
l Service type.
l Protection type.
l Service endpoints.
l Service intermediate points and links.
l Flags: Handover.

Overview of the Command Sequence

This procedure emphasizes the commands in the sequence that you must follow to export and
import Ensemble Controller database content. It is a brief command overview with links to more
information. The Summarized Command Sequence picks up on and repeats only the
commands in the required sequence to present the overall end-to-end procedure. This section
does not cover important information, for example, about Requirements to Consolidate Servers
or Prerequisite Steps for the Servers.
1. To export database content from the source server, in the source server ENC Migration Tool,
type the appropriate command. For information about the supported commands and their
effects, see Command Content Description.
For details about how to export database content, see Exporting Database Content from the
Source Server.
2. To import the database content to the destination server, complete the steps as follows.
Importing networks or links might be time consuming. It depends on the size of the imported
networks and the server performance. For example, the system might approximately require
up to 2 hours to import an amount of 10,000 network elements or links.

a. In the destination server ENC Migration Tool, type import-network.

After the import completes, the Ensemble Controller automatically starts the inventory
polling to discover the imported objects.
b. Restart the Ensemble Controller Client.
c. Wait for the inventory polling to finish.
d. After the inventory polling completes, in the destination server ENC Migration Tool, type
import-links.
e. After the script completes the link import, type import-servicetree.
f. After the script completes the service-tree import, type import-tracked-services.
For details about how to import database content, see Importing Database Content to the
Destination Server.
3. To remove the trapsink registration that still originates from the source server, from the
imported network elements in the destination server, in the destination server ENC Migration
Tool, type remove-trapsink.
For details about how to remove the trapsink registration, see Post-Migration Steps After the
Import.

Ensemble Controller R15.3 Administrator Manual - Issue: A 322

Adtran Configuring Ensemble Controller

Summarized Command Sequence

These steps show only the commands in the required sequence to give you a brief overview of
the overall end-to-end procedure. The commands are covered in more detail in Overview of
the Command Sequence.
1. export-all
2. import-network
Before you continue, wait for the discovery phase to fully complete.
3. import-links
4. import-servicetree
5. import-tracked-services
6. remove-trapsink

For the overall migration to be complete, you must successfully perform this command
sequence.
If errors occur for any of the commands, you can restart commands individually. We
recommend that you restart commands pairwise that is, if you need to restart an export
command, also restart the related import command, for example export-links and import-links.

Exporting Database Content from the Source

Server
The export process is subject to these limitations:
l The system does not export network elements that you remove from the Ensemble Controller
database, or links where you remove the network element endpoints, while you run the export
process.
l The system does not export peer network elements. Peer network elements are closely
related to main network elements in the Ethernet area, and the system can discover peers
only after it discovered the main element. That is, after you export and import the main
element, the system automatically discovers the related peer element if it exists in the
destination server.

1. Make sure that you meet the Requirements to Consolidate Servers.

2. Complete the steps in Prerequisite Steps for the Servers.
3. In the source server, start the ENC Migration Tool as described in Starting the ENC Migration
Tool.
4. In the command-line shell, type the appropriate export command according to the objects
that you want to export. For information about the commands and the objects that they can
export, see Command Content Description.
5. Confirm the command if prompted.
After the system finishes the export, the ENC Migration Tool shows a corresponding message.
The files that the system generates from the export are saved to the Ensemble
Controller.../var/migration installation directory.

Ensemble Controller R15.3 Administrator Manual - Issue: A 323

Adtran Configuring Ensemble Controller

6. To verify any export phases and results, you can view the export LOG file that the system also
saved to the Ensemble Controller.../var/migration installation directory.
7. If your source server uses the Centralized Control Plane to manage network elements, you
must stop it after the export. Change to the root user and type either command:
l ni.server stop
–or–
l /opt/adva/fsp_nm_ni/sbin/ni.server stop

8. Proceed with the steps to import the database content that you exported from the source
server, to the destination server as described in Importing Database Content to the
Destination Server.

Importing Database Content to the

Destination Server
Requirements to Import Database Content
The import procedure as follows, assumes that:
l You already exported the relevant database content that you will need for the import, from
the source server as described in Exporting Database Content from the Source Server.
l You stopped the Centralized Control Plane in the source server if existing as described in Step
7 in Exporting Database Content from the Source Server.
l You meet the Requirements to Consolidate Servers.
l You completed the steps in Prerequisite Steps for the Servers.

Procedure to Import Database Content

1. If you import network elements that use HTTPS for the REST protocol such as FSP 3000 C or
FSP 150-XG480, in the Overview tab, REST/HTTP Configuration area, TLS Certificate field, select
Accept Any. For details, see the User Manual, Configuring REST, HTTP, or HTTPS on Network
Level.
If you do NOT set this parameter, the destination server cannot discover the network
elements that use HTTPS, and a corresponding message displays in the import LOG file. The
system saves the import LOG file to the Ensemble Controller.../var/migration installation
directory after the import completes.
2. In the destination server, disable link discovery as follows.
This prevents the links that you import, from conflicting with the discovered links in the
destination server. If you do NOT complete these steps to disable link discovery, the system
does not start the import process and a corresponding message with corrective
information displays.

a. From the Ensemble Controller Settings, select Configuration, and then Network Properties.
b. In the Network Properties window, from the left menu, select Topology & Links.

Ensemble Controller R15.3 Administrator Manual - Issue: A 324

Adtran Configuring Ensemble Controller

c. In the Topology & Links page, clear both options:

l Enable Automatic Discovery of Topology and OL Assignments to Links
l Enable Automatic Discovery of Topology and Port Assignments to Links (LLDP)
d. Click OK.
3. From the source server .../var/migration installation directory, copy the export files that
the system generated to the destination server in the same .../var/migration directory.
4. In the destination server, start the ENC Migration Tool as described in Starting the ENC
Migration Tool.
5. According to the command that you used to export objects, in the command-line shell, type
the appropriate import command:
l If you used export-all or export-network, type import-network to first import the networks
and network elements, and then in a later step, you must still import the links.
l If you used export-links, type import-links.
l If you used export-servicetree, type import-servicetree.
l If you used export-tracked-services, type import-tracked-services.
Importing networks or links might be time consuming. It depends on the size of the imported
networks and the server performance. For example, the system might approximately require
up to 2 hours to import an amount of 10,000 network elements or links.
For more information about the commands, see Command Content Description.
For an overview of the command sequence, see Overview of the Command Sequence.
6. Confirm the command if prompted.
l After you confirm the import command, the system verifies the uniqueness of identifiers,
such as link name, source endpoint, source link port, and so on, against the content that
already exists in the destination server database. The system updates the database
accordingly, and reports any import phases and results in the LOG file that is saved to the
Ensemble Controller.../var/migration installation directory.
l If you import unmanaged network elements, and the name or IP address match with a
network element that already exists in the destination server, then the system replaces
the unmanaged network element with the one that is already available, and updates the
links between the existing network elements.

l If you import network elements that the Centralized Control Plane managed in the source
server, then the system adds these network elements also to the Centralized Control
Plane in the destination server.
After the import completes, the ENC Migration Tool shows a corresponding message, and
the imported objects show in the destination server Ensemble Controller Client. The
Ensemble Controller automatically starts the inventory polling to discover the imported
network elements and any related objects such as modules, shelves, ports, and also peers

Ensemble Controller R15.3 Administrator Manual - Issue: A 325

Adtran Configuring Ensemble Controller

for Ethernet network elements if available. Peer network elements are closely related to main
network elements in the Ethernet area, and the system can discover peers only after it
discovered the main element.
7. Restart the Ensemble Controller Client.
8. You must wait for the inventory polling to finish.

a. Verify the Networks tab tree pane for any network element icons that show as white
boxes. These white boxes indicate that the inventory polling for these network elements
has not finished yet.
b. After all icons recover, you can proceed with the steps in this procedure as follows.
9. According to the command that you used in Step 5 to import objects, decide:
l If you used the import-network command, you must still import the links. Proceed with
Step 10.
l If you used these commands, you completed the procedure:
o import-links
o import-servicetree
o import-tracked-services

10. In the ENC Migration Tool, type import-links.

11. Confirm the command if prompted.
The system imports the links as described in Step 6.
After the import completes, the ENC Migration Tool shows a corresponding message.
The LOG file that the system generates from the import is saved to the Ensemble
Controller.../var/migration installation directory.
12. If required, you can view the import LOG file to verify any import phases and results.
13. Proceed with the post-migration steps that you must complete after you finished the import
of the database content to the destination server. See Post-Migration Steps After the Import.

Post-Migration Steps After the Import

Complete these steps to finalize the consolidation of two Ensemble Controller Servers.
If you do NOT complete these steps, the network elements that you imported to the destination
server, are managed by both the source and destination servers.

Requirement for the Post-Migration Steps

The steps in the procedure as follows, assume that you already imported database content to
the destination server as described in Importing Database Content to the Destination Server.

Procedure for the Post-Migration Steps

1. Remove the trapsink registration that still originates from the source server, from the
imported network elements in the destination server.

Ensemble Controller R15.3 Administrator Manual - Issue: A 326

Adtran Configuring Ensemble Controller

a. In the destination server, start the ENC Migration Tool as described in Starting the ENC
Migration Tool.
b. In the ENC Migration Tool, type remove-trapsink.
c. Confirm the command if prompted.
The system removes the source server IP address from all network elements that you
imported. After the system completes to remove all IP addresses, the ENC Migration Tool
shows a corresponding message.
The system automatically adds the destination server IP address to the imported
network element trapsink tables while Ensemble Controller discovers them.

2. Uninstall the source server as described in Uninstalling Ensemble Controller.

Accessing Management Tools

This section provides details about how to access these management tools to configure and
monitor network elements using Ensemble Controller.
If you use Ensemble Controller in an high-availability configuration, the respective Ensemble
Controller menu items to access the FSP Element Manager, the WEB Manager, and the CLI client
are not available in slave mode.

Command Line Interface 327

WEB Manager 329
Element Manager 341

Command Line Interface

Using a Secure Protocol 327
Using an Insecure Protocol 328
Configuring CLI Launch Commands 328

Using a Secure Protocol

If you use the command line interface (CLI) to access network elements (NEs), Ensemble
Controller (ENC) by default uses a secure protocol provided that:
l You installed a secure shell server, for example CopSSH, which is an implementation of
OpenSSH for Windows. For information about how to install CopSSH, see Installing CopSSH.
CopSSH offers both SSH client and server functionality, and you can use it to remotely
administer Windows systems.
l You specified the path for the secure protocol in the fnm.properties file, as described in
Configuring CLI Launch Commands.

Ensemble Controller R15.3 Administrator Manual - Issue: A 327

Adtran Configuring Ensemble Controller

You can specify the appropriate program to access a secure shell client also in the application
bar user menu > User Settings > Browsers tab > Secure Shell (SSH) Path field. The settings you
specify in the Browsers tab take priority, and the system does no longer take the settings from
the fnm.properties file into account.

Using an Insecure Protocol

You can install the Ensemble Controller Client on a Windows or Linux operating system (OS). To
use an insecure protocol that applies globally, you must:
l Specify the full command line for that client on the Ensemble Controller Server by editing the
fnm.properties file according to your OS.
l Locate the CLI client on the Ensemble Controller Client exactly as specified in the
fnm.properties file.

For information about how to specify the (insecure) client command line on the Ensemble
Controller Server, see Configuring CLI Launch Commands.
You can also determine insecure protocols on network element (NE) level. You specify the
respective NE types that are to use the insecure Telnet CLI in the fnm.properties file by adding
them to the property com.adva.fnm.option.useCLIOverTelnet.
You can specify the appropriate program to access an insecure shell client also in the
application bar user menu > User Settings > Browsers tab > Insecure Shell Path field. The settings
you specify in the Browsers tab take priority, and the system does no longer take the settings
from the fnm.properties file into account.

Configuring CLI Launch Commands

Complete these steps to globally configure launch commands for the secure or insecure CLI
client in the fnm.properties file.
After you complete this procedure, the Browsers window that you can open in the application
bar user menu > User Settings, displays the corresponding command values specified as
predefined values in the respective Secure or Insecure Shell Path field.
1. Shut down the Ensemble Controller (ENC) Server as described in Stopping the Ensemble
Controller Server.
2. Open the fnm.properties file for the relevant Ensemble Controller Server by using a text
editor, for example WordPad. The fnm.properties file is located in the Ensemble Controller
installation directory C:\Program Files\ADVA Optical Networking\FSP Network
Manager.
3. In the fnm.properties file, identify the relevant parameter to edit, according to your operating
system (OS), and whether you want to use a secure or insecure protocol:

Ensemble Controller R15.3 Administrator Manual - Issue: A 328

Adtran Configuring Ensemble Controller

Protocol CLI Parameters

Type
Windows Linux

Secure com.adva.fnm.security.ssh.CL com.adva.fnm.security.ssh.CL

I_WINDOWS I_LINUX

Insecure com.adva.fnm.security.CLI_ com.adva.fnm.security.CLI_

WINDOWS LINUX

4. If the number sign <#> is in front of the parameter, remove it.

5. After the equal sign <=>, enter the relevant command as these examples show:
l Example parameter values for the secure protocol:
o com.adva.fnm.security.ssh.CLI_WINDOWS=C:\\Program Files
(x86)\\PuTTY\\putty.exe
o com.adva.fnm.security.ssh.CLI_LINUX=/usr/bin/xterm -e
/usr/kerberos/bin/putty

l Example parameter values for the insecure protocol:

o com.adva.fnm.security.CLI_WINDOWS=cmd /K start telnet
o com.adva.fnm.security.CLI_LINUX=/usr/bin/xterm -e
/usr/kerberos/bin/telnet

For an overview of these parameters maintained in the fnm.properties file, see Graphical
User Interface Options.
To type the path to the application, ALWAYS use slashes “/” even for
Windows commands.

6. Save, and then close the fnm.properties file.

7. Restart the Ensemble Controller server as described in Starting the Ensemble Controller
Server.
8. If the operating system is Windows 10, open Control Panel > Programs and Features > Turn
Windows features on or off.
9. Scroll down, and then select Telnet Client.
10. Click OK.

WEB Manager
You can use the WEB Manager to access and manage network elements through the web
interface from the Ensemble Controller Client. The WEB Manager opens in the default web
browser or a web browser that you can specify in the application bar user menu > User Settings
> Browsers tab:

Ensemble Controller R15.3 Administrator Manual - Issue: A 329

Adtran Configuring Ensemble Controller

To globally specify a web browser, see the fnm.properties file located in the Ensemble Controller
installation directory (C:\Program Files\ADVA Optical Networking\FSP Network Manager) and
edit the property com.adva.fnm.security.browser_<operating system>. For more information
about this property, see Security Options.
See these topics for more details about the WEB Manager:

Single Sign-On Support (SSO) 330

HTTP or HTTPS Communication 338

Single Sign-On Support (SSO)

To seamlessly open the WEB Manager from the Ensemble Controller Client, you can use the
method of SSO.
If you use the method of SSO, you must no longer enter any network element login and
password credentials to open the WEB Manager.
Ensemble Controller supports SSO for those network elements that also have this support.

Scenarios That Support SSO

For SSO to work, the Ensemble Controller user account and password must be the same as the
network element user account and password. For information about how to create a user
account for Ensemble Controller with the same exact login credentials as the network element
account, see Users Tab.
With this requirement in mind, this table outlines the scenarios that support SSO.

No. Scenario Description For details, see ...

1. RADIUS-defined The system always l Establishing a Single Sign-

accounts synchronizes RADIUS- On Connection
defined accounts so that l Setting Up RADIUS
the network element and Authentication This topic
Ensemble Controller share provides instructions about
the same user accounts how to create a RADIUS
and passwords. account for centralized
authentication for both,
Ensemble Controller and
network element.
2. Manual user You must manually Establishing a Single Sign-On
account and synchronize all user Connection
password accounts and passwords
adaption so that they are the same
on both, the network
element and Ensemble
Controller for all users who
want to use SSO.

Ensemble Controller R15.3 Administrator Manual - Issue: A 330

Adtran Configuring Ensemble Controller

No. Scenario Description For details, see ...

3. No RADIUS or If you neither use RADIUS or Establishing an SSO

TACACS+, and no TACACS+ nor do you Connection Using Fallback
manual user manually synchronize user Passwords
account or accounts and passwords,
password you can use the fallback-
adaption user password
configuration.

4. Token-based If you use SSO through an Establishing an SSO

authentication ad hoc account, you can Connection Using an Ad-Hoc
with user account use RADIUS and RSA Local Network Element
and password SecureID. You cannot use Account
adaption SSO with a fallback
password as described in
No 3., because passwords
change every minute.

5. Standard WEB If you cannot meet the User Manual

Manager use requirements for the
scenarios no. 1-3, for
example, user accounts or
passwords do not match or
communication fails,
Ensemble Controller opens
the default login page for
the network element in the
WEB Manager.

Establishing a Single Sign-On Connection

Complete the steps in this section to establish a single sign-on (SSO) connection for:
l Ensemble Controller Server and Client
l Network element
l Communication ports
l Protocols
–and–
l Used interfaces

For a better overview, the required steps are diagrammed in Figure 19.
The information is based on the use cases no. 1 and 2 described in Scenarios That Support SSO.

Ensemble Controller R15.3 Administrator Manual - Issue: A 331

Adtran Configuring Ensemble Controller

Figure 19: Diagram for the SSO Connection Procedure

1. "Sent SSO action to server"

The Ensemble Controller Client (GUI) sends a request to the Server.
2. "Initial HTTPS communication to NE"
The Ensemble Controller Server sends a "Hello" message to the network element.
3. "Return signed certificate"
The network element returns a signed certificate to the Ensemble Controller Server.
4. "Return Certificate to user for acceptance"
The Ensemble Controller Server sends the certificate to the Client (GUI) for the user to take
further actions.
In the Examine Server Certificate dialog, click the appropriate button:

Button Description

Accept Click to permanently store the certificate on the server. Once

accepted, this certificate is also accepted for all other users in the
system. Ensemble Controller stores the file with the accepted
certificate in the installation directory .../ssocerts according to your
operating system and thus enables SSO support for that network
element.

Accept Click to temporarily store the certificate in the Ensemble

Temporary Controller Client cache. That is, Ensemble Controller removes the
certificate from the server when you close the Ensemble Controller
Client.

Ensemble Controller R15.3 Administrator Manual - Issue: A 332

Adtran Configuring Ensemble Controller

Button Description

Reject Click to disable the SSO support for that network element. Ensemble
Controller does not accept the certificate and thus raises a respective
security event (SSO-SEC: "NE certificate has been rejected by <user
name>"). The event displays in the tab pane, Security tab. The WEB
Manager login page opens.

Cancel Click to stop and to not open the web interface. You can also use X
Close to exit the window.

5. "If certificate accepted open SSO with user and password"

After you select Accept, you start SSO through user and password authentication towards
the Ensemble Controller Server.
6. "Sent login/ pass to NE"
The Ensemble Controller Server sends an HTTPS request to the network element with
password and user name to get a token for the SSO authentication.
Port 443 is used for the communication between the Ensemble Controller Server and the
network element.
7. "Return Authentication Token"
The network element sends a token response to the Ensemble Controller Server.
8. "Return Authentication Token to GUI"
The Ensemble Controller Server sends a token back to the Client.
9. "Send Authentication Token to WEB Browser"
10. "Access NE with Authentication Token"
The Ensemble Controller Client opens the web browser using token authentication towards
the network element without any user or password information. Port 443 is used for the
communication between the web browser and the network element.
For an overview of communication ports used by the Ensemble Controller Server or Client
and network element, see Communication Ports.

Establishing an SSO Connection Using Fallback Passwords

This section is based on the standard single sign-on (SSO) procedure described in Establishing
a Single Sign-On Connection and adds the option of using fallback passwords if you use the
web interface to log into the Network Element Director (NED).
The network element fallback-user password-management tool manages fallback passwords
detailed in Fallback Solution if the Network Element Connection Fails.

Requirements to Use SSO With Fallback Passwords 334

Procedural Description 335

Ensemble Controller R15.3 Administrator Manual - Issue: A 333

Adtran Configuring Ensemble Controller

Requirements to Use SSO With Fallback Passwords

l To use SSO with fallback passwords, in the fnm.properties file, edit these two properties:
o Set the property com.adva.fnm.option.SSOviaFBP to true.
o Remove the number sign # at the beginning of the property
com.adva.fnm.option.FallbackNEUserID, and then specify the name of the fallback
user that the system uses to log into the network element in the fallback case.
The fallback user name must be different from the one that you specify
for the SNMP communication to the network element. If the names are
identical, the password setting for the fallback user will fail.

For information about how to edit properties in the fnm.properties file, see Editing the
fnm.properties File.
l These network elements support SSO with a fallback password if they have the stated
software version:

Network Element Required

Software
Version

FSP 150CC-GE206V 11.1.1

FSP 150-XG210

FSP 150-XG210C

FSP 150-XG116Pro

FSP 150-XG116Pro-H

FSP 150-XG118Pro-SH

FSP 150-XG120Pro

FSP 150-XG120Pro-SH 11.5.1

FSP 3000R7 15.1.2

l You must configure the relevant network elements to use SNMPv3 authentication and privacy
for communication to Ensemble Controller as described in the User Manual.
l To use SSO with fallback passwords, you need to have the permission SSO NE Login through
Fallback Password. This permission is by default granted only to the role of an administrator
because the system automatically grants administrative user rights on the network element.
The administrator sets permissions and corresponding user roles in the Security Manager. To
open the Security Manager, in the Ensemble Controller (ENC) Settings, select Security, and
then Security Manager.
For more information about user roles and allocated privileges, see Roles and Allocated
Actions.

Ensemble Controller R15.3 Administrator Manual - Issue: A 334

Adtran Configuring Ensemble Controller

Procedural Description
This procedure describes how you can establish an SSO connection using fallback passwords
for the Ensemble Controller Server and Client, and network element (NE), including
communication ports, protocols, and used interfaces. For a better overview, the required steps
are diagrammed in Figure 20.
The information is based on the use case no. 3 described in Scenarios That Support SSO.
Figure 20: Diagram of the SSO Connection Procedure Through Fallback Password

1. Steps P1 to P2 are part of the network element fallback password management procedure. It
happens already after network element discovery to establish the fallback user, which has a
one-time password.
2. Steps T1 to T10 are part of the SSO feature.
l Step T1 is triggered later when the user requests the Web Manager option the first time.
l With Step T6, the token request is modified to take the user and the one-time password
managed by the network element fallback password procedure instead of the values for
the actual user of the Ensemble Controller Client.
3. If the SSO feature fails, the Web Manager opens the default login page for the network
element in the web browser.

Establishing an SSO Connection Using an Ad-Hoc Local Network

Element Account
This section describes an extension of the standard single sign-on (SSO) procedure described
in Establishing a Single Sign-On Connection.
The extended SSO procedure contributes to log into the Network Element Director (NED) if you
use RADIUS and RSA SecureID. You usually use the web interface to log into the NED. Whenever
you log into the NED, Ensemble Controller uses SNMP to create a special temporary local ad-hoc
user account (AHA).

Ensemble Controller R15.3 Administrator Manual - Issue: A 335

Adtran Configuring Ensemble Controller

Requirements to Use SSO With Ad-Hoc Accounts

l To enable SSO with ad-hoc accounts, in the fnm.properties file, set the property
com.adva.fnm.option.SSOviaAHA to true.
For information about how to edit properties in the fnm.properties file, see Editing the
fnm.properties File.
l These network elements support the extended SSO procedure if they have the stated
software version:

Network Element Required

Software
Version

FSP 150CC-GE206V 11.1.1

FSP 150-XG210

FSP 150-XG210C

FSP 150-XG116Pro

FSP 150-XG116Pro-H

FSP 150-XG118Pro-SH

FSP 150-XG120Pro

FSP 150-XG120Pro-SH 11.5.1

FSP 3000R7 16.2.1

l You must configure the relevant network elements to use SNMPv3 authentication and privacy
for communication to Ensemble Controller as described in the User Manual.
l You must enable the Single Sign-On 2-Factor flag on the relevant network elements.
l To use the extended SSO procedure, you need to have the permission SSO NE Login through
Temporary Account. This permission is by default granted only to the role of an administrator
because the system automatically grants administrative user rights to the ad-hoc accounts
that it creates on the network element.
The administrator sets permissions and corresponding user roles in the Security Manager. To
open the Security Manager, in the Ensemble Controller (ENC) Settings, select Security, and
then Security Manager. For more information about user roles and allocated privileges, see
Roles and Allocated Actions.

Procedural Description
This procedure describes how you can establish an SSO connection using an ad-hoc account
for the Ensemble Controller Server and Client, and the network element (NE), including
communication ports, protocols, and used interfaces. For a better overview, the required steps
are diagrammed in .
The information is based on the use case no. 4 described in Scenarios That Support SSO.

Ensemble Controller R15.3 Administrator Manual - Issue: A 336

Adtran Configuring Ensemble Controller

Diagram for the SSO Connection Procedure Through Ad-Hoc Account

1. Ensemble Controller Client to Server: Go to NE through Web Manager action.

The Ensemble Controller user wants to access the NED without another login.
2. Ensemble Controller Server to NE: Configure local user (and password) on NE.
A local user with the same or a similar name as the Ensemble Controller user is temporarily
added to the local user NE database. Ensemble Controller reuses the original login
password, which ensures that it changes all the time. FSP 3000R7 NEs accept user names in
the local database only with 10 characters.
l The system prefixes the Ensemble Controller user name with an underscore, for example:
_encUser. If the name exceeds 10 characters, for example: EnsembleControllerUser, the
system additionally truncates the name to include 10 characters only, for example: _
EnsembleC
l If the system fails to create a user as described, it abandons the SSO login procedure.

3. NE to Ensemble Controller Server: Local user (and password) confirmed by NE.

4. Ensemble Controller Server to NE: Initial HTTPS communication to NE.
Steps 4 to 7 are only taken place once, upon first contact.
5. NE to Ensemble Controller Server: Return signed certificate.
6. Ensemble Controller Server to Client: Present certificate to the user for acceptance (options:
accept, accept temporary, reject, cancel).
7. Ensemble Controller Client to Server: If certificate is accepted by the Ensemble Controller
user, confirm.
8. Ensemble Controller Server to NE: Token request: Send local user and password to NE (with
flag: Don’t ask RADIUS!).
A token request with special flag is sent asking to be locally authenticated.
9. NE to Ensemble Controller Server: Return authentication token.
If successful, the token is returned by the NE.

Ensemble Controller R15.3 Administrator Manual - Issue: A 337

Adtran Configuring Ensemble Controller

10. Ensemble Controller Server to Client: Return authentication token.

11. Ensemble Controller Client to Web Browser: Send authentication token to Web Browser.
12. Browser to NE: Access NE with authentication token.
SSO completed. The Ensemble Controller user is logged in to the NE.
The name displayed on the NE is the same as the Ensemble Controller user name.
13. Ensemble Controller Server to NE: Remove local user from NE.
The local NE user account is removed after one hour of inactivity. Additionally, the encrypted
user password is removed from the Ensemble Controller database.
14. NE to Ensemble Controller Server: Local user removal confirmed by NE.

Disabling a Single Sign-On Connection

To permanently disable a single sign-on (SSO) connection, complete these steps.
1. In the fnm.properties file, edit this property:
com.adva.fnm.option.ssoDisabled.device.types
2. At the beginning of the property name, remove the number symbol (#).

3. After the equal sign (=), specify the NE types that you want to disable an SSO connection for.
Use one of these methods:
l Enter NE types separated by a semicolon (;), for example
com.adva.fnm.option.ssoDisabled.device.types=FSP 150-GE114SH;FSP 150-
XG210;FSP 150-XG418.
l For all device types, enter ANY.

For more information about how to edit the fnm.properties file, see Editing the fnm.properties
File.

HTTP or HTTPS Communication

The Ensemble Controller Server can use HTTP or HTTPS to communicate between the browser
opened on the client computer and the web server in the network element.
If no direct IP connectivity exists between the browser and the web server, which means the
Ensemble Controller Server uses two different networks for the clients and the DCN without
routing in between, you must configure a proxy server for the HTTP or HTTPS traffic using either of
these options:
l Configuring the Ensemble Controller-Internal HTTP Proxy that is installed as a service
automatically during the Ensemble Controller installation process.
–or–
l Configuring a Standard HTTP or HTTPS Proxy Server that has access to both networks, for
example the server that runs the Ensemble Controller Server process.

Configuring the Ensemble Controller-Internal HTTP Proxy

The Ensemble Controller-internal HTTP proxy, which is installed as a service during the Ensemble
Controller installation process, is a standard web-reverse proxy. The system disables this proxy
by default. To enable it, use either of the options described as follows.

Ensemble Controller R15.3 Administrator Manual - Issue: A 338

Adtran Configuring Ensemble Controller

If you upgrade your Ensemble Controller, and you require the HTTP proxy
service to run, you must re-enable it.

Editing the Property in the fnm.properties File 339

Configuring the Service in the Services Window 339

Editing the Property in the fnm.properties File

1. In the fnm.properties file, set this property to yes. See Editing the fnm.properties File.
com.adva.nlms.mediation.server.proxy.startModule

After you set the property to yes, the HTTP proxy service starts or stops automatically
whenever the Ensemble Controller Server starts or stops.

By default the proxy uses the port 9090.

2. If required, you can use this property to change the proxy port:
com.adva.nlms.mediation.server.proxy.port

Configuring the Service in the Services Window

1. Go to Start > Control Panel > Administrative Tools > Services.
2. In the Services window, right-click ADVA: Http Proxy, and then select one of these options
relevant for your needs:
l Select Start to enable the proxy service only for this one session that is, you must repeat
this step every time you log into Ensemble Controller if you want the service to run.
–or–
l Select Properties to configure the service to automatically start every time you log in.

a. In the ADVA: Http Proxy Properties window, Startup type field, select Automatic.
b. In the Service status field, verify the status. If required, select Start to start the service.
After you start the service, the status changes to Running.
c. Select Apply, and then OK to confirm your settings, or Cancel.

Configuring a Standard HTTP or HTTPS Proxy Server

1. Select the Windows Start icon, for example for Windows 10.
2. To start a search, type proxy.
3. From the search results, select Change proxy settings.

Ensemble Controller R15.3 Administrator Manual - Issue: A 339

Adtran Configuring Ensemble Controller

The Proxy settings window displays:

Consider that the proxy server must be used ONLY to access network
elements.
Therefore, we recommend that you use an automated configuration script
as described in Step 4, in which you can select only networks with network
elements. This guarantees accurate DCN IP networks.
Avoid using the setting options Automatically detect settings or Manual
proxy setup. They could lead to a misconfiguration and thus to a proxy-
server overload.

4. Proceed with one of these configuration methods:

l Automatic proxy setup
o Select Automatically detect settings to turn this feature on or off. After you enable it,
the system automatically detects proxy settings, which might not be appropriate in

Ensemble Controller R15.3 Administrator Manual - Issue: A 340

Adtran Configuring Ensemble Controller

any case.
o (Recommended) Select Use setup script to turn this feature on or off. After you enable
it, you can configure the proxy by means of a proxy auto-configuration (PAC) script.
The Windows operating system (OS) provides the example PAC script nmsproxy.pac
located in the Ensemble Controller installation directory C:\Program Files\ADVA
Optical Networking\FSP Network Manager\ws\webapps\proxy\nmsproxy.pac
You can use this example script as basis and adapt it in accordance with your
network structure. Enter the IP address of the Ensemble Controller Server where the
proxy is located including the port and the path to the PAC file. The address format is
http://<ENC Server IP address>:<port>/<PAC file path>

l Manual proxy setup

Select Use a proxy server to turn this feature on or off. After you enable it, edit these fields:

Field Description or Steps

Address Type the Ensemble Controller Server IP address where the proxy is
located.

Port Type the port that the proxy uses.

Use the proxy Type the IP addresses of the proxy servers that you want to
server except exclude. It is important that you exclude the ones that do not
for addresses contain managed elements to protect the proxy server from
that start with ... overloading and eventually crashing.

5. After you enable one of the configuration methods, disable the other options.
6. Click Save for both configuration options. For each option, you have a separate Save button.

Element Manager
To access the Element Manager from the Ensemble Controller client, complete these
procedures:

Installing the Element Manager 341

Enabling the SNMP Forwarder Service 342

Installing the Element Manager

1. Download the ElementManager.tar file from Customer Portal and copy it to Ensemble
Controller installation directory, for example: /opt/adva.
2. Untar the element manager file:
tar -xvf ElementManager.tar
3. Run eminstall script:
./eminstall

Ensemble Controller R15.3 Administrator Manual - Issue: A 341

Adtran Configuring Ensemble Controller

Enabling the SNMP Forwarder Service

To open the Element Manager from the Ensemble Controller Client to manage FSP 1500 devices,
you must enable the SNMP Forwarder service described as follows. By default, the SNMP
Forwarder service is disabled.

If you upgrade your Ensemble Controller, and you require the SNMP Forwarder
service to run, you must re-enable it.

Enabling the SNMP Forwarder Service in Windows

To enable the SNMP Forwarder service in Windows, use either of these options:

Running the Script File 342

Configuring the Service in the Services Window 342

Running the Script File

To start the SNMP Forwarder service, in the Ensemble Controller installation bin directory, run the
StartSnmpForwarder.bat script file.
To stop the service, run the StopSnmpForwarder.bat script file.

Configuring the Service in the Services Window

1. Go to Start > Control Panel > Administrative Tools > Services.
2. In the Services window, right-click ADVA: SNMP Forwarder, and then select one of these
options relevant for your needs:
l Select Start to enable the service only for this one session that is, you must repeat this
step every time you log into Ensemble Controller if you want the service to run.
–or–
l Select Properties to configure the service to automatically start every time you log in.

a. In the ADVA: SNMP Forwarder Properties window, Startup type field, select Automatic.
b. In the Service status field, verify the status. If required, select Start to start the service.
After you start the service, the status changes to Running.
c. Select Apply, and then OK to confirm your settings, or Cancel.

Enabling the SNMP Forwarder Service in Linux

To start the SNMP Forwarder service, at the command prompt, type:
./snmpforwarder.sh start
Additional Options:
l To stop the service, type:
./snmpforwarder.sh stop

Ensemble Controller R15.3 Administrator Manual - Issue: A 342

Adtran Configuring Ensemble Controller

l To verify the SNMP Forwarder status, type:

./snmpforwarder.sh status

Fault Management
This chapter discusses topics that contribute to manage faults and if required correct
malfunctions in the network.

Enabling Logging of Service Affected Alarms in the Ensemble Controller Database 343
Enabling and Configuring Event Logging to External CSV File 343
Installing the OSA WinSTS Tool 345

Enabling Logging of Service Affected Alarms

in the Ensemble Controller Database
To enable logging of service affected alarms in the Ensemble Controller (ENC) database, edit
the parameter
com.adva.nlms.mediation.event.storeServiceOperStateChangeAlarms
in the fnm.properties file as described in the Editing the fnm.properties File section in the
Administrator Manual. These values are supported:
l yes - service affected alarms are stored in the Ensemble Controller database.
l no - (by default) service affected alarms are not stored in the Ensemble Controller database.

Enabling and Configuring Event Logging to

External CSV File
In addition to the Ensemble Controller (ENC) global event database, continuous logging of
events to an external comma separated values (CSV) file can be enabled, sorted by Ensemble
Controller detection time. This makes it possible to export events into other archiving tools.
If event properties are updated (correlated), a new line is added to the CSV file. The CSV file is
stored in the Ensemble Controller installation directory under var\log. It is created automatically
and named eventlog.csv.
The maximum size for this file can be specified, and when the file reaches this size, Ensemble
Controller creates a backup, eventlog.csv.<n>. It then clears the eventlog.csv file, and continues
logging in it. The number of such backups that Ensemble Controller is to create before starting
to overwrite old backups is configurable as well.
The file log4j2.xml governs whether event logging is done to an external CSV file or not. Also,
properties allow for configuring the way in which the external CSV file is presented. The xml file is
located in the Ensemble Controller installation directory.

Ensemble Controller R15.3 Administrator Manual - Issue: A 343

Adtran Configuring Ensemble Controller

Only alter properties in the log4j2.xml file that are described in this procedure.

1. Navigate to the Ensemble Controller installation directory.

2. Identify the log4j2.xml file and open it with a suitable editor, for example Windows Notepad.
3. Identify this section in the xml file:

4. Enable or disable logging to the external CSV file:

a. In the '# Ensemble Controller CSV event logger' section, identify the entry
CSVEventLogger.
b. To enable event logging to the external CSV file, edit that line so it reads as follows:
<Logger name=”CSVEventLogger” level=”on” as suggested in the header of the new
log4j2.xml file.
c. To disable event logging to the external csv file, edit that line so it reads as follows:
<Logger name=”CSVEventLogger” level=”off”
5. If appropriate, in the 'Appenders' section, adapt property values to configure the external
CSV file as required:
a. To set the number of backups and the maximum size of the external CSV file, identify
these properties (in bold below):
<Appender name="csveventlog" type="RollingFile"
fileName="$(logdir)/eventlog.csv"
filePattern="$(logdir)/eventlog.csv.%i"
append="true" >
<Layout type="PatternLayout" pattern="%m" />
<DefaultRolloverStrategy max="10" />
<SizeBasedTriggeringPolicy size="1mb" />
</Appender>

Ensemble Controller R15.3 Administrator Manual - Issue: A 344

Adtran Configuring Ensemble Controller

l Type the maximum number of backups after the equal sign (=) of the property
“<DefaultRolloverStrategy max="10" />”.
l Type the maximum size of the external CSV file after the equal sign (=) of the property
“<SizeBasedTriggeringPolicy size="1mb" />”.

b. To apply a time policy, add a <Policies> tag and the respective property tags to the
'Appender' structure as indicated in this example:
<Appender name="csveventlog" type="RollingFile"
fileName="${logdir}/eventlog.csv"
filePattern="${logdir}/eventlog_%d{yyyy-MM-
dd}.csv.%i" append="true" >
<Layout type="PatternLayout" pattern="%m" />
<DefaultRolloverStrategy max="10" />
<Policies>
<SizeBasedTriggeringPolicy size="1mb" />
<TimeBasedTriggeringPolicy interval="1"/>
</Policies>
</Appender>

l Type the maximum number of intervals after the equal sign (=) of the property
“<TimeBasedTriggeringPolicy interval="1"/>”.
This value determines how often the file is created (1=every day/month, 2=every
second day/month, …).
l To create a new file every day or month, you can adapt the ‘filePattern’ attribute
accordingly:
-> per day: filePattern=…{yyyy-MM-dd})
-> per month: filePattern=…{yyyy-MM})

6. Save the file and exit the editor.

Installing the OSA WinSTS Tool

The OSA WinSTS tool is a synchronization analysis tool that is used on Windows operating
systems (OS) to process and analyze long term 'time interval error' (TE TIE) test results (raw
data) exported beforehand.

Ensemble Controller R15.3 Administrator Manual - Issue: A 345

Adtran Configuring Ensemble Controller

For information about exporting raw data files, see the Synchronization Management Guide,
Exporting Long-Term Test Results.
Complete these steps to install the OSA WinSTS tool in Windows.
1. Download the WinSTS.zip file from the Customer Portal, and extract it to a folder of your
choice.
2. Double-click the setup.exe file in the WinSTS.net\V<version number>\Install folder.
The WinSts setup wizard displays:

3. Select Next.

Ensemble Controller R15.3 Administrator Manual - Issue: A 346

Adtran Configuring Ensemble Controller

4. The 'Select Installation Folder' wizard page opens:

5. Follow the instructions in this window and click Next.

The 'Confirm Installation' wizard page opens:

6. Click Next to start the installation or Cancel to abort the action.

The 'Installation Complete' wizard page opens:

Ensemble Controller R15.3 Administrator Manual - Issue: A 347

Adtran Configuring Ensemble Controller

7. Click Close.
8. You can now view exported WinSTS files as described in the Synchronization Management
Guide, Viewing Exported OSA WinSTS Files.

Ensemble Controller R15.3 Administrator Manual - Issue: A 348

Adtran Maintaining Ensemble Controller

Chapter 4
Maintaining Ensemble
Controller
This chapter describes how to maintain Ensemble Controller.

Adding or Removing Ensemble Controller Features 349

Changing the Database Password 356
Verifying the Ensemble Controller Server by Using the Healthcheck Script 358
Considerations When Replacing FSP 3000R7 Network Elements 359
Locking Client Upgrades or Downgrades 359
Customizing Network Element Icons 359
Updating Ensemble Controller Database Information 360
Upgrading Ensemble Controller 365
Upgrading Sync Assurance in Linux 380
Upgrading Ensemble Fiber Director in Linux 387
Uninstalling Ensemble Controller 387
Uninstalling Linux Applications 390
Uninstalling the Sync Assurance Application 390

Adding or Removing Ensemble

Controller Features
To add or remove Ensemble Controller features, the maintenance mode application is used.

Adding Features to the Ensemble Controller 350

Removing Features from the Ensemble Controller 353

Ensemble Controller R15.3 Administrator Manual - Issue: A 349

Adtran Maintaining Ensemble Controller

Adding Features to the Ensemble Controller

Complete these steps to add features to the installed Ensemble Controller by means of the
maintenance mode application:
1. In the Ensemble Controller installation directory, Change_Ensemble Controller folder, start
the Change Ensemble Controller.exe file. The Maintenance Mode window opens:

2. Select Add Features.

Ensemble Controller R15.3 Administrator Manual - Issue: A 350

Adtran Maintaining Ensemble Controller

3. Click Next. The Add Features window opens:

4. Click Next. The Choose Install Set window opens:

Before you select ENC Client without automatic updates, first verify whether
you removed the ENC Client feature. If not, remove it as described in
Removing Features from the Ensemble Controller, and then resume this
procedure. Ensemble Controller supports only either one of the clients.

Ensemble Controller R15.3 Administrator Manual - Issue: A 351

Adtran Maintaining Ensemble Controller

5. Select the additional features to install, and then click Install. A status bar and status
messages indicate progress. The installation continues as illustrated:

After the installation completes, the Installation Complete window displays:

6. Click Done to complete the procedure.

Ensemble Controller R15.3 Administrator Manual - Issue: A 352

Adtran Maintaining Ensemble Controller

Removing Features from the Ensemble

Controller
Complete these steps to remove features from the installed Ensemble Controller by means of
the maintenance mode application:
1. In the Ensemble Controller installation directory, Change_Ensemble Controller folder, start
the Change Ensemble Controller.exe file. The Maintenance Mode window opens:

2. Select Remove Features.

Ensemble Controller R15.3 Administrator Manual - Issue: A 353

Adtran Maintaining Ensemble Controller

3. Click Next. The Remove Features window opens:

4. Click Next. The Choose Product Features window opens:

5. Select the features that you want to remove, and then click Uninstall.
The Ensemble Controller Server automatically shuts down independently from the selected
features. The Post Uninstall Process window appears indicating the Ensemble Controller
service termination:

Ensemble Controller R15.3 Administrator Manual - Issue: A 354

Adtran Maintaining Ensemble Controller

6. Click OK to continue. A status bar and status messages indicate progress while uninstalling.
After the uninstall procedure completes, the Uninstall Complete window displays. If there are
installation remnants that could not be removed by the uninstall process, they are listed
including their location as illustrated:

7. Make note of the installation remnants. Delete the folders and their contents manually after
you finish this procedure.
8. Click Done to complete the procedure.
9. Restart the server as described in Starting the Ensemble Controller Server.

Ensemble Controller R15.3 Administrator Manual - Issue: A 355

Adtran Maintaining Ensemble Controller

Changing the Database Password

Complete these steps to change the database password for Windows and Linux.
After you complete this procedure, the new password takes immediate effect that is, server and
database will communicate using the new password from the moment that the password
change completes and the server restarts.
1. Depending on your operating system, navigate to either of these script files located in the
bin folder of the respective Ensemble Controller installation directory:
l In Windows, double-click the nmsadmin.bat file.
l In Linux, type ./nmsadmin.sh in the command line.

The nmsadmin script file opens:

With each command that you type, press ENTER to activate the command.

2. Type Y to select Change Database Password:

Enter letter and press enter:

DB password change

Database running

Password file not found

Ensemble Controller R15.3 Administrator Manual - Issue: A 356

Adtran Maintaining Ensemble Controller

Initiating default authentication...

User adva authenticated with default password

Please enter new database password (attempt 1 of 4):

l If you change the password for the first time, you are asked to enter only the new
password.
l If you change the password again, you are asked to enter the current, and then the new
password:

Please enter current database password (attempt 1 of 4):

Password valid for user adva

Please enter new database password (attempt 1 of 4):

Please enter it again:

3. Type the new password when prompted, and then repeat it.
The password must contain a minimum of 8 characters to be valid. This password rule is
specified by default in the server preferences. If required, you can change it as appropriate.
For information about how to change password characteristics and other security-related
parameters, see Editing Security Parameters.
l If the repeated password does not match or is invalid, you can repeat it three more times
as indicated in brackets. If you exceeded the allowed attempts, follow the instructions to
restart the procedure.

l When the system declares the entered new password valid, the password change action
completes by restarting the server:

Security properties loaded from db

New password is valid

Password updated

Database password change complete

Restarting server...

4. As prompted, press any key to continue and the action finalizes.

Ensemble Controller R15.3 Administrator Manual - Issue: A 357

Adtran Maintaining Ensemble Controller

Verifying the Ensemble Controller

Server by Using the Healthcheck
Script
If you run the healthcheck script, Ensemble Controller creates a health report, which is useful for
Technical Services when analyzing and troubleshooting problems.
See the relevant section for information about how to run the healthcheck script according to
your operating system:
l For Windows
l For Linux

For Windows
1. Right-click the healthcheck_nms.bat file located in: C:\Program Files (x86)\ADVA
Optical Networking\FSP Network Manager\bin
2. Select Run as administrator.
3. Follow further instructions on the screen.
When complete, Ensemble Controller created a ZIP file and stored it in the same location
that is C:\Program Files (x86)\ADVA Optical Networking\\FSP Network
Manager\bin
It is named according to this example:
healthreport_MGN-N-SINAD_2017_06_29_14_11_26.zip

For Linux
1. As a root level user, run the healthcheck_nms.sh file located in: /opt/adva/fsp_nm/bin/
2. Follow further instructions on the screen.
When complete, Ensemble Controller created a GZ file and stored it in the same location
that is /opt/adva/fsp_nm/bin/
It is named according to this example:
healthcheck_fspnap05_20170526_1555.tar.gz

Ensemble Controller R15.3 Administrator Manual - Issue: A 358

Adtran Maintaining Ensemble Controller

Considerations When Replacing

FSP 3000R7 Network Elements
When you replace FSP 3000R7 network elements, and then restart the Ensemble Controller
Server, the software loses SNMP communication to the Ensemble Controller. After you replace
the network element, the software generates a new engineID (password) based on the shelf
serial number. The new engineID causes a mismatch between the passwords that the
Ensemble Controller uses and the FSP 3000R7 network element password.
To refresh the FSP 3000R7 password after replacement, right-click the network element, and
then select Reset SNMP Session to reset the SNMP session.
After the SNMP session resets, you can restart the Ensemble Controller Server as described in
Starting the Ensemble Controller Server.

Locking Client Upgrades or

Downgrades
Under normal operation, you are prompted to upgrade or downgrade your client upon logging
in if your current Ensemble Controller Client version is older than or incompatible with the
Ensemble Controller Server. However in certain situations, upgrade or downgrade of the client
installation package needs to be locked, for example during an Ensemble Controller Server
upgrade.
To lock upgrades or downgrades of the Ensemble Controller Client, manually delete or move
the client installation package from this client repository on the server:
ENC Installation Directory\ws\webapps\clientUpdate

You need to have full administrator permissions on your computer to delete

the client installation package from the designated folder.

Customizing Network Element Icons

To display the function of an individual network element, you can change its icon. This icon then
displays in the Topology Graph and Topology Map for all clients attached to this server. For
more information about how to change the network element icon, see the User Manual,
Configuring the Network Element Identity.
Complete these steps to customize and place your network element icons.
1. On the Ensemble Controller Server, go to the folder
<InstallLocation>\ws\webapps\customimages\netypes.

Ensemble Controller R15.3 Administrator Manual - Issue: A 359

Adtran Maintaining Ensemble Controller

Each network element type has its own folder.

When you install Ensemble Controller, it creates a network element folder
structure. Keep this structure exactly as it is. Do not delete or rename the
folders. The client can read the custom icons from their respective folders
only if you maintain the original structure.

2. Navigate to the folder of the network element type that you want to provide an icon image
for.
3. Add icon images that conform to these guidelines:
l File type: PNG, JPG, GIF. Avoid the use of animated GIFs or use only sparingly.
l Image size: The default dimensions are width=40 and height=26 pixels, but any size
displays correctly if the width and height are within the minimum (10) and maximum (64)
pixels. If the image width or height is too small or too large, the image will display, but the
software will scale it to fit and will likely appear distorted.
l Quantity: The Ensemble Controller supports up to 64 image files per network element
type folder.

4. You might need to reselect the targeted network element or its subnet before the new icon
will appear in the Overview tab’s selector. There is no need to restart the mediation server or
the client.

Updating Ensemble Controller

Database Information
To keep the Ensemble Controller database updated, you have these options:
l Keep Alive Polling, see the User Manual
l Database Update Actions
l Discovery Polling

You can specify these update actions to take place automatically, at regular intervals or
instantly. By default only keep alive polling is enabled for such regular execution, this action is
considered important for ease of management. For the other update actions, the usefulness of
each of them depends on the network element types in your networks, the network element
software releases and what operation routines you will be carrying out.
Enabling these functions is done with the recurring actions tool. For information about
configuring recurring actions, see the User Manual, Specifying Recurring Actions.

Database Update Actions 361

Immediate Database Backup 363
Restoring the Ensemble Controller Database 363
Setting the Number of Database Backup Files Allowed to be Created 365

Ensemble Controller R15.3 Administrator Manual - Issue: A 360

Adtran Maintaining Ensemble Controller

Database Update Actions

The Ensemble Controller maintains a mirror image of some of the network element SNMP MIB
objects in its management database. There are four mechanisms that keep this database up
to date:
l By traps: If an SNMP trap is received, the appropriate objects are updated in the database.
l By 'keep alive polling': The 'keep alive polling' reads original traps from the log located on the
NE and then updates the appropriate objects in the database accordingly.
l By polling: Objects can be polled manually, upon user request. If changes are detected,
polling generates appropriate events in the same way as if these changes were indicated by
SNMP traps.
l Immediately: In the Ensemble Controller Settings, select System, and then Immediate
Database Backup.

These mechanisms are normally sufficient to keep the database up to date. If you for some
reason need to update the database by other means, the Ensemble Controller offers five
separate, manual actions to poll the Network Element or read a file, and thus update the
database.

Status Check
This action updates the information about current alarms and protection status. This can for
example be: loss of signal on an interface or a protection status change.

Configuration Check
This action causes the Ensemble Controller to update its information with regard to any
configuration changes on the Network Element. This can for example be: protection
configuration or configuration of data rate.

Inventory Check
This action causes the Ensemble Controller to verify the NE inventory for changes and applies
those changes to the management database if they are not destructive, for example adds new
modules to the database but does not remove absent modules from the database.
The information in the Network Element Properties window, Shelves and Modules tabs with the
exception of channel assignment, service name and protection status is updated.
Status, configuration or inventory updates must be done by manual polling at the individual
Network Element level. Select the NE and click ”NE Status” from the Networks ribbon menu (Ctrl +
F1), which as well updates alarm/ events, or ”NE Configuration”.
To indicate that an update is ongoing, the Network Element icon changes in the tree pane. For
more information on all kinds of NE icons and symbols, see the User Manual.
For FSP 3000R7, the inventory polling also triggers service discovery based on any tunnels that
are on the NE, with network and client ports being In-Service on both source and destination
NEs.

Ensemble Controller R15.3 Administrator Manual - Issue: A 361

Adtran Maintaining Ensemble Controller

Discovery Polling
Discovery Polling attempts to detect undiscovered NEs present in the network. If detected,
automatic discovery for the NE is triggered, which includes trapsink registration if the process
completes.
The IP address AND NEType of the NE to be discovered must be configured. If the NEType is
missing or a mismatch with the NEType detected at the polled IP address, then the discovery is
aborted and the NE remains in the undiscovered state. To discover this NE nevertheless, it has to
be deleted and added again as described in the User Manual, Adding Network Elements to a
Subnetwork.
The user would then need to manually change NEType by modifying the subnetwork.
The polling interval can be regulated in the recurring actions tool. For information about
configuring recurring actions, see the User Manual.

Immediate Database Backup

Immediate database backup immediately updates the database. For more information, see
Immediate Database Backup.

Backing Up or Restoring the Ensemble Controller

Database
Under certain circumstances, the Ensemble Controller (ENC) database can become corrupted.
This can for example happen if an Ensemble Controller Server workstation power failure occurs
in the middle of a transaction.
In such situations it is necessary to restore to a previous backup. Backups should not be made
by copying directly from the backup database file. This is because the backup database would
be corrupted if a transaction took place during the copying.
Ensemble Controller offers services to make a controlled database backup and restore.
Backups should be made regularly, and the service is hence offered together with the
automated recurring actions. For information about recurring actions, see the User Manual.
Ensemble Controller supports multiple database backup files. The number of backup files is
configurable through a properties file. The names have a timestamp appended to the name.
For compliance with the high availability functionality the last database backup file is stored in
two copies, one file is named dbfnm.tar.gz and the other is named dbfnm yyyy-mm-dd
hh.mm.ss.tar.gz. If you have redundant Ensemble Controller Servers, the backup file will
automatically be moved and restored on the slave server.

To perform Ensemble Controller database backup or restore, you need to have

full user rights on the FTP/ SFTP server - that is read/ write/ modify/ delete.

Ensemble Controller R15.3 Administrator Manual - Issue: A 362

Adtran Maintaining Ensemble Controller

Immediate Database Backup

This operation creates a binary database backup and a textual database backup. The textual
database backup is used to manually restore the database, as described in Restoring the
Ensemble Controller Database. The binary database backup is used by the high-availability
feature to transfer the database between the master and slave servers.
Complete these steps to immediately back up the database:
1. From the Ensemble Controller application bar Settings menu, select System, and then
Immediate Database Backup.

If this is the master high-availability server, the Immediate Database Backup dialog box
shows Automatic high availability synchronization enabled.
2. To manually synchronize the dumped database from the master to the slave server, select
Automatic high availability synchronization.
3. Click Yes to continue, or Cancel to exit the backup operation.
See the message pane for any operation results.
Ensemble Controller saves the binary backup file dbfnm.tar.gz and the textual backup file
dbfnm.sql to the var\db.backup folder in the installation directory. Older backup files have
the date and time in the file name.
4. Copy the backup files to a location associated with a regular backup process.

Restoring the Ensemble Controller Database

This procedure provides the steps to restore previous or current database files and to upgrade
to a newer Ensemble Controller version. Pay attention to the requirements according to your
intended use.

General Requirements 363

Requirements When Upgrading to a Newer Ensemble Controller Version 364
Procedure to Restore the Database in Linux 364
Procedure to Restore the Database in Windows 364

General Requirements
1. Move the database file you want to restore to the Ensemble Controller installation directory
var/db.backup folder.

Ensemble Controller R15.3 Administrator Manual - Issue: A 363

Adtran Maintaining Ensemble Controller

2. To preserve the backup file currently located in the var/db.backup folder, move it to a
different location.

Requirements When Upgrading to a Newer Ensemble

Controller Version
1. If you use this procedure to upgrade to a newer Ensemble Controller version and you wish to
use the reports of the current version, additionally preserve the report files by moving them
to a different location. They are stored in Ensemble Controller installation directory
.../ws/webapps/reportdb.
2. After you complete the restore procedure in this section, move the preserved records back
into their previous Ensemble Controller directories as appropriate.

Procedure to Restore the Database in Linux

1. Shut down the Ensemble Controller Server as described in Stopping the Ensemble Controller
Server.
2. At the command prompt, type:
opt/adva/fsp_nm/bin/restoreDB

3. Start the Ensemble Controller Server as described in Starting the Ensemble Controller Server.

After a launch, the server starts inventory, status and configuration polling for
each NE. If the network has a large number of NEs, the process can take 24
hours to complete the polling and stabilize the server.

Procedure to Restore the Database in Windows

1. Open the restoreDB.bat file located in the Ensemble Controller installation bin folder, and
then follow the prompt commands.
If UAC is enabled, you must run the CMD shell as administrator.

2. To run a CMD shell, follow these steps:

a. Click Start.
b. In the search field, type CMD. Do not press Enter yet.
c. After the search is complete, CMD will display under Programs.
d. Right-click the CMD icon, and then select Run as administrator.
e. Use the CD command and change to the Ensemble Controller installation bin directory.
f. Type restoreDB, and then press Enter.

Ensemble Controller R15.3 Administrator Manual - Issue: A 364

Adtran Maintaining Ensemble Controller

Ignore the error message isAdmin.vbs not found.

3. Start the Ensemble Controller Server as described in Starting the Ensemble Controller Server.

Setting the Number of Database Backup Files

Allowed to be Created
To set this parameter, you need to edit the property
com.adva.fnm.option.databasebackupfilesnumber in the fnm.properties file.
For information about editing the properties in the fnm.properties file, see Editing the
fnm.properties File.

Upgrading Ensemble Controller

Successfully Upgrading Ensemble Controller 365
Requirements to Upgrade Ensemble Controller 367
Reconfiguring Properties for RADIUS or TACACS+ Configurations 368
Enhancing the Database Password Encryption Security 368
Upgrading High Availability Servers 369
Retaining a Customized fnm.properties File 370
Overview of the Upgrade Procedure Steps 371
Upgrading Ensemble Controller in Windows 371
Upgrading Ensemble Controller in Linux 377
Enhancing the User Password Encryption After an Upgrade to Version 14.1 or Later 379

Successfully Upgrading Ensemble Controller

To successfully upgrade to a later Ensemble Controller version, you must have the minimum
installed software version on your system. That is, a certain target release requires a certain
current release. See Figure 21 for an overview of the upgrade sequence that you must follow for
a given current version that you installed.

Ensemble Controller R15.3 Administrator Manual - Issue: A 365

Adtran Maintaining Ensemble Controller

Figure 21: Supported Version-Upgrade Sequences

Color Legend:

Tested and supported upgrade path.

Contact Adtran Technical Support for upgrade path

details. See Technical Services.

Unsupported upgrade path.

Ensemble Controller R15.3 Administrator Manual - Issue: A 366

Adtran Maintaining Ensemble Controller

Always upgrade the Ensemble Controller Server and all of the Ensemble
Controller Clients that use this server at the same time.

Requirements to Upgrade Ensemble

Controller
l If you upgrade to an Ensemble Controller version before 12.1, for example from 10.x to 11.x, you
must enter a new license key.
You can find the licensee name and key printed on a sheet of paper that is included in the
shipment. We will send the license information to you electronically if you request it.
l If you upgrade to the Ensemble Controller version 12.1, Call Adtran to ensure that you are
provided with a set of feature licenses that are equivalent to those you used in previous
versions.
With the Ensemble Controller version 12.1, the Embedded License Server manages any
required licenses that you must order from the Adtran Customer Focus Team. For more
information, see The Embedded License Server.
If you already have used the Embedded License Server before the Ensemble Controller
version 12.1, make sure your Embedded License Server holds either:
o The basic license, for example ENC-SERVER-R12.x, for the target release.
–or–
o An upgrade license for the target release plus a basic license for the previous release.
l Before you upgrade from the Ensemble Controller version 12.x, 13.x, 14.x, or 15.x make sure your
Embedded License Server holds one of these basic licenses plus the needed upgrade
licenses:

Basic License Needed Upgrade Licenses

ENC-SERVER-R15.x -

ENC-SERVER-R14.x ENC-SERVER-U-R15.x

ENC-SERVER-R13.x o ENC-SERVER-U-R14.x and

o ENC-SERVER-U-R15.x

ENC-SERVER-R12.x o ENC-SERVER-U-R13.x,
o ENC-SERVER-U-R14.x and
o ENC-SERVER-U-R15.x

For information about how to verify the licenses that the Embedded License Server currently
provides for your Ensemble Controller device, see the User Manual.

Ensemble Controller R15.3 Administrator Manual - Issue: A 367

Adtran Maintaining Ensemble Controller

Reconfiguring Properties for RADIUS or

TACACS+ Configurations
With each upgrade, Ensemble Controller overwrites the fnm.properties file. As a result, any
RADIUS or TACACS+ servers that you configured in the fnm.properties file might no longer be
available with respect to a centralized login authentication. Therefore, you must reconfigure the
required server in the fnm.properties file.
l For information about how to configure RADIUS servers in the fnm.properties file, see Setting
Up RADIUS Authentication.
l For information about how to configure TACACS+ servers in the fnm.properties file, see Setting
Up TACACS+ Authentication.

If required, you can disable the login authentication through RADIUS or TACACS+ in the security
server preferences as described in Setting Authentication Parameters.

Enhancing the Database Password

Encryption Security
After you upgrade your Ensemble Controller to 15.2 without uninstalling the existing version as
the sections that follow describe, you can enhance the database password encryption
algorithm from the potentially insecure MD5 to the secure SHA256.
With a clean installation to 15.2, which means that any previous Ensemble Controller version
does not exist on the system, the database password is already configured to use the SHA256
encryption algorithm.
See one of these sections according to the version you upgraded, and then complete the steps
to enhance the password security:

Any 13.x Version Upgraded to 13.3 or Later 368

Any Supported Version Before 13.1 Upgraded to 13.3 or Later 369

Any 13.x Version Upgraded to 13.3 or Later

Both the Adtran and the root user passwords currently use the MD5 encryption algorithm. To
enhance the passwords to use the SHA256 algorithm, run the nmsadmin script file. According to
your system, the script file is located here:
l Windows: C:\Program Files (x86)\ADVA Optical Networking\FSP Network
Manager\bin
l Linux: /opt/adva/fsp_nm/bin

To enhance the Adtran user password, in the nmsadmin script file:

1. Type Y, which starts the Change Database Password option.
2. Type a new password as requested.

Ensemble Controller R15.3 Administrator Manual - Issue: A 368

Adtran Maintaining Ensemble Controller

3. Type V to exit the script.

After you change the password in the nms home directory /opt/adva/fsp_nm, the
dbaccess.txt file displays.
4. Copy the dbaccess.txt file to the server that now hosts the standby server.

To enhance the root user password, in the nmsadmin script file:

1. Type Q, which starts the Query DB option.
fnm-#
2. Type this command:
alter user root with password ‘new_password_here’;

Specify the new password by replacing new_password_here, for example:

alter user root with password ‘MyNewPassword#123’;

3. Type exit to exit the Query DB option.

4. Type V to exit the script.

Any Supported Version Before 13.1 Upgraded to 13.3 or

Later
The Adtran user password currently uses the MD5 encryption algorithm. The root user password
by default uses SHA256 already. Complete these steps to enhance the Adtran password to also
use the SHA256 algorithm.
1. Run the nmsadmin script file. According to your system, the script file is located here:
l Windows: C:\Program Files (x86)\ADVA Optical Networking\FSP Network
Manager\bin
l Linux: /opt/adva/fsp_nm/bin

2. Type Y, which starts the Change Database Password option.

3. Type a new password as requested.
4. Type V to exit the script.
After you change the password in the nms home directory /opt/adva/fsp_nm, the
dbaccess.txt file displays.
5. Copy the dbaccess.txt file to the server that hosts the standby server.

Upgrading High Availability Servers

For information about how to upgrade servers that run in a high-availability configuration, see
either of these sections:

Ensemble Controller R15.3 Administrator Manual - Issue: A 369

Adtran Maintaining Ensemble Controller

l Upgrading Ensemble Controller Servers that Use Standard High Availability

l Upgrading Streaming Replication High Availability

Retaining a Customized fnm.properties File

These upgrade scenarios determine whether you manually must take actions to save changed
properties in the fnm.properties file, or Ensemble Controller automatically takes care of it.

Upgrading an Existing Ensemble Controller Version 370

Upgrading by Installing a New Ensemble Controller Version 370

Upgrading an Existing Ensemble Controller Version

If you customized the fnm.properties file to suit your system requirements, and then you
upgrade your Ensemble Controller to a newer version without uninstalling the existing version as
the sections that follow describe, the system automatically:
l Backs up the customized fnm.properties file.
l Identifies the changes in the fnm.properties file.
l Merges the changes to the new fnm.properties file that comes with the upgrade.
l Saves the original ADVA-delivered fnm.properties file that includes the standard release
values to a different name, and thus preserves that file.

With the release version 12.3, the default value for the property
jms.transportProtocol changed from nio to nio+ssl. Therefore, if you
upgrade to the version 12.3, ensure that in the fnm.properties file, you change
the jms.transportProtocol to nio+ssl after you finish the upgrade. For more
information about this property, see Properties for Configuring the Java
Messaging System (JMS).

Upgrading by Installing a New Ensemble Controller

Version
If you customized the fnm.properties file, and then you completely uninstall the existing
Ensemble Controller version to perform a clean installation of the newer version, you must
manually take care of the steps to save changed properties and merge them into the new
fnm.properties file as follows:
1. Before you uninstall the existing Ensemble Controller version as described in Uninstalling
Ensemble Controller, save the customized fnm.properties file to a directory outside of the
Ensemble Controller installation files.
2. After you install the new Ensemble Controller version as described in Installing Ensemble
Controller, paste the customized fnm.properties file that you saved in Step 1, in the Ensemble
Controller backup installation directory.
3. In the Ensemble Controller bin installation directory, use the relevant file:
l For Linux, start the propup.sh file.
l For Windows, start the propup.bat file.

Ensemble Controller R15.3 Administrator Manual - Issue: A 370

Adtran Maintaining Ensemble Controller

The propup file includes these parameter options that you can use to process the file as
required:

Parameter Description

-? The description about the usage of this file.

-i <inputfile> The customized fnm.properties file to be transferred. Defaults to

backup/fnm.properties.

-o <targetfile> The new fnm.properties file where the properties from the customized
fnm.properties file are merged.

-b <backupfile> The file that preserves the original ADVA-delivered fnm.properties file.
Defaults to <targetfile>.org.

-d <propertyId> The identifier in the header of the file followed by the revision. Defaults
to fnm.properties.

-l number The number of lines to be preserved for the footer at the end of the
file. Defaults to 3.

Overview of the Upgrade Procedure Steps

Complete these steps to successfully upgrade Ensemble Controller in this sequence:
1. Copy these files to a secure location for future use:
l ENC Installation Directory\fnm.properties
l ENC Installation Directory\log4j2.xml
l ENC Installation Directory\ws\webapps\reportdb\*
l ENC Installation Directory\CustomProducts\*
l ENC Installation Directory\dbaccess.txt
2. Upgrade Ensemble Controller according to your operating system:
l Upgrading Ensemble Controller in Windows
l Upgrading Ensemble Controller in Linux
Alternatively, see Restoring the Ensemble Controller Database for information about how to
upgrade Ensemble Controller by restoring a previous or current database backup file.
Before you upgrade, the installation script backs up the current Ensemble
Controller Server database to the Ensemble Controller installation directory
/var/db.backup/preupgrade. No manual backup is needed.

Upgrading Ensemble Controller in Windows

Complete these steps to upgrade the Ensemble Controller software version in a Windows
system.

Ensemble Controller R15.3 Administrator Manual - Issue: A 371

Adtran Maintaining Ensemble Controller

Requirements 372
Restriction 372
Procedure to Upgrade in Windows 372

Requirements
l You are informed about Antivirus Software.
l You must follow the upgrade sequence for a given current Ensemble Controller version that
you installed. See Figure 21 for an overview of the version upgrade sequence.
l You have full administrator permissions on your local personal computer. Verify, and if
necessary, modify your computer account settings: go to Start > Control Panel >User
Accounts > Manage User Accounts.
l On the computer where Ensemble Controller is installed, ensure that the system
automatically manages the paging file for virtual memory. At a minimum, set the paging file
to be equal to the system physical memory.

Restriction
DO NOT change your system type from a 32-bit Windows version to a 64-bit
version while the Ensemble Controller is up and running.

If such a system change is necessary, complete these steps:

1. Back up your Ensemble Controller database. Choose from these options:
l The recurring Database Backup action that you configure in Ensemble Controller initiates
regular backups. For information about how to configure recurring actions, see the
Ensemble Controller User Manual.
l In the Ensemble Controller Settings > System > Immediate Database Backup, you can
create immediate backups. For more information about how to start an immediate
backup, see Immediate Database Backup.
l The NMSAdmin script option [J] - Backup Database initiates immediate backups.

2. Uninstall Ensemble Controller as described in Uninstalling Ensemble Controller.

3. Reinstall Ensemble Controller as described in Installing Ensemble Controller in Windows.
4. Restore the Ensemble Controller database as described in Restoring the Ensemble
Controller Database.

Procedure to Upgrade in Windows

1. To start your Ensemble Controller Client, in the tree pane Networks tab, right-click the
Network root.
2. Fix database inconsistencies, see User Manual, Fixing Database Inconsistencies.
3. Close all Ensemble Controller Client applications.

Ensemble Controller R15.3 Administrator Manual - Issue: A 372

Adtran Maintaining Ensemble Controller

4. Use the Windows Task Manager to look for and, if necessary, terminate any running fnm.exe
process.
5. From the Salesforce Customer Portal, copy these scripts to the Ensemble Controller
installation scripts directory, for example: C:\Program Files (x86)\ADVA Optical
Networking\FSP Network Manager\scripts
l printDBInconsistenciesPostgres.bat
l printDBInconsistenciesPostgres.sql

6. To start a CMD shell, in the Windows start menu field, type cmd.
7. Change to the Ensemble Controller scripts installation directory, for example: C:\Program
Files (x86)\ADVA Optical Networking\FSP Network Manager\scripts
8. In the CMD shell, run printDBInconsistenciesPostgres.bat to verify basic database
inconsistencies.
An error-free output displays, as shown in Error-free Output of Database Validation
Verification.
The system displays additional data after the colon to show inconsistencies.
9. Proceed only if the database validation succeeds. If validation fails, contact Adtran
Technical Services for support.
10. Shut down the ENC server as described in Procedure for Stopping the Server in Windows.
11. Install the new Ensemble Controller version as described in Installing Ensemble Controller.
The upgrade installation process begins with this Upgrade window:

12. Click Next.

Ensemble Controller R15.3 Administrator Manual - Issue: A 373

Adtran Maintaining Ensemble Controller

The Choose Install Set window opens.

If you already have used the Embedded License Server before the
Ensemble Controller version 12.1 and you now want to upgrade to 12.1 or
later, you must upgrade the Embedded License Server to the version that
we deliver with the Ensemble Controller version 12.1 before you can use
Ensemble Controller 12.1.

13. Select one ENC option or both ENC Server and ENC Client. If your system also includes the
Embedded License Server, also select it.
14. Click Install.
The wizard starts the upgrade installation process.
15. Complete the wizard steps, and then click Next to continue through the wizard.
The upgrade process is almost complete when the Post Install Upgrade window opens:

Ensemble Controller R15.3 Administrator Manual - Issue: A 374

Adtran Maintaining Ensemble Controller

16. Click Next.

The Installation Complete window opens and displays this information:

17. Click Done to exit the upgrade installation wizard.

18. If you selected the Embedded License Server in Step 13, before you proceed with this
procedure, first prepare and enable the Embedded License Server as described in Preparing
and Enabling the Embedded License Server.
19. Restart your computer to complete the upgrade process.
20. After your computer restarts, verify that all services are running as described in Verifying
Services in Windows.

Ensemble Controller R15.3 Administrator Manual - Issue: A 375

Adtran Maintaining Ensemble Controller

After an upgrade, your computer can take longer than usual to restart. During this time, the
software rejects any client-login attempts.
The system upgrades the database. See the var\log dbupgrade.lo file for these messages:
l This is the message that displays when Ensemble Controller starts to upgrade the
database:
INFO - ======================================================================

INFO - DATABASE UPGRADE HAS BEEN STARTED AND THIS PROCESS CAN TAKE A WHILE TO
COMPLETE. PLEASE WAIT FOR THE DATABASE UPGRADE COMPLETION MESSAGE BEFORE
CONTINUING.

INFO - ======================================================================

The upgrade process might take some time to finish. The length of time
depends on:

o The database size.

o The upgrade path based on the number of how many intermediate

Ensemble Controller versions you bypassed.

o The server performance.

l This is the message that displays when Ensemble Controller completes to upgrade the
database:
INFO - ======================================================================

INFO - DATABASE UPGRADE HAS BEEN FINISHED.

INFO - ======================================================================

21. On computers where only Ensemble Controller Clients are installed, follow these steps to
update the client:
a. Uninstall the previous Ensemble Controller Client versions as described in Uninstalling
Ensemble Controller.
b. Next, install the target version of the Ensemble Controller Client as described in Installing
Ensemble Controller.

22. After the server restarts, open the Ensemble Controller Client as described in Logging Into
the Ensemble Controller Client.
23. Open the cleanPostgresAfterUpgrade script to clean up old PostgreSQL folders. The script is
located in the Ensemble Controller bin installation directory, for example: C:\Program Files
(x86)\ADVA Optical Networking\FSP NetworkManager\bin
24. Optional: After you upgrade to the Ensemble Controller version 15.2, you have these
additional options to optimize the system:
l To customize your client to personal needs, see the User Manual.
l To enhance the database password encryption algorithm, see Enhancing the Database
Password Encryption Security.

Ensemble Controller R15.3 Administrator Manual - Issue: A 376

Adtran Maintaining Ensemble Controller

Upgrading Ensemble Controller in Linux

Complete these steps to upgrade the Ensemble Controller software version in a Linux system.

Requirements to Upgrade in Linux 377

Restriction to Upgrade in Linux 377
Procedure to Upgrade in Linux 378

Requirements to Upgrade in Linux

Area Requirement Description

Version You must follow the upgrade sequence for a given current Ensemble
Upgrade Controller version that you installed. See Figure 21 for an overview of the
Sequence version upgrade sequence.

Sync Assurance If your Ensemble Controller installation is configured to use Sync

Assurance, you must:
l Stop the Sync Assurance application before you upgrade Ensemble
Controller.
l First complete the Ensemble Controller upgrade procedure, and then
also upgrade the Sync Assurance application.
l Make sure that Sync Assurance and Ensemble Controller have the
same software version. Otherwise, the applications cannot
interchange appropriate data formats.

Restriction to Upgrade in Linux

If you want to upgrade your Red Hat Enterprise Linux version, for example from 6.x to 7.x, you
must also upgrade your Ensemble Controller. First upgrade the Red Hat Enterprise Linux, and
then afterwards as second step upgrade your Ensemble Controller as described in Procedure
to Upgrade in Linux, not the other way around.
Otherwise, if you want to keep your current Ensemble Controller version, upgrade your Red Hat
Enterprise Linux version as planned, and then for the Ensemble Controller, complete these steps:
1. Back up your Ensemble Controller database. Choose from these options:
l The recurring Database Backup action that you configure in Ensemble Controller initiates
regular backups. For information about how to configure recurring actions, see the
Ensemble Controller User Manual.
l In the Ensemble Controller Settings > System > Immediate Database Backup, you can
create immediate backups. For more information about how to start an immediate
backup, see Immediate Database Backup.
l The NMSAdmin script option [J] - Backup Database initiates immediate backups.

2. Uninstall Ensemble Controller as described in Uninstalling Linux Applications.

Ensemble Controller R15.3 Administrator Manual - Issue: A 377

Adtran Maintaining Ensemble Controller

3. Reinstall Ensemble Controller as described in Installing Ensemble Controller in Linux.

4. Restore the Ensemble Controller database as described in Restoring the Ensemble
Controller Database > Procedure to Restore the Database in Linux.

Procedure to Upgrade in Linux

1. Switch to the root user:
su -
2. From the Salesforce Customer Portal, copy these scripts to the Ensemble Controller
installation scripts directory:
l printDBInconsistenciesPostgres.sh
l printDBInconsistenciesPostgres.sql.

3. Run the printDBInconsistenciesPostgres.sh script to verify basic database

inconsistencies.
An error-free output displays, as shown in Error-free Output of Database Validation
Verification.
The system displays additional data after the colon to show inconsistencies.
4. Proceed only if the database validation succeeds. If validation fails, contact Adtran
Technical Services for support.
5. Shut down the ENC server as described in Procedure for Stopping the Server in Linux.
6. Copy the Ensemble Controller installation file to a directory on your local hard drive.
7. Unpack the tar archive:
tar xf <tar archive name>
8. Start the installation program:
./install
9. Follow the instructions that the system displays during this process.
10. If you upgrade step by step and have not yet installed the final version, repeat Step 2
through Step 9.
11. After the installation completes, you must wait until the system upgrades the database. See
the dbupgrade.log file, which is located in var\log, for these messages:
l This is the message that displays when Ensemble Controller starts to upgrade the
database:
INFO - ======================================================================

INFO - DATABASE UPGRADE HAS BEEN STARTED AND THIS PROCESS CAN TAKE A WHILE TO
COMPLETE. PLEASE WAIT FOR THE DATABASE UPGRADE COMPLETION MESSAGE BEFORE
CONTINUING.

INFO - ======================================================================

The upgrade process might take some time to finish. The length of time
depends on:

Ensemble Controller R15.3 Administrator Manual - Issue: A 378

Adtran Maintaining Ensemble Controller

o The database size.

o The upgrade path based on the number of how many intermediate

Ensemble Controller versions you bypassed.

o The server performance.

l This is the message that displays when Ensemble Controller completes to upgrade the
database:
INFO - ======================================================================

INFO - DATABASE UPGRADE HAS BEEN FINISHED.

INFO - ======================================================================

12. Start the Ensemble Controller as described in Logging Into the Ensemble Controller Client.
13. Open the cleanPostgresAfterUpgrade script to clean up old PostgreSQL folders.
The script is located in /opt/adva/fsp_nm/bin.
14. Optional: After you upgrade to the Ensemble Controller version 15.2 or later, you have these
additional options to optimize the system:
l To customize your client to personal needs, see the User Manual, User Settings.
l To enhance the database password encryption algorithm, see Enhancing the Database
Password Encryption Security.

Enhancing the User Password Encryption

After an Upgrade to Version 14.1 or Later
Any Ensemble Controller version earlier than 14.1 uses a DSA encryption algorithm for user
passwords. After you upgrade Ensemble Controller to version 15.2, you must enhance the
encryption algorithm from the potentially insecure DSA to the secure SHA512. Ensemble
Controller will automatically change the encryption algorithm to SHA512 in these cases:
l Changing the user password.
l Logging in to the upgraded Ensemble Controller.

For all new users created since Ensemble Controller version 14.1, system uses
SHA512 algorithm.

To determine which users still need to enhance their user passwords, verify the date of the last
login for each account. If this date is later than the 14.1 upgrade date, the algorithm for this user
account changes to SHA512. We recommend that you migrate every user account to use the
secure algorithm. For accounts that do not meet the upgrade conditions, manually change the
password, or if necessary, delete the account.

Ensemble Controller R15.3 Administrator Manual - Issue: A 379

Adtran Maintaining Ensemble Controller

For remote authentication, the system verifies whether the same user name also exists with the
local account. Only if the passwords for both accounts are the same, the system will
automatically change the algorithm of the local account. If the passwords do not match, the
system leaves the local account unchanged and you must manually change those passwords.

Upgrading Sync Assurance in Linux

Complete these steps to upgrade the Sync Assurance application in Linux.

Requirements to Upgrade Sync Assurance 380

Procedure to Upgrade Sync Assurance 381
Procedure to Upgrade Sync Assurance 15.1 to 15.2 including GNSS and TPA Raw Data
Migration 382

Requirements to Upgrade Sync Assurance

Area Requirement Description

Application Upgrade Make sure that you first upgrade Ensemble Controller
Sequence before you upgrade the Sync Assurance application.

Version Upgrade Sequence Sync Assurance supports only incremental upgrades, for
example from 13.1 to 13.2, or also from 12.3 to 13.1 as long as
they are consecutive.
NOTICE: If you upgrade from 12.3 to 13.1, and you use PTP
(Time And Phase) Assurance, the upgrade process
deletes the time interval error data and also the database
backup files because they are incompatible with the new
13.1 release.

Ensemble Controller R15.3 Administrator Manual - Issue: A 380

Adtran Maintaining Ensemble Controller

Area Requirement Description

ATTENTION:
If you upgrade from 13.2 to 13.3, the upgrade process
deletes both GNSS and TPA databases, and also the
backup files. To preserve the data, before you start the
upgrade, manually backup the GNSS and TPA databases.
For both applications, run the db_backup_<application
name>.sh scripts located in
/opt/adva/SyncAssurance/<application name>.
We strongly recommend that you copy the database
backup files to an external system. After the upgrade
procedure completes, you can restore the databases. See
Restoring the Database from a Backup File.

ATTENTION:
If you upgrade from 15.1 to 15.2, the upgrade process
deletes both GNSS and TPA databases, and also the
backup files. To preserve the data, before you start the
upgrade, manually backup the GNSS and TPA databases.
For both applications, run the db_backup_<application
name>.sh scripts located in
/opt/adva/SyncAssurance/<application name>.
We strongly recommend that you copy the database
backup files to an external system.

Version Consistency After this procedure and at all times, make sure that Sync
Assurance and Ensemble Controller have the same
software version. Otherwise, the applications cannot
interchange appropriate data formats.

Procedure to Upgrade Sync Assurance

For 15.1 to 15.2 upgrade, follow this procedure Procedure to Upgrade Sync
Assurance 15.1 to 15.2 including GNSS and TPA Raw Data Migration. This special
procedure is related to GNSS and TPA database upgrade. It is designed to
migrate historical GNSS and TPA raw data to the new format. If you upgrade
only SNT service, apply regular procedure. During the regular procedure, the
process deletes GNSS and TPA data.

1. Rename the /opt/adva/SyncAssurance directory to /opt/adva/SyncAssurance.<old_

version_number>

Ensemble Controller R15.3 Administrator Manual - Issue: A 381

Adtran Maintaining Ensemble Controller

2. From the Ensemble Controller installation medium, copy the SyncAssurance_vX.X.X-

Bxxxx.tar.gz file in the directory /opt/adva.
3. Set the working directory to /opt/adva:
cd /opt/adva/
4. Untar the SyncAssurance_vX.X.X-Bxxxx.tar.gz file:
tar -zxvf SyncAssurance_vX.X.X-Bxxxx.tar.gz
This will create the Sync Assurance directory structure.
5. Set the working directory to /opt/adva/SyncAssurance:
cd /opt/adva/SyncAssurance
6. If the current installation contains custom settings in the docker-stack.yml files, you must
apply these settings again in the new docker-stack.yml files. In other words, preserve any
custom changes made in these files:
l /opt/adva/SyncAssurance/gnss/docker-stack.yml
l /opt/adva/SyncAssurance/tpa/docker-stack.yml
l /opt/adva/SyncAssurance/snt/docker-stack.yml
7. Install the Sync Assurance application as described from Step 5 to 6 in Procedure to Install
the Sync Assurance Application.
The upgrade and migration process from 12.2 and earlier release versions deletes all the
database backup files. You cannot use these backup files to restore a release because the
new timescaleDB version installed is incompatible with the old database backup files. Be
sure that you save a copy of the earlier release on another system if you want to revert back
to the previous release.
The upgrade and migration process from 15.1 and earlier release versions deletes GNSS and
TPA database and backup files. You cannot use these backup files to restore data in new
release because the new timescaleDB version installed is incompatible with the old
database backup files. Be sure that you save a copy of the earlier release on another system
if you want to revert back to the previous release. To migrate from 15.1 release while
preserving GNSS and TPA raw data, follow Procedure to Upgrade Sync Assurance 15.1 to 15.2
including GNSS and TPA Raw Data Migration.

Procedure to Upgrade Sync Assurance 15.1 to

15.2 including GNSS and TPA Raw Data
Migration
Follow this procedure only in case of 15.1 to 15.2 Sync Assurance upgrade. It is a special upgrade
procedure that includes upgrading the Timescale DB from timescaledb:1.7.5-pg12 to
timescaledb:2.9.1-pg14 release for GNSS and PTP Assurance applications.
This procedure migrates the GNSS and TPA raw data into the new database. The process does
not migrate the GNSS and TPA aggregated data. The SNT data is not affected by this migration,
since it already uses timescaledb:2.9.1-pg14 for 15.1 SyncAssurance release.
For GNSS and PTP Assurance applications prior to 15.1, follow the regular upgrade procedures up
to 15.1 release (run a set of consecutive upgrades from one release to the next without skipping
any upgrade) before upgrading to 15.2.

Ensemble Controller R15.3 Administrator Manual - Issue: A 382

Adtran Maintaining Ensemble Controller

1. Rename the /opt/adva/SyncAssurance directory to /opt/adva/SyncAssurance.<old_

version_number>.
2. From the Ensemble Controller installation medium, copy the SyncAssurance_v15.2.X-
Bxxxx.tar.gz file in the directory /opt/adva.
3. Set the working directory to /opt/adva:
cd /opt/adva/
4. Untar the SyncAssurance_v15.2.X-Bxxxx.tar.gz file:
tar -zxvf SyncAssurance_v15.2.X-Bxxxx.tar.gz
This will create the Sync Assurance directory structure.
5. Re-deploy SyncAssurance 15.1 in case it has been stopped during ENC upgrade:

a. Set the working directory to /opt/adva/SyncAssurance.<old_version_number>:

cd /opt/adva/SyncAssurance.<old_version_number>
b. Execute the deploy.sh script, see Procedure to Install the Sync Assurance Application.
Depending on the applications you use, start GNSS, TPA or both. Starting gnss_custom-
worker, SNT application or specifying ENC secondary server IP address is not required at
that point.

6. Verify that database services are running, see Procedure to Install the Sync Assurance
Application.
7. Stop all GNSS and TPA services except the database (scale down):

a. To stop the services, execute these Docker commands:

docker service scale <stack-name>_collector=0
docker service scale <stack-name>_data-access=0
docker service scale <stack-name>_db-backup=0
For the <stack-name>, type gnss or tpa.
If you migrate TPA database, stop it using command: docker service
scale tpa_online-qm=0.

b. Execute this Docker command to list the number of the services that still run for PTP (Time
And Phase) Assurance or GNSS:
docker stack services <stack-name>
c. Verify that the system stopped the services that have access to the database, which
means REPLICAS = 0/0. See Command Output Example for GNSS Docker Services –
Replicas 0/0 for a possible GNSS-stack command output after the services stopped.

8. Set the working directory to /opt/adva/SyncAssurance/util/migration/migration_from_15.1_

to_15.2/data:
cd /opt/adva/SyncAssurance/util/migration/migration_from_15.1_to_15.2/data
9. Run the special export script to export data for gnss application, if applicable:
./export.sh gnss
10. Wait for the process to complete.
11. Run the special export script to export data for tpa application, if applicable:
./export.sh tpa

Ensemble Controller R15.3 Administrator Manual - Issue: A 383

Adtran Maintaining Ensemble Controller

12. Wait for the process to complete.

13. Verify that relevant csv files are generated
under /opt/adva/SyncAssurance/util/migration/migration_from_15.1_to_15.2/data
directory. Look for files with the following name structure: pg_data_dump_<stack name>_
<table name>.csv[.gz].
14. If the current installation contains custom settings in the docker-stack.yml files, apply these
settings again in the new docker-stack.yml files. In other words, preserve any custom
changes made in these files:
l /opt/adva/SyncAssurance/gnss/docker-stack.yml
l /opt/adva/SyncAssurance/tpa/docker-stack.yml
l /opt/adva/SyncAssurance/snt/docker-stack.yml

15. Set the working directory to /opt/adva/SyncAssurance.<old_version_number>:

cd /opt/adva/SyncAssurance.<old_version_number>
16. Stop the Sync Assurance application:
./SyncAssurance-ctl.sh stop
17. Make sure that ENC 15.2 is running.
18. Set the working directory to /opt/adva/SyncAssurance:
cd /opt/adva/SyncAssurance
19. Run the enc_token_generate.sh script:
./enc_token_generate.sh [<ENC server IP address>]
<ENC server IP address> - optional attribute: IP address of ENC server from which the token
should be acquired. Enter this address if you use Sync Assurance on a separate server.

From now on, do not restart ENC until you complete step 22 (stop services).
20. Execute the deploy.sh script, see Procedure to Install the Sync Assurance Application.
21. Verify that all required Sync Assurance application stacks are running, see Procedure to
Install the Sync Assurance Application.
The upgrade and migration process from 15.1 deletes all GNSS and TPA
database backup files. You cannot use these backup files to restore a
release because the installed timescaleDB version is incompatible with the
old database backup files. Make sure that you save a copy of the earlier
release on another system if you want to revert back to the previous
release.

22. Stop all GNSS and TPA services except the database (scale down):

a. Execute the relevant Docker command according to the application database that you
want to migrate:
docker stack services <stack-name>
For the <stack-name>, type gnss or tpa
See Command Output Example for GNSS Docker Services – Replicas 1/1 for a possible
gnss command output.
b. Note down the REPLICAS numbers for all running services that access the database:

Ensemble Controller R15.3 Administrator Manual - Issue: A 384

Adtran Maintaining Ensemble Controller

l Any service with a name that ends with “collector”.

l Any service with a name that ends with “data-access”.
l Any service with a name that ends with “db-backup”.

c. To stop the services, execute these Docker commands:

docker service scale <stack-name>_collector=0
docker service scale <stack-name>_data-access=0
docker service scale <stack-name>_db-backup=0
If you migrate the GNSS database, and you use the optional gnss_
custom-worker service, also note down the REPLICA number of that
service, and then stop it using this command: docker service scale
gnss_custom-worker=0.
If you migrate TPA database, also note down the REPLICA number of
tpa_online-qm service, and then stop it using command: docker
service scale tpa_online-qm=0.

d. Execute this Docker command to list the number of the services that still run for PTP (Time
And Phase) Assurance or GNSS:
docker stack services <stack-name>
e. Verify that the system stopped the services that have access to the database, which
means REPLICAS = 0/0. See Command Output Example for GNSS Docker Services –
Replicas 0/0 for a possible GNSS-stack command output after the services stopped.
23. Set the working directory to /opt/adva/SyncAssurance/util/migration/migration_from_15.1_
to_15.2/data:
cd /opt/adva/SyncAssurance/util/migration/migration_from_15.1_to_15.2/data
24. Run the special import script to import data into the gnss application, if applicable:
./import.sh gnss
25. Wait for the process to complete.
26. Run the special import script to import data into the tpa application, if applicable:
./import.sh tpa
27. Wait for the process to complete.
28. To restart the database service, complete these steps:
a. Execute this Docker command to stop the database service for the relevant database
that you want to migrate:
docker service scale <stack-name>_timescaledb=0
b. Execute this Docker command to list the services that run for PTP (Time And Phase)
Assurance or GNSS:
docker stack services <stack-name>
c. Verify that the system stopped the relevant database service, which means
REPLICAS = 0/0. See these examples:
l [root@tlv-s-nms-vm02 ~]# docker stack services tpa
ID NAME MODE REPLICAS IMAGE PORTS

Ensemble Controller R15.3 Administrator Manual - Issue: A 385

Adtran Maintaining Ensemble Controller

kmkejkafdxis tpa_timescaledb replicated 0/0 adva/synca-

timescaledb:1.7.3-pg10 *:5439->5432/tcp
l [root@tlv-s-nms-vm02 ~]# docker stack services gnss
ID NAME MODE REPLICAS IMAGE PORTS
coe3ct4t8q20 gnss_timescaledb replicated 0/0 adva/synca-
timescaledb:1.7.3-pg10

d. Execute this Docker command to start the database service for the relevant database
that you want to migrate:
docker service scale <stack-name>_timescaledb=1
e. Execute this Docker command to list the services that run for PTP (Time And Phase)
Assurance or GNSS:
docker stack services <stack-name>
f. Verify that the system restarted the relevant database service, which means
REPLICAS = 1/1. See these examples:
l [root@tlv-s-nms-vm02 ~]# docker stack services tpa
ID NAME MODE REPLICAS IMAGE PORTS
kmkejkafdxis tpa_timescaledb replicated 1/1 adva/synca-
timescaledb:1.7.3-pg10 *:5439->5432/tcp
l [root@tlv-s-nms-vm02 ~]# docker stack services gnss
ID NAME MODE REPLICAS IMAGE PORTS
coe3ct4t8q20 gnss_timescaledb replicated 1/1 adva/synca-
timescaledb:1.7.3-pg10

29. Execute these Docker commands to restart the services that you stopped in Step 22 before
you imported the database:
docker service scale <stack-name>_collector=<no of replicas noted down in
step 22>
docker service scale <stack-name>_data-access=<no of replicas noted down in
step 22>
docker service scale <stack-name>_db-backup=<no of replicas noted down in
step 22>
If relevant: docker service scale gnss_custom-worker=<no of replicas noted down
in step 22>
If relevant: docker service scale tpa_online-qm=<no of replicas noted down in
step 22>
30. Verify that the services have access to the started database, which means that the replica
numbers must be equal to the ones noted down in Step 22:
docker stack services <stack-name>
See Command Output Example for GNSS Docker Services – Replicas 1/1 for the command
output example.

Ensemble Controller R15.3 Administrator Manual - Issue: A 386

Adtran Maintaining Ensemble Controller

Upgrading Ensemble Fiber Director in

Linux
If you upgrade Ensemble Controller (ENC), you also need to upgrade Ensemble Fiber Director
(EFD). Use only the EFD version that is included in the ENC installation CD. Other versions might
not be supported.
Follow these steps to upgrade EFD along with ENC:
1. Shut down the ENC server as described in Procedure for Stopping the Server in Linux.
2. Shut down the EFD server:
./opt/adva/fiberdirector/stop.sh
3. Upgrade ENC as described in Upgrading Ensemble Controller in Linux. Do not start the ENC
server after the upgrade.
4. Upgrade EFD by over-installation as described in Installing the Ensemble Fiber Director
Server in Linux.
5. Start the EFD server:
./opt/adva/fiberdirector/start.sh
6. Start the ENC server as described in Procedure to Start the Server in Linux.

Uninstalling Ensemble Controller

Complete these steps to uninstall Ensemble Controller (ENC) by using the Maintenance Mode
application.
1. To smoothly uninstall Ensemble Controller, complete these steps first:
a. Remove the previously installed Ensemble Controller Clients as described in Viewing and
Deleting Installed Clients.
b. If your Ensemble Controller uses Streaming Replication High Availability, disable it as
described in Reverting to a Non-Resilient Configuration or Disabling Streaming
Replication High Availability.
2. Save any data and close all open programs.
3. To start the Maintenance Mode application:
l Select Start > Control Panel > Programs and Features > Ensemble Controller.
–or–
l Follow this path: ENC Installation Directory\Change_Ensemble Controller\Change
Ensemble Controller.exe
The Maintenance Mode window opens:

Ensemble Controller R15.3 Administrator Manual - Issue: A 387

Adtran Maintaining Ensemble Controller

4. Select Uninstall Product.

5. Click Next to continue.
The Uninstall Ensemble Controller window opens.

6. Click Next.
The Post Uninstall Process message opens to inform you that the Ensemble Controller
services terminated.
7. Click OK to continue. A status bar and status messages indicate progress while the system
uninstalls the software.

Ensemble Controller R15.3 Administrator Manual - Issue: A 388

Adtran Maintaining Ensemble Controller

After the uninstall procedure completes, the Uninstall Complete window opens.
Any files that the application was unable to remove from your system remain and are listed,
including their locations, as illustrated here:

8. Make a note of the installation directories that the software was unable to remove. Keep this
list nearby until the end of this procedure.
9. Continue with one of these options:

Ensemble Controller R15.3 Administrator Manual - Issue: A 389

Adtran Maintaining Ensemble Controller

l Select Yes, restart my system, and then click Done.

Your computer automatically closes any currently running files or programs, and then
restarts. Any unsaved data is lost.
Continue with these steps:

a. Wait until your computer restarts.

b. Verify whether the installation directories that you noted in Step 8 are still present in
the installation directory. If yes, delete them.
-or-
l Select No, I will restart my system myself, and then click Done.
Continue with these steps:

a. Save and close any currently running files or programs on your computer.
b. Restart your computer.

c. Wait until your computer restarts.

d. Verify whether the installation directories that you noted in Step 8 are still present in
the installation directory. If yes, delete them.

Uninstalling Linux Applications

The Ensemble Controller installation on a Linux operating system includes other applications
that you can install on your system.
Use these commands to uninstall any of these applications, including the Ensemble Controller
itself:

Applications Change to root, and then type this command to

uninstall:

Flexnet Licensing Server /opt/adva/fsp_nm/flexnetls/server/fne.sh uninstall

Centralized Control Plane /opt/adva/fsp_nm_ni/uninstallni.sh

l Flexnet Licensing Server /opt/adva/uninstall-fsp_nm

l Centralized Control Plane
l Ensemble Controller

Uninstalling the Sync Assurance

Application
To uninstall the Sync Assurance application that you install in a Linux system, run the uninstall.sh
script located in the /opt/adva/SyncAssurance directory:
./uninstall.sh
Ensemble Controller R15.3 Administrator Manual - Issue: A 390
Adtran Managing the Centralized Control Plane

Chapter 5
Managing the Centralized
Control Plane
The Centralized Control Plane (CPc) is a management tool that supports path computation or
service provisioning for FSP 3000R7 network elements. The CPc runs as a Docker container.
Each FSP 3000R7 network element has one instance of the CPc that exchanges information with
all other network elements that are connected to that network element. The network elements
recognize the locally-available traffic engineering resources and pass this information to the
CPc. The CP maintains a centralized repository of all the traffic-engineering topology
information.
You can use Ensemble Controller (ENC) to configure the communication channel to the CPc
that is described in this chapter.

CPc is the state-of-the-art version of Control Plane for ENC. Therefore, you
should use CPc for all green-field installations.

An example of how the CPc communicates with the Ensemble Controller Server (ENC Server)
and FSP 3000R7 network elements is shown in this illustration:

Ensemble Controller R15.3 Administrator Manual - Issue: A 391

Adtran Managing the Centralized Control Plane

Minimum Hardware Requirements 392

Setting Up the Centralized Control Plane 393
Configuring a Connection Between Ensemble Controller and the Centralized Control
Plane 393
Configuring Centralized Control Plane High Availability 395
Opening and Viewing the CPc Manager 396
Managing the Centralized Control Plane Server in Linux 407

Minimum Hardware Requirements

The system where you want to install Centralized Control Plane must meet these minimum
requirements:

Disk Drive l 100 GB of dedicated disc space in /var/lib/docker. We recommend to use a

separate partition.
l If you require enhanced performance, we recommend an SSD disk drive.

RAM 20 GB

Ensemble Controller R15.3 Administrator Manual - Issue: A 392

Adtran Managing the Centralized Control Plane

Setting Up the Centralized Control

Plane
l For Windows operating systems, in the fnm.properties file, add this property and set it to true:
com.adva.nlms.mediation.sm.prov.ni.controller
For information about how to edit properties in the fnm.properties file, see Editing the
fnm.properties File. For an overview of all properties, see Server Property Overview.
l For Linux operating systems, see especially Step 6 in Installing Ensemble Controller in Linux.
l In order for the Centralized Control Plane (CPc) to communicate with the agents, you need to
install a signed certificate for the CPc. To do this, run the script /opt/adva/fsp_nm_ni/ni-
install-certificates.sh. Do this step after ENC is fully started. The script requires entering ENC
and CPc credentials.

After you set up the Centralized Control Plane according to your operating system, establish a
connection to Ensemble Controller; see Configuring a Connection Between Ensemble Controller
and the Centralized Control Plane.

Configuring a Connection Between

Ensemble Controller and the
Centralized Control Plane
Complete these steps to establish a connection to the Centralized Control Plane (CPc) and
then access the CPc Manager.

A single CPc can establish and maintain communication sessions with only
one Ensemble Controller.

The CPc Manager manages the CPc, for example, the Manager adds network elements to or
removes elements from the CPc. For information about the CPc Manager, see Opening and
Viewing the CPc Manager.
1. Enable the CPc according to your operating system as described in Setting Up the
Centralized Control Plane.
2. To set other then default credentials for CPc access in the Ensemble Controller application
(step 4), configure them first using script ./ni-change-credentials.sh in directory
/opt/adva/fsp_nm_ni.
3. In the Ensemble Controller application bar Settings, select System, and then Centralized CP.
4. In the Centralized CP Configuration window, Credentials tab, User Name column, select the
relevant user name.

Ensemble Controller R15.3 Administrator Manual - Issue: A 393

Adtran Managing the Centralized Control Plane

a. In the ribbon menu, Options area, click Edit.

–or–

In the Credentials Details Pane, click .

Complete these fields:

Field Description

User Name User name used in step 2. If you have not used script ./ni-change-
credentials.sh, use default user name: admin.

Password Password used in step 2. If you have not used script ./ni-change-
credentials.sh, use default password: chgme.1a.

b. Click to save, or to cancel.

5. Select the Sessions tab, and then the relevant table entry.
The table includes these columns:

Column Description

Current Whether the Ensemble Controller currently connects to the

CPc:
l true - connected
l false - disconnected

IP address The IP address of the CPc.

Protocol The protocol you want to use to connect to the CPc.

Supported values are:
l HTTP
l HTTPS

Port The port you want to use to connect to the CPc. Default
values are:
l HTTP: 8080
l HTTPS: 9443

Last Response Time The time that the CPc last responded. If the CPc
disconnects from Ensemble Controller, no value displays.

CPc Controller Version The software version of the CPc.

Ensemble Controller R15.3 Administrator Manual - Issue: A 394

Adtran Managing the Centralized Control Plane

Column Description

Status The connection status between Ensemble Controller and

the CPc. Supported values are:
l OK
l Not Reachable

WebSocket Connection The WebSocket connection status to the CPc. Supported

values are:
l Connected
l Not Connected

a. In the ribbon menu, Options area, click Edit.

-or-

In the CPc Controller Details Pane, click .

Complete the fields:

Field Description

IP address Type the IP address of the CPc.

HTTP Select the protocol you want to use to connect to the CPc. For details,
protocol see Protocol.

Port According to the selected HTTP protocol, type the port you want to
use to connect to the CPc. For details, see Port.

b. Click to save, or to cancel.

Configuring Centralized Control Plane

High Availability
Ensemble Controller supports the Centralized Control Plane (CPc) only with the standard
version of high availability, and in Linux systems.
1. Configure standard high availability for Ensemble Controller in Linux. See Configuring
Standard High Availability in Linux Systems.
2. For each Ensemble Controller server separately, the primary and secondary server:

Ensemble Controller R15.3 Administrator Manual - Issue: A 395

Adtran Managing the Centralized Control Plane

a. Set up the CPc. See Setting Up the Centralized Control Plane.

The primary and secondary server must have a CPc each. Both the CPc
and the relevant server must be co-located on the same machine.

b. Configure a connection to the CPc. See Configuring a Connection Between Ensemble

Controller and the Centralized Control Plane.

Opening and Viewing the CPc

Manager
The CPc Manager manages the Centralized Control Plane (CPc). For example, the CPc Manager
adds network elements to the CPc or removes them. Complete these steps to use Ensemble
Controller to open the CPc Manager in a web browser.

Requirements to View the CPc Manager 396

Procedure to View the CPc Manager 396
Legacy Links Page 399
Links Page 400
NEs Configuration Page 402
TE Links From CPc Page 405
NEs From CPc Page 407

Requirements to View the CPc Manager

l Configure a connection between Ensemble Controller and the CPc as described in
Configuring a Connection Between Ensemble Controller and the Centralized Control Plane.
l Set up your network to use SNMPv3 and HTTPS:
o For information about how to configure SNMPv3, see the User Manual, Managing SNMP
Profiles.
o For information about how to configure HTTPS, see the User Manual, Configuring REST,
HTTP, or HTTPS on Network Level.

Procedure to View the CPc Manager

1. In the Ensemble Controller tree pane Networks tab, right-click a relevant FSP 3000R7 network
element or a network that contains FSP 3000R7 network elements.
2. From the menu, select CPc Manager.
3. If a message related to the website security certificate displays, click Details, and then Go on
to the webpage even though it states (Not recommended).

Ensemble Controller R15.3 Administrator Manual - Issue: A 396

Adtran Managing the Centralized Control Plane

The login window opens.

4. In the ENC Admin User Name field, type the user name that you use to log in to Ensemble
Controller.

If Ensemble Controller uses RADIUS authentication, use a local account to log in

to CPc Manager.

5. In the Password field, type the password that you use to log in to Ensemble Controller.
6. Click Login or Cancel. The CPc Manager window opens:

Ensemble Controller R15.3 Administrator Manual - Issue: A 397

Adtran Managing the Centralized Control Plane

Table 17: CPc Manager – Main Menu Options

Option Description Link to More
Information

Legacy Links Lists these types of links: Legacy Links Page

l Links from the Ensemble Controller
database that you can migrate to the
network elements.
l Links where you can use SNMP to

create logical-interface control-plane

(LIF-CP) objects on the network
elements that have corresponding TE
links in the CPc.
Links that are based on link-configuration
objects (LCOs) do not display in this table.
Also use this page to migrate links to the
network elements.

Links List links that are based on link Links Page

configuration objects (LCO) from the
Ensemble Controller database and the
CPc. Links that have end-point types other
than optical links (Ols) do not display in
this table.
Also use this page to migrate links from
Ensemble Controller to the CPc, or to
delete them.

Ensemble Controller R15.3 Administrator Manual - Issue: A 398

Adtran Managing the Centralized Control Plane

Option Description Link to More

Information

NEs Configuration Lists the network elements from the NEs Configuration
selected network. The Ensemble Controller Page
database contains these network
elements.
You can also use this page to configure
certain attributes on the network element
in one step, to add more network
elements to the CPc, or to remove them.

TE Links From CPc Lists the traffic-engineering links that the TE Links From CPc
CPc retains. Page

NEs From CPc Lists the network elements that the CPc NEs From CPc Page
manages. You can remove network
elements from the CPc here.

Home Click to return to the welcome screen.

Logout Click to close the CPc Manager.

When you click an option, a tooltip with information about that page displays.

Legacy Links Page

After you select Legacy Links, the Migrate Links to NEs table opens and lists:
l Links from the Ensemble Controller database that can be migrated to the network elements.
l Links where logical-interface control-plane (LIF-CP) objects are created using SNMP on the
network elements, with corresponding TE links in the Centralized Control Plane (CPc).

Links that are based on link-configuration objects (LCOs) do not display in this table.
To migrate links to the network elements, in the first column, select the links you want to migrate,
and then click Migrate.
The Migrate Links to NEs table includes these columns:

Column Description

Link ID The link ID.

Link Name The link name.

Source NE Identifier The name of the starting network element.

Ensemble Controller R15.3 Administrator Manual - Issue: A 399

Adtran Managing the Centralized Control Plane

Column Description

Source NE IP The IP address of the starting network element.

Source CPc Agent The CPc agent status, either enabled or disabled, of the
starting network element. If enabled, you can add the network
element and the CPc can manage it.

Source Endpoint The link end point at the starting point.

Source Connected The module type that connects through the fiber map to the
Module Type link end point at the starting point.

Source Endpoint Type The link-end point type at the starting point.

Destination NE Identifier The name of the ending network element.

Destination NE IP The IP address of the ending network element.

Destination CPc Agent The CPc agent status, either enabled or disabled, of the
ending network element. If enabled, you can add the network
element, and the CPc can manage it.

Destination Endpoint The link end point at the ending point.

Destination Connected The module type that connects using the fiber map to the link
Module Type end point at the ending point.

Destination Endpoint Type The link-end point type at the ending point.

CPc Migration State The status of the migration process of the links.

CPc Migration Case The end point types of the link with details about any migration
results.

Links Page
After you select Links, the Links from Ensemble Controller table opens and lists links that are
based on link-configuration objects (LCO) from the Ensemble Controller database and the
Centralized Control Plane (CPc).
Links that have end point types other than OLs (optical links) do not display in this table.
For information about how to migrate links to or delete them from the CPc, see Migrating Links to
the Centralized Control Plane or Deleting Them.
The Links from Ensemble Controller table includes these columns:

Ensemble Controller R15.3 Administrator Manual - Issue: A 400

Adtran Managing the Centralized Control Plane

Column Description

Migration State The status of the link migration process:

l Local: The link resides in the Ensemble Controller database

and is not yet migrated.

l Synchronized: The link is successfully migrated to the CPc

and the link values are the same for Ensemble Controller
and the CPc.

l Failed: An interim value resulting from a failure to migrate a

link. If you refresh or reopen the page, then this value is
replaced with Out of Sync.

l Out of Sync: The link exists in both Ensemble Controller and

the CPc but:
o The values are not identical.
–or–
o An attempt to update the link in the CPc failed.
–or–
o A link-configuration object (LCO) is updated or deleted
using CLI in the CPc.
o A TE link and corresponding LCOs exist in the CPc. You
created a corresponding link in Ensemble Controller, but
you have not yet migrated it to the CPc.

Link ID The link ID.

Link Name The link name.

Source NE Identifier The name of the starting network element.

Source NE IP The IP address of the starting network element.

Source Endpoint The link end point at the starting point.

Source Connected The module type that connects through the fiber map to the
Module Type link end point at the starting point.

Source Endpoint Type The link-end point type at the starting point.

Destination NE Identifier The name of the ending network element.

Destination NE IP The IP address of the ending network element.

Destination Endpoint The link end point at the ending point.

Destination Connected The module type that connects using the fiber map to the link
Module Type end point at the ending point.

Ensemble Controller R15.3 Administrator Manual - Issue: A 401

Adtran Managing the Centralized Control Plane

Column Description

Destination Endpoint Type The link-end point type at the ending point.

TE Metric The link metric that the CPc needs to allow routing
preferences. The default value is 10, which is set for existing and
newly created links, unless you changed it. The value ranges
from 1 to 10,000.

Shared Risk Link Group The CPc uses this value depending on the needs and design.
By default, this value is not set (empty field). The value ranges
from 1 to 255.

Migrating Links to the Centralized Control Plane or

Deleting Them
Complete this procedure to migrate links that are based on link-configuration objects (LCO) to
the Centralized Control Plane (CPc), and also to delete them.

Requirements to Migrate Links

l You created links in Ensemble Controller between network elements that the CPc manages.
o For information about how to create links in Ensemble Controller, see the User Manual,
Creating or Deleting Links Between Network Elements.
o To have the CPc manage network elements, you must add them as described in
Configure & Add Node To CPc.

Procedure to Migrate Links

1. To migrate links, in the Links Page, Links from Ensemble Controller table, first column, select
the links you want to migrate, and then click Migrate.
2. To delete links, in the first column, select the links you want to delete, and then click Delete.

Result messages for this action appear in the Links page, and also in the Ensemble Controller
message pane.

NEs Configuration Page

After you select NEs Configuration, a table opens that lists the network elements from the
selected network and those that the Ensemble Controller database contains.

Table Description 403

Action Controls 404

Ensemble Controller R15.3 Administrator Manual - Issue: A 402

Adtran Managing the Centralized Control Plane

Table Description

Column Description

ID The CPc Manager internal identifier.

NE Identifier The identifier of the network element.

NE IP The IP address of the network element.

NE Type The network element type.

Mib Variant The variant of the management information base (MIB).

CP Enable State The control plane status, either True or False.

Node Name A name syntax of the network element. Supported values are IP or TID.
Syntax l For FSP 3000R7 network elements that run software version 18.1.1,
only IP is supported and displayed in this column.
l For software version 18.1.2 and higher, IP and TID (system identifier)
are supported.

CP_WDM True or False.

CP_OTN True or False.

LIF_CP Auto- True or False.

Creation

CPc Agent True or False. If True, then the Centralized Control Plane (CPc) can
manage the network element.

Web Interface True or False.

Managed by CPc True or False. If True, then the CPc can manage the network element.
Controller

Polling State l Not scheduled: Migration polling is not scheduled or is not running for
this network element.
l Scheduled: Migration polling is scheduled for this network element.

l Running: Migration polling is currently running on this network

element.

First Sync Time The time when the network element was added to the CPc.

Last Sync Time The time when the last synchronization occurred.

CPc ID The identifier of the network element in the CPc.

Connection to CPc The state of the connection between the CPc and the network
State element (CPc agent).

Ensemble Controller R15.3 Administrator Manual - Issue: A 403

Adtran Managing the Centralized Control Plane

Action Controls
The NEs Configuration page includes these action controls:

Action Control Description

Discover Topology Click to discover links without the need to scan the entire
topology.

Configure & Add Node 1. In the NEs Configuration table, select the relevant network
To CPc elements that you want to configure and add them to the CPc.

2. Click Configure & Add Node To CPc.

The software configures the attributes in one step on the
selected network element. The software:
l Enables the CPc (see the column CP Enable State).
l Enables the Web Interface.
l Creates the CP_WDM object.
l Creates the CP_OTN object.
l Changes the Node Name Syntax to IP.
l Enables the CPc Agent.
3. To visualize which network elements the CPc manages, in the
Ensemble Controller User Settings, set the CPc icon to show;
see the User Manual, General Settings for information.

Remove Node From 1. From the NEs Configuration table, select the relevant network
CPc elements that you want to remove from the CPc.

Ensemble Controller R15.3 Administrator Manual - Issue: A 404

Adtran Managing the Centralized Control Plane

Action Control Description

2. Click Remove Node From CPc.

The software removes the selected network element from
the CPc. The CPc Agent attribute on the network element
remains unchanged.

Sync Connection State Click to synchronize the connection state between the network
element and the CPc.

Refresh Click to reload the page with new data.

TE Links From CPc Page

After links successfully migrate, you can select the main menu option TE Links From CPc. A table
displays that lists the traffic engineering links stored in the Centralized Control Plane (CPc).
The table includes these columns:

Columns Description

Address Type The type of traffic-engineering link address, either Unnumbered or

Numbered traffic engineering.
l An unnumbered traffic-engineering link address contains the parent
router IP and a unique number, usually referred to as link ID, for
example, 192.168.1.1:10001.
l A numbered traffic-engineering link address contains only an IP
address, for example, 10.1.1.1.

Router ID The parent router address that the traffic-engineering link is attached
to.

Peer Router ID The peer router address of the traffic engineering link, which is the router
that the traffic-engineering link points to.

Link ID The node-scope identifier, if it is an unnumbered link.

Peer Link ID The node-scope identifier of a peer, unnumbered link.

Physical Link ID The identifier of the physical termination point that the traffic-
engineering link is attached to. For example, for WDM-layer traffic-
engineering links, the physical link ID refers to OL.

Ensemble Controller R15.3 Administrator Manual - Issue: A 405

Adtran Managing the Centralized Control Plane

Columns Description

SRLC The shared-risk link color (SRLC) is a network-scope unique number that
the CPc assigns to a pair of synchronized traffic-engineering links. The
value is stored in one of the traffic-engineering links within the pair. You
can use SRLC to determine whether two paths do not contain common
intersections, for example.

Peer SRLC The SRLC value assigned to the peer of the applicable traffic-
engineering link.

TE Metric The cost of a traffic-engineering link for a path computation engine.

Layer The layer network that the traffic-engineering link belongs to. You can
consider certain traffic-engineering links as links in a WDM or TDM (OTN)
layer. The layer determines:
l The type of resources that the link advertises.
l The physical termination points that the links can attach to.

Synchronized Whether the traffic-engineering link is synchronized, either true or false.

You can consider the traffic-engineering link as being synchronized if its
peer traffic-engineering link exists in the traffic-engineering topology
database.

OSC Status The operational status of related OSC channels for WDM-layer traffic-
engineering links. Supported values are:
l Unknown: No OSC.
l Down: The OSC has an alarm.
l Up: The OSC is operable.

DP Status The summarized operational status of the data plane for WDM-layer
traffic-engineering links. Supported values are:
l Unknown: The system cannot determine the data plane.
l Down: All data-plane connections are down.
l Up: The data plane is operable.

If this window has many pages, use this page navigator to change pages:

Ensemble Controller R15.3 Administrator Manual - Issue: A 406

Adtran Managing the Centralized Control Plane

NEs From CPc Page

After you select NEs From CPc, a table displays and lists network elements that successfully
migrated and are added to the Centralized Control Plane (CPc).
The table includes these columns:

Column Description

CPc URI The uniform resource identifier of the network element in the CPc.

CPc ID The identification of the network element in the CPc database.

NE ID The identification of the network element in the Ensemble Controller

database. If no value displays, the network element does not exist in the
Ensemble Controller database.
To remove network elements from the CPc that are not in the Ensemble
Controller database, in the first column of the table, select it, and then
click Remove Node From CPc.

Connection The connection state between network elements and the CPc.
Status

If this window has many pages, use this page navigator to change pages:

Managing the Centralized Control

Plane Server in Linux
To manually manage the Centralized Control Plane (CPc) server, change to the root account or
to a user who belongs to the docker group. Then run the ./ni-ctl.sh script located in the directory
/opt/adva/fsp_nm_ni.
The software logs any action in a file stored in the directory /var/lib/docker/volumes/ni_
ni-logs/_data/adva-ni/.

Ensemble Controller R15.3 Administrator Manual - Issue: A 407

Adtran Managing the Centralized Control Plane

For information about how to uninstall the CPc server, see Uninstalling Linux Applications. More
actions to maintain the CPc server are described in these topics:

Upgrading the Centralized Control Plane Server 408

Backing Up the Control Plane Database 408
Restoring the Centralized Control Plane Database 409
Centralized Control Plane Server Health Check 410

Upgrading the Centralized Control Plane

Server
If the Centralized Control Plane (CPc) server is enabled, follow the standard Ensemble Controller
upgrade procedure. These steps also automatically upgrade the CPc server. This procedure
applies to both the common installation variant (Ensemble Controller AND CPc server) and the
standalone variant (only CPc server).
For information about how to enable the CPc server, see Setting Up the Centralized Control
Plane.
For information about how to upgrade the Ensemble Controller, see Upgrading Ensemble
Controller in Linux.

Backing Up the Control Plane Database

If the Centralized Control Plane (CPc) server is enabled, follow the standard options to back up
the Ensemble Controller database, which automatically back up the CPc server. This procedure
applies to both the common installation variant (Ensemble Controller AND CPc database) and
the standalone variant (CPc database only).
For information about how to enable the CPc server, see Setting Up the Centralized Control
Plane.
Choose from these options to back up Ensemble Controller and the CPc database:
l The recurring Database Backup action that you configure in Ensemble Controller initiates
regular backups. For information about how to configure recurring actions, see the Ensemble
Controller User Manual.
l In the Ensemble Controller Settings > System > Immediate Database Backup, you can create
immediate backups. For more information about how to start an immediate backup, see
Immediate Database Backup.
l The NMSAdmin script option [J] - Backup Database initiates immediate backups.

If you use the NMSAdmin script to back up the database, the process does not
account for the number of backup files that you can create. That is, if this
process exceeds the number of backup files that you specified in the
fnm.properties file, the software does not automatically delete the old backup
files. You have to delete them manually.

Ensemble Controller R15.3 Administrator Manual - Issue: A 408

Adtran Managing the Centralized Control Plane

For information about how to set the allowed number of backup files that can
be created, see Setting the Number of Database Backup Files Allowed to be
Created.

For additional information about database backup, see Updating Ensemble Controller
Database Information.

Backup File Storage 409

Backup Operation Notifications 409

Backup File Storage

If the database backup is successful, the process creates relevant files including the binary
backup package dbfnm_NM_NI.tar.gz. This file contains both Ensemble Controller and Control
Plane server backup files. If the Control Plane database backup fails, the process does not
create the binary backup package.
The Ensemble Controller installation directory stores the binary backup package
/var/db.backup. You will need this package later to restore the database.
For information about database restore, see Restoring the Centralized Control Plane Database.

Backup Operation Notifications

You can view any backup operation in the Ensemble Controller message pane, including
notifications in the Events tab.
The message pane and Events tab is described in the User Manual.

Restoring the Centralized Control Plane

Database
If the Centralized Control Plane (CPc) server is enabled, complete the standard Ensemble
Controller restore steps and consider the Requirements to Restore the CPc Database in this
chapter. This restore procedure also automatically restores the CPc database. The restore
procedure applies to both the common installation variant (Ensemble Controller AND the CPc
database) and the standalone variant (only the CPc database).
For information about how to enable the CPc server, see Setting Up the Centralized Control
Plane.
For information about how to restore the Ensemble Controller database, see Restoring the
Ensemble Controller Database.

Requirements to Restore the CPc Database 410

Procedure to Restore the CPc Database 410

Ensemble Controller R15.3 Administrator Manual - Issue: A 409

Adtran Managing the Centralized Control Plane

Requirements to Restore the CPc Database

l Ensure that the CPc backup database file that you want to restore (dbni.tgz by default)
resides in the Ensemble Controller installation directory var/db.backup. Also verify that the
backup database file is in the binary backup package dbfnm_NM_NI.tar.gz. For information
about the binary backup package, see Backup File Storage.
l To restore the CPc database, including the Ensemble Controller database, instead of
RestoreDB, use the NMSAdmin script and complete these steps. The RestoreDB script restores
only the Ensemble Controller database.

Procedure to Restore the CPc Database

1. Shut down the Ensemble Controller Server. See Stopping the Ensemble Controller Server.
2. Change to the root account, and then run the NMSAdmin script.
3. Type [L] - Restore Database Backup.
4. Wait for the process to finish.
5. After the restore process completes, start the Ensemble Controller Server. See Starting the
Ensemble Controller Server.

Centralized Control Plane Server Health

Check
To analyze and troubleshoot Centralized Control Plane (CPc) server problems, you can verify
the condition of the server health by either running scripts or by viewing the Ensemble Controller
(ENC) client graphical user interface (GUI). The health-check report collects CPc server data, for
example, debug data, logs, traces, component status, and so on.

Health Check Using Scripts 410

Health Check Using the Ensemble Controller GUI 411

Health Check Using Scripts

The script you use depends on how you installed the CPc server.
Change to the root account, and then:
l If you installed the CPc server as a standalone version, run the ni-sdp.sh script located in the
directory /opt/adva/fsp_nm_ni/.
l If you installed the CPc server using Ensemble Controller, run the healthcheck_nms.sh scipt
located in the directory /opt/adva/fsp_nm/bin/.
–or–
You can run the NMSAdmin script, and then select [H] - System Health Report.

Ensemble Controller R15.3 Administrator Manual - Issue: A 410

Adtran Managing the Centralized Control Plane

Health Check Using the Ensemble Controller GUI

If the CPc server is enabled, complete the standard Ensemble Controller steps for Creating a
System Health Report.
For information about how to enable the CPc server, see Setting Up the Centralized Control
Plane.

Ensemble Controller R15.3 Administrator Manual - Issue: A 411

Adtran Troubleshooting

Chapter 6
Troubleshooting
This chapter describes how to troubleshoot Ensemble Controller.

Purpose 412
Assumptions 412
Terms 413
Preparation 413
Tools of the Trade 415
Troubleshooting Steps 415
Resolving Installation Issues 415
Resolving Start-up Issues 421
Resolving Access Issues 430
Resolving Normal Operations Issues 435

Purpose
The purpose of this chapter is to provide a guide to troubleshooting the Ensemble Controller.
While it cannot cover every possible error or problem, it covers enough ground to be able to
resolve approximately 80% of all known issues which can occur with the Ensemble Controller.
Issues that are related to a special software version are not discussed as most of them are fixed
in the successor version.

Assumptions
This document assumes these conditions:
l You are trained on Ensemble Controller and the Element Manager, and you know what the
software does.
l You are trained on at least one FSP product.
l You have access to Ensemble Controller and Element Manager documentation (User
Manual, Release Notes, and Compatibility Matrix).
l You know IP and SNMP.

Ensemble Controller R15.3 Administrator Manual - Issue: A 412

Adtran Troubleshooting

l You have basic knowledge of optics and WDM.

l You have a network plan containing the IP addresses of the network elements and paths of
the service connections.
l The network element configuration and the software versions installed on the network
elements are documented.
l You are familiar with NEMI software.
l You know the user names and passwords to access the NEMI, the Ensemble Controller and
Element Manager Software.
l All components are using the most current version of software. If not, you need to have
access to the Adtran website, often referred to as the Partner Login, and be able to download
the current version. Please see “Determining NEMI NE Software Revision Level” for further
assistance.
l All units can be powered on.

Terms
Throughout the document the term Adtran Management Software is used for the Ensemble
Controller and the FSP xxxx Element Managers. FSP xxxx Element Manager stands for FSP 150 and
FSP 1500 Element Manager. Ensemble Controller is available for Windows and Linux.
These terms are used in that document:

ENC Ensemble Controller

EM Element Manager

NE Network Element

NMS Network Management Station

Preparation
Before you begin to troubleshoot the Management Software or any given installation, it is
important to prepare for the task beforehand. These are some basic steps that you should take,
before you continue to troubleshoot a problem or issue.

Discussing the Management-Software Products Ensemble Controller and FSP Element

Manager 414
Discussing the Network Configuration 414
Clearly Defining the Issue That You Try to Resolve 414

Ensemble Controller R15.3 Administrator Manual - Issue: A 413

Adtran Troubleshooting

Discussing the Management-Software

Products Ensemble Controller and FSP
Element Manager
Even with the best documentation, it is pointless to attempt to troubleshoot issues with a
product, with which you are not familiar. At the very least you should have attended product
training for the product that included the management software. If you know nothing about
management software, you should seriously question whether or not you should be attempting
to resolve issues with these products.

Discussing the Network Configuration

You cannot troubleshoot a configuration with which you are not familiar. To solve management
issues, you require knowledge about the management and the optical network. A very key part
of this is to have a map of the management network containing information about the IP
addresses of the network elements, about the SNMP communities and the topology. You can
connect network elements to the management through:
l Ethernet
l OSC
l Serial line

You need to have this information in forehand. To solve problems that are released to the
services running on your network, an “optical” network map and topology is required. In the
Ensemble Controller, you can setup connections between the nodes on port level. So you have
to know, which ports are actually connected through fibers, and which are protected and
unprotected.

Clearly Defining the Issue That You Try to

Resolve
Too often, the full description of an issue is “it doesn’t work”. Unfortunately, as description as
vague as this does not shed much light on the issue. A clear description of which aspect of the
equipment functions are not correctly operating as well as an understanding of how to
recognize and test a working configuration, is essential to the timely resolution of any problem.
Determine the tools you will likely need to resolve the issue, before you begin your work. It is a
tremendous disappointment to drive 100 kilometers to an installation location and find that you
do not have the appropriate tools to do the job. However, people do this every day. The
standard resolution to this issue is to create a kit that has every conceivable tool that could be
used and keep it with you at all times. The only difficulty with this solution is that much of the
equipment associated with optics is rather expensive and thus, can need to be shared
amongst a variety of individuals.

Ensemble Controller R15.3 Administrator Manual - Issue: A 414

Adtran Troubleshooting

Tools of the Trade

In any technical profession, there are certain tools that should be on hand at all times. Most of
the tools needed to troubleshoot network manage issues are already on the customer side. The
customer runs a network management station that has the management software installed.
Software utilities for network management like ping, traceroute, a MIB Browser are standard on
a management station. Even so you should carry a laptop with you with these installations:
l MIB Browser
A MIB browser like MG Soft shall be installed on your computer. It helps you checking the MIB
variables.
l Adtran Management Software
You should have installed the latest version of the Ensemble Controller and the FSP xxx
Element Managers.

Troubleshooting Steps
Complete these steps to troubleshoot Ensemble Controller issues.
These steps do NOT include the most intuitive aspects of any installation, such as monitoring
alarms or adding a new subnetwork. It also does not discuss issues external to Ensemble
Controller, such as issues with operating systems, for example Windows or Linux, and so on.
l Is the issue associated with a management-software installation?
If yes, go to Resolving Installation Issues.
l Does a problem appear during the software start-up?
If yes, go to Resolving Start-up Issues .
l Do you have network-access problems?
If yes, go to Resolving Access Issues.
l Do you have problems during normal operations?
If yes, go to Resolving Normal Operations Issues .

Resolving Installation Issues

This section addresses issues that might occur during the installation of Ensemble Controller.
Inform yourself about the operating system and the Ensemble Controller version.
Verify the installation requirements of Ensemble Controller against the processor power,
available memory, and the free disk capacity of the system.
The installation of Ensemble Controller requires local administrator privileges on the system.

Ensemble Controller R15.3 Administrator Manual - Issue: A 415

Adtran Troubleshooting

Cannot install Ensemble Controller. 416

The Ensemble Controller installation fails with an error message. 416
Updating the Ensemble Controller Client Launcher 417

For more troubleshooting steps regarding installation, see Troubleshooting Client Download
Errors. Otherwise, return to Troubleshooting Steps.

Cannot install Ensemble Controller.

Cause: The management machine does not meet the software installation
requirements, or you do not have sufficient privileges.

Solution: 1. Verify the installation instructions. You might have to uninstall the existing
software before you install the new software version.
2. Make sure the Ensemble Controller Server has the required processor
power, the memory, and the free hard disk capacity specified in the
Release Notes of the Adtran management software.
3. Make sure that you have full administrator or power-user privileges on
the Windows Ensemble Controller Server.
4. On the Linux Ensemble Controller Server, you must have root permission
to install the Adtran management software.
5. In some rare cases, you might need to delete the complete Ensemble
Controller installation directory after you uninstall the previous Ensemble
Controller version. Back up the Ensemble Controller database before you
delete the complete Ensemble Controller installation directory.

The Ensemble Controller installation fails with

an error message.
Cause: You have not properly removed the previous Ensemble Controller version
from the Ensemble Controller Server in your Windows system.

Ensemble Controller R15.3 Administrator Manual - Issue: A 416

Adtran Troubleshooting

Solution: To verify that Ensemble Controller completely uninstalled from the Windows
Ensemble Controller Server, click Start > Settings > Control Panel >
Add/Remove Software. If you see Ensemble Controller in the list, uninstall it. If
Ensemble Controller is not in the list, proceed with these steps:
1. Launch the Windows Registry Editor.
2. Delete all these entries:
l HKEY_LOCAL-
Machine\Software\Microsoft\Windows\CurrentVersion\
Uninstall\{55C56D...}
l HKEY_LOCAL- Machine\Software\ADVA Optical Networking\FSP
Network Manager
NOTE: For a 64-bit Windows operating system, this key is located in:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adva Optical
Networking\FSP Network Manager
3. Install the new Ensemble Controller version.

Updating the Ensemble Controller Client

Launcher
You use the Ensemble Controller Client launcher to download different graphical user interface
(GUI) versions and to start these versions depending on the server version.
Complete this procedure to update the client launcher.

Requirement to Update the Client Launcher 417

Procedure to Update the Client Launcher 417

Requirement to Update the Client Launcher

l Somebody requested from you to update the client launcher, or the Release Notes state it.
l Your current Ensemble Controller installation is a client-only installation.
o If yes, start this procedure with Step 4 and skip the first 3 steps.
o If no, complete this procedure from the beginning.

Procedure to Update the Client Launcher

Obtaining a Client-Only Installation
1. Install the Ensemble Controller as described from Step 1 to Step 5 in the section Installing
Ensemble Controller in Windows.

Ensemble Controller R15.3 Administrator Manual - Issue: A 417

Adtran Troubleshooting

2. In the Choose Install Set window, clear ENC Server.

Only ENC Client is selected now:

3. Follow the installation wizard as described from Step 9 in the section Installing Ensemble
Controller in Windows.

Updating the Client Launcher

4. Download the relevant version of the Ensemble Controller installation package to which you
wish to update the client launcher.
5. Double-click the EXE application file of this installation package that you have just
downloaded.
The InstallAnywhere window appears. A status bar indicates progress while the system
starts the installation wizard:

Ensemble Controller R15.3 Administrator Manual - Issue: A 418

Adtran Troubleshooting

6. Click Next to continue. The Choose Install Set window opens:

7. Stay with the settings as displayed that is, only ENC Client is selected, and then click Install.
A status bar and status messages indicate progress. The upgrade continues as illustrated:

Ensemble Controller R15.3 Administrator Manual - Issue: A 419

Adtran Troubleshooting

8. Click Next.
After the upgrade completes, the Installation Complete window displays:

9. Click Done to complete the procedure.

Ensemble Controller R15.3 Administrator Manual - Issue: A 420

Adtran Troubleshooting

Resolving Start-up Issues

This section addresses issues that might happen while launching the Ensemble Controller
Server or the client.

Ensemble Controller does not start without an error message. 421

The Ensemble Controller Server SNMP Forwarder does not start. 422
The Ensemble Controller Server Mediation Server does not start. 422
Cannot launch the Element Manager Using Ensemble Controller. 423
External event logging does not start. 423
Ensemble Controller Server Connectivity 424
SNMP Connectivity Test 425
Unable to start or stop the Ensemble Controller Server without an error message. 426
Ensemble Controller Server processes do not start after server restart or crash. 427
The Ensemble Controller Server does not start after Linux restarts. 427
Linux stops with the error message: "No buffer space available." 427
Open-file limit is too low for the Ensemble Controller Server process in Linux 428
Cannot launch the Ensemble Controller Client. 428
Problem to start the Ensemble Controller Client 428
Irrelevant error message that Mediation Server could not start 429
Unable to launch the Ensemble Controller Client after download and upgrade to 12.1.1 430

Return to Troubleshooting Steps.

Ensemble Controller does not start without

an error message.
Issue: The system performance is too low.

Solution: Make sure the Ensemble Controller Server has the required processor power,
the memory and the free hard disk capacity. For more details, see the
Release Notes of the Ensemble Controller.

Ensemble Controller R15.3 Administrator Manual - Issue: A 421

Adtran Troubleshooting

The Ensemble Controller Server SNMP

Forwarder does not start.
Issue: Windows: SNMP Forwarder does not start.
Linux: SNMP Forwarder does not exist in the list when the issue occurs.

Cause: l The SNMP Forwarder service is by default disabled, and thus it does not
start automatically.
–or–
l You enabled the SNMP Forwarder service but still, it does not start. The
SNMP Forwarder listens to TCP and UDP port 2545 by default. A reason why
the SNMP Forwarder could fail is because another application process
occupies the TCP port 2545. If the UDP port 2545 is occupied, it will not
receive forwarded traps from the Ensemble Controller Server.

Solution: l Enable the SNMP Forwarder service. See Element Manager.

–or–
l Exit the application that also uses the port 2545, and then restart the
Ensemble Controller Server.
Note: You can verify whether the port 2545 is in use with these commands
for your system:
o Windows: netstat -p udp -an
o Linux: netstat -a | grep 2545

The Ensemble Controller Server Mediation

Server does not start.
Issue: Linux: The Xmx3000M (Mediation Server) SNMP Forwarder does not exist in the
list when the issue occurs.

Solution: 1. Restart the Mediation Server.

2. If that does not help, restart the Ensemble Controller Server.
3. If both fails, contact Adtran Technical Services.

Ensemble Controller R15.3 Administrator Manual - Issue: A 422

Adtran Troubleshooting

Cannot launch the Element Manager Using

Ensemble Controller.
Issue: l You have not enabled the SNMP Forwarder service, which is disabled by
default. The Element Manager requires this service to run.
l A common issue is that the SNMP response time is too low.
l You have not installed the Element Manager that comes with the
Ensemble Controller software package.
l The IP connectivity is bad.
l The firewall blocks port 2545 for the Element Manager.

Solution: 1. From the Ensemble Controller application bar Settings menu, select
Configuration, and then SNMP Profiles Manager.
2. Select the profile that this network element uses, and then in the Timeout /
[sec] field, adapt the timeout value.
3. Log into the network element by using telnet, and then launch the craft
interface.
4. Go to SNMP Configuration and load the correct MIB.
5. Run the Ensemble Controller installation software on the machine where
you want to launch the Element Manager.
6. Contact your network administrator to request to verify the network
connectivity.
7. Enable the SNMP Forwarder service. See Element Manager.
8. Unblock the port 2545 on the firewall that is located between the
Ensemble Controller Server and Client.

External event logging does not start.

Issue: You have not enabled logging to the external file eventlog.csv.

Solution: 1. Go to the Ensemble Controller installation directory.

2. Open the log4j2.xml file, and then identify this section:

Ensemble Controller R15.3 Administrator Manual - Issue: A 423

Adtran Troubleshooting

3. Change the level attribute value to on:

4. Restart the Ensemble Controller Server.

By default, Ensemble Controller writes the logs to a ring of 10 files each the size of 1 MB. After
Ensemble Controller writes the last file, the log again begins to write to the first file and
overwrites all information in that file. For this setting to take effect, you must restart the
Ensemble Controller Server.

Ensemble Controller Server Connectivity

After the system accepts the login, it tries to connect to the Mediation Server. If the connection
fails, the system raises one of these error messages:

Cannot find the specified host name 424

Ensemble Controller Server could be down or is not responding 424
Cannot connect to the Ensemble Controller Server: xyz 424

Cannot find the specified host name

The specified name cannot be resolved to an address. It is either incorrect or the name server
configuration on the local system is incorrect.

Ensemble Controller Server could be down or is not

responding
Although firewalls can actively reject connection attempts as well as just dropping packets, the
most likely reason is that the specified host could be reached but refused the connection
because the Mediation Server is not running or is using a different port (default 8443).

Cannot connect to the Ensemble Controller Server: xyz

Possible reasons include an incorrect address, missing or incorrectly configured routes on the
involved systems, broken physical links, firewall dropping packets, or a server system that
disconnected or switched off.
After the system connects to the Mediation Server, it attempts to contact the JMS broker. If this
test encounters a problem, an error message displays:

Ensemble Controller R15.3 Administrator Manual - Issue: A 424

Adtran Troubleshooting

The specified host could be reached but refused the connection because the JMS broker is not
running, is using a different port (default 33028) or the port is blocked by a firewall.

SNMP Connectivity Test

The Element Manager embedded in Ensemble Controller to manage FSP 1500 devices needs to
communicate with the SNMP Forwarder server. If this is not possible, the Element Manager
blocks.
This test verifies whether the Element Manager can reach the server and informs about any
existing problems. If a problem exists, you can start the Element Manager anyway or cancel the
request. The system tries to perform the test sequence as follows:
1. Obtain the configured host name and ports.
2. Establish a TCP connection.
3. Close the connection.

If everything works, the Element Manager starts.

If the name cannot be resolved that is, there is either a frontend or a DNS configuration problem,
this message displays:

If a connection is actively refused, the most likely reason is that the server is not running or is not
using the configured port, although a firewall also could reject connections. This message
displays:

Ensemble Controller R15.3 Administrator Manual - Issue: A 425

Adtran Troubleshooting

In all other cases, a blocked port is the most likely reason. Other problems, such as missing
routes, or the host being down, are less likely because the frontend is able to talk to the
Mediation Server. This message displays:

Unable to start or stop the Ensemble

Controller Server without an error message.
Issue: If you run either of these commands, the system generates an error:
l ENC Installation Directory\bin > StartServer.bat
l ENC Installation Directory\bin > StopServer.bat

The same error also appears if you click either of these options:
l

An example error message is shown here:

Input Error: There is no script engine for file extension ".vbs".
Shutting down Ensemble Controller Server...
System error 5 has occurred.
Access is denied.

Solution: NOTE:
You have to be a member of the administrator group to start or stop the
server.
If the VBScript module is not registered correctly or the VBS file class settings
are broken, the error occurs when you run cscript. To fix the problem, install
Windows Script 5.7 for Windows 2003 from Microsoft to allow the admin to
verify the code.
Use this link for the Windows 2003 Window Script 5.7 software:
http://www.microsoft.com/downloads/en/confirmation.aspx?
displaylang=en&FamilyID=f00cb8c0-32e9-411d-a896-f2cd5ef21eb4
Use this link for Windows XP or Windows 2000 Window Script 5.6 software:
http://www.microsoft.com/downloads/en/confirmation.aspx?
FamilyID=47809025-D896-482E-A0D6-524E7E844D81

Ensemble Controller R15.3 Administrator Manual - Issue: A 426

Adtran Troubleshooting

Ensemble Controller Server processes do not

start after server restart or crash.
Issue: You rebooted your Windows or Linux system before the PostgresSQL server
was able to terminate its shutdown process. That is, the PostgresSQL process
prevents the system from starting properly.

Cause: The reason for that is, the Postgres database writes a control file to prevent a
second postgres instance from running on the same server. This control file is
deleted if you shut down the PostgresSQL server. If the PostgresSQL shutdown
process is disrupted, for example if you restart the system, before the control
file is deleted, the server cannot restart as long as this file exists.

Solution: Delete the postmaster.pid file located in the Ensemble Controller installation
directory ...\postgres\data, and then restart your system.

The Ensemble Controller Server does not start

after Linux restarts.
Cause: The runlevel of the Linux server is not set to the required level.

Solution: Complete either of these options in your Linux system:

l In the /etc/inittab file, change the runlevel value to 3, and then restart.
–or–
l Copy the S96postgres file and the S98fnm.server file from /etc/rc3.d to
/etc/rc5.d/.

Linux stops with the error message: "No

buffer space available."
Cause: If Linux discovers network elements, it uses the local address resolution
protocol (ARP) for processing purposes. If it discovers a large number of
network elements, for example 10,000 network elements, the ARP table stores
many entries respectively, and thus is likely to exceed the upper threshold of
1,024 entries. This results in the No buffer space available error message.

Solution: Increase the ARP table threshold ("lookup") number to 32,768 in these files,
and then restart your Linux system:
l /proc/sys/net/ipv4/neigh/default/gc_thresh1
l /proc/sys/net/ipv4/neigh/default/gc_thresh2
l /proc/sys/net/ipv4/neigh/default/gc_thresh3

Ensemble Controller R15.3 Administrator Manual - Issue: A 427

Adtran Troubleshooting

Open-file limit is too low for the Ensemble

Controller Server process in Linux
Cause: File descriptors are open while they connect to the network element, and also
when MTOSI is enabled, for example during inventory polling. If inventory
polling takes less than one minute, the file descriptor stays open and the
system generates error messages.

Solution: Increase the open-file limit on the server as described in Installing Ensemble
Controller in Linux.

Cannot launch the Ensemble Controller

Client.
Issue: The unzipping of the client files, which happens on a first launch or upon
upgrade, fails for unknown reasons.

Solution: Delete all files and folders in C:\ProgramData\clientupdater.

Problem to start the Ensemble Controller

Client
Cause: Insufficient memory to launch client. This error displays:

Solution: Close other applications, and then relaunch the Ensemble Controller Server
and Client.

Ensemble Controller R15.3 Administrator Manual - Issue: A 428

Adtran Troubleshooting

Irrelevant error message that Mediation

Server could not start
Issue: On some Windows computers, you might experience that the Ensemble
Controller Client and Server start successfully. However, the system still sends
a message that it could not start the Mediation Server as this example shows:
Start_Server
Starting Ensemble Controller Server...
The ADVA: PostgreSQL Server service is starting.
The ADVA: PostgreSQL Server service was started successfully.
The ADVA: JMS Server service is starting.
The ADVA: JMS Server service was started successfully.
The ADVA: SNMP Forwarder service is starting.
The ADVA: SNMP Forwarder service was started successfully.
The ADVA: Mediation Server service is starting.....
The ADVA: Mediation Server service could not be started.
More help is available by typing NET HELPMSG 3523.
Command Failed, please check error(s) messages above.

Solution: Complete the steps provided at

https://support.microsoft.com/en-us/help/922918/a-service-does-
not-start-and-events-7000-and-7011-are-logged-in-window
to add the registry key ServicesPipeTimeout with a value of 120,000
milliseconds to the Registry Editor in these directories:
l Computer\HKEY_LOCAL_
MACHINE\SYSTEM\CurrentControlSet\Control
l Computer\HKEY_LOCAL_
MACHINE\SYSTEM\CurrentControlSet\Services\advams

Ensemble Controller R15.3 Administrator Manual - Issue: A 429

Adtran Troubleshooting

Unable to launch the Ensemble Controller

Client after download and upgrade to 12.1.1
Issue: If you use an Ensemble Controller Client version before 12.1.1, and you connect
to a 12.1.1 Ensemble Controller Server, a Confirm dialog box opens that
recommends to upgrade your Client to 12.1.1.

After you select Yes, the software downloads and upgrades your Client. After
the upgrade finishes, an Error message displays:

Solution: For all Ensemble Controller Client versions that you want to upgrade to 12.1.1,
first complete these steps:
1. Use a text editor to open the launch.properties file that Ensemble
Controller stores in the clientupdater installation directory.
2. In the launch.properties file, search for
-Djava.endorsed.dirs=lib/endorsed, and then delete it. Also remove any
leftover spaces to adjust the line.
3. Log in the Ensemble Controller Client as planned.

Resolving Access Issues

This section addresses connectivity issues between the Network Management Software and
the network.

Cannot ping the network element 431

Cannot configure the network element through the Element Manager 431
SNMP timeout occurs while accessing the network element 432
The Ensemble Controller Client cannot connect to the Server 433
The Ensemble Controller Client cannot connect because of incorrect user name -
password pair 433
SNMPv3 communication fails after factory-default reset 434

Ensemble Controller R15.3 Administrator Manual - Issue: A 430

Adtran Troubleshooting

Centralized Control Plane Cannot Connect to the Network Element on Server with Two
Network Interfaces 434
Centralized Control Plane Cannot Install and Use Signed Certificate 435

Return to Troubleshooting Steps.

Cannot ping the network element

Cause: This issue can occur for multiple reasons. It could be related to the hardware
or to the software. Hardware issue like a faulty cable are not discussed in that
document. It is assumed that the hardware and the cabling is setup properly
and works as designed.
l A most common reason is that the IP address or the IP route or default
gateways is not setup correctly in the network element or in the Ensemble
Controller Server.
l Another possibility is that the port for pings (ICMP messages) is blocked in
the network.

Solution: 1. Verify whether the IP configuration of the Ensemble Controller Server and
of the network element is consistent.
2. Verify whether ICMP messages are filtered in the firewall.
3. Verify whether the network element is powered up and ready for service

Cannot configure the network element

through the Element Manager
Cause: You do not have SNMP write access to the network element. These situations
could be the reason:
l SNMP write access is prohibited on the network element. You can verify the
write access settings for a selected network element in the Overview tab,
SNMP Configuration area, Management Settings.
l The SNMP write community string in the Ensemble Controller does not match
the community string specified in the network element. In that case it is not
possible to perform SNMP set commands. Nobody has write access to this
network element.
l Your user privileges in the Ensemble Controller are not sufficient to change
parameters on the network element.

Ensemble Controller R15.3 Administrator Manual - Issue: A 431

Adtran Troubleshooting

Solution: 1. Enable SNMP SET access on the NE for everyone or for a dedicated range
of Ensemble Controller Servers. You can do this through the NE craft
interface in the menu SNMP configuration.
2. Make sure that the write community string of the network element
matches the write community setup in the Element Manager. You can do
this through the network element craft interface in the menu SNMP
configuration.
3. The Element Manager supports users with different privileges so called
roles. Contact the network administrator for more information about
roles.

SNMP timeout occurs while accessing the

network element
You have these options to troubleshoot the issue:

Option 1 – IP Connectivity Bad 432

Option 2 – Improper Handling of Fragmented Packets or MTU Too Small 432

Option 1 – IP Connectivity Bad

Cause: The IP connection is bad.

Solution: 1. Check connectivity to the network element with a “ping”. If a ping fails, see
solutions mentioned under Cannot ping the network element
2. If you are able to ping the NE, from the Ensemble Controller application
bar Settings menu, select Configuration, and then SNMP Profiles Manager.
3. Select the profile that this network element uses, and then in the Timeout /
[sec] field, adapt the timeout value.
4. If you still get the timeouts and you are using Windows XP, verify that
you enabled the firewall, which is automatically installed with Service
Pack 2. This can cause an unpredictable behavior even if the
applications have "allowed status" in the firewall configuration.

Option 2 – Improper Handling of Fragmented Packets or

MTU Too Small

Cause: Improper handling of fragmented packets or the maximum transmission unit

(MTU) is too small.

Ensemble Controller R15.3 Administrator Manual - Issue: A 432

Adtran Troubleshooting

Solution: Follow either of these solutions:

l Change to SNMPv1 because there are no SNMP GET BULK requests, which
can have gotten fragmented.
l Fix intermediate device 'data communication network' (DCN)
configurations to allow for large or fragmented packets on the path
between Ensemble Controller (ENC) and network element (NE).

The Ensemble Controller Client cannot

connect to the Server
Cause: l The user name of the Ensemble Controller Server cannot be resolved. DNS
server might be missing in the network.
l A firewall between the Ensemble Controller Server and Client computer is
blocking required ports.

Solution: 1. Make sure that the Ensemble Controller Server computer knows itself
under the same name as the Client. If a DNS server is missing, from the
Ensemble Controller Server computer name, remove the DNS suffix.
2. The Ensemble Controller Client and Server communicate through the
ports as outlined in Supported Communication Ports. Make sure that a
firewall does not block these ports. Note that Windows XP by default
enables a firewall. Make sure that it is disabled because it could still
cause unpredictable problems although correctly configured.

The Ensemble Controller Client cannot

connect because of incorrect user name -
password pair
Issue: You forgot your password or someone has changed it.

Solution: 1. If you have a backup from a point in time where you know the passwords
then replay the backup and after that you will be able to login with the
old passwords. Beware that changes from the timespan between now
and that date in the past will be lost.
2. Take a backup of the current database and send that to Adtran support.
The password for admin will be reset and the database sent back to you
for replay.

Ensemble Controller R15.3 Administrator Manual - Issue: A 433

Adtran Troubleshooting

SNMPv3 communication fails after factory-

default reset
Issue: SNMP communication to the network element fails. Network element is not
visible in Ensemble Controller.

Solution: On FSP150CP and CM, after you reset Ensemble Controller to factory defaults,
and especially with SNMPv3 configurations, you must set up the SNMP
credentials on the network element, and then toggle the SNMP configuration
in the Ensemble Controller as follows:
1. In the tree pane Networks tab, select the problem network element, and
then in the tab pane, open the Overview tab. If this tab is not yet
available in the pane, press Ctrl + t. In the window that opens, select the
relevant tab name. The Overview tab shows the parameter group areas
for the selected network element.
2. In the SNMP Configuration area, click the pen icon .
3. In the SNMPv3 Settings area, User Name field, change the user name, for
example, to netadmin1, and then click Apply. For more information about
how to change SNMP settings for an individual network element, see the
User Manual.
4. Open the SNMP Profiles tab for the network that includes the network
element. If this tab is not yet available in the pane, press Ctrl + t. In the
window that opens, select the relevant tab name.
5. In the Profile Name column, note down the SNMP profile that this network
uses.
6. In the ribbon menu Action area, select SNMP Profiles Manager.
7. In the SNMP Profiles Manager window, select the profile for the network.
For information about the SNMP Profiles Manager window, see the User
Manual.
8. In the SNMP Settings area, SNMPv3 Settings, User Name field, change the
user name back to the original name, and then click Apply.

Centralized Control Plane Cannot Connect to

the Network Element on Server with Two
Network Interfaces
Cause: On the ENC Server with two or more network interfaces, it is possible that not
all changes in the networks are visible for docker service. This may lead to a
situation where Centralized Control Plane (CPc) which runs in docker
container cannot connect to the network element, and only ENC can connect
to this network element.

Ensemble Controller R15.3 Administrator Manual - Issue: A 434

Adtran Troubleshooting

Solution: Restart the docker service:

systemctl restart docker
After the restart, CPc will see all networks from the ENC Server and will be able
to connect to the network element.

Centralized Control Plane Cannot Install and

Use Signed Certificate
Cause: The ni-install-certificates.sh script requires a network connection between
Centralized Control Plane (CPc) and ENC server. The CPc sends a certificate
download request to the Ensemble Controller server using source address
from docker bridge network and destination port 8443. The Centralized
Control Plane uses the obtained certificate to communicate with ENC on port
9543. If a firewall blocks this communication, the certificate will not be
installed (an error 404 will be returned) or connection to network elements
using the certificate will not work.

Solution: Check the address of the docker bridge network:

docker network inspect docker_gwbridge | grep Subnet
The system displays the IP address of the network, for instance 172.18.0.0/16.
Modify your firewall settings to allow connectivity from this network to port
8443 in order to install singed certificate and port 9543 in order to
communicate with network elements using the certificate.

Resolving Normal Operations Issues

This section discusses issues that could happen during normal operation with the network
management software.

General Trouble 436

Ensemble Controller Menu displays in gray color. 437
Ensemble Controller does not receive traps. 437
Ensemble Controller displays the network-element inventory incorrectly. 438
Ensemble Controller does not detect a fiber break. 438
The Ensemble Controller Server detects a false fiber break. 438
Different alarm severities in Ensemble Controller and Element Manager. 439
Removed module displays in the Ensemble Controller inventory. 439
Connections from removed modules still display. 439
Alarms in the Alarm View display in gray color. 440
You cannot start the Element Manager for an FSP 3000R7 NE. 440

Ensemble Controller R15.3 Administrator Manual - Issue: A 435

Adtran Troubleshooting

Configuration backup of FSP 3000R7 fails with the message “Download protocol …”. 440
After configuration, network element backup fails with the message “... Backup server is
not responding...” 441
You received the system event “Maximum amount of events, which are queued for
processing, has been reached (“500”), events are discarded.” 441
You receive the event “System time deviation high”. 442
The Notification Manager does not send emails although configured. 442
You receive the event “Authentication failure trap message”. 443
Ensemble Controller receives no traps for an FSP 3000R7 network element. 443
The system does not write the trap address to the FSP 150CM. 444
The Ensemble Controller Server crashes after a time or time zone change, scheduled
backup does not work, or status polling never ends. 444
“Unknown Entity” displays in alarm or event windows. 445
Security Manager permission "Write Access to Supported Connections" is not blocked
although disabled. 445
UDP Packet Loss on a Linux Server 446

Return to Troubleshooting Steps.

General Trouble
The Ensemble Controller database can be inconsistent, for example, if an inventory update fails
to update the database according to the real inventory.
Complete these steps to verify the Ensemble Controller database for any inconsistencies and
fix them if required:
1. In the tree pane Networks tab, right-click a single network element, a network, or the root,
and then select Check DB Consistency. After the system finishes the database verification,
the DB Consistency dialog box appears.
2. In the DB Consistency dialog box, Results area, click Show Details to verify the list for any error
messages.
3. Export the DB consistency results to a file, if required:

a. Click Export.
b. In the Save As dialog box, select the location and file name.
c. Click Save.

4. If Ensemble Controller reports a database inconsistency, right-click the same tree pane
element as in Step 1, and then select Fix DB Inconsistency.
5. Wait for this operation to complete. After the system completes, the DB Consistency dialog
box appears.
6. Click Show Details to verify whether the system fixed the errors.

Ensemble Controller R15.3 Administrator Manual - Issue: A 436

Adtran Troubleshooting

7. If required, repeat the steps to clear remaining errors.

8. If your issue still remains, contact our Technical Services.

Ensemble Controller Menu displays in gray

color.
Cause: Ensemble Controller supports users with different privileges. If a user does not
have the privileges to run a menu it displays in gray color.

Solution: Contact your network administrator for more information about privileges.

Ensemble Controller does not receive traps.

Cause: l The most common cause is that you did not specify Ensemble Controller
as a trap recipient in the network element.
l Another process blocks trap port 162 on the Ensemble Controller Server
machine. Ask your system administrator for support if you think that this is
the reason but you cannot resolve it.
l IP connectivity between the network element and the Ensemble Controller
is bad.

Solution: 1. In the trapsink table of the network element, type the IP address of the
management station. Use the FSP Element Manager or the network
element craft interface.

2. Verify that only the Ensemble Controller uses the trap port 162 on the
management machine.
3. Verify the IP connection. If it is bad, contact your network administrator.

Ensemble Controller R15.3 Administrator Manual - Issue: A 437

Adtran Troubleshooting

Ensemble Controller displays the network-

element inventory incorrectly.
Cause: Lost traps can cause inconsistencies in the inventory.

Solution: Force inventory polling of the network element or press F5.

Ensemble Controller does not detect a fiber

break.
Cause: Ensemble Controller uses alarm correlation to detect fiber breaks. This means
that the time between the network elements and the Ensemble Controller
Server must be synchronized.

Solution: 1. Use a network time protocol (NTP) server to synchronize the time of all
network elements and the Ensemble Controller Server. You can setup an
NTP server on each network element through the craft interface.
2. Install timesync software on your Windows Ensemble Controller Server.
–or–
Use the net time command to configure the Windows Time Service.
For Linux, you must set up an xntp server.

The Ensemble Controller Server detects a

false fiber break.
Cause: To detect a fiber break the Ensemble Controller Server is reliant on the correct
setup of fibers if the network includes an OSC. If fibers are not set up correctly,
the Ensemble Controller Server might report a fiber break as soon as all the
connections that use that fiber signal LOS or LOC. If you defined only one
connection, then this can happen very easily.

Solution: Verify and correct the fiber setup.

Ensemble Controller R15.3 Administrator Manual - Issue: A 438

Adtran Troubleshooting

Different alarm severities in Ensemble

Controller and Element Manager.
Cause: Ensemble Controller and the integrated Element Manager work
independently from one another. Alarms are forwarded to and interpreted
from both managers independently.

Solution: To harmonize the alarm severities, adjust the severities for Ensemble
Controller and Element Manager.

Removed module displays in the Ensemble

Controller inventory.
Issue: The channel module appears in the Ensemble Controller inventory even
though you removed it from the network element.

Cause: Ensemble Controller keeps removed modules in the database and lists them
in the inventory with the installation state not installed. The module state will
indicate a mismatch. Ensemble Controller deletes a removed module from
the database only when you insert a different module in the same slot, or if
you manually delete it.

Solution: If the module is not physically installed, you can delete it from the Ensemble
Controller database in the Modules tab.

Connections from removed modules still

display.
Issue: Ensemble Controller displays connections that are related to the modules
that you removed from the network element.

Cause: Ensemble Controller keeps connections in the database although you

removed the related module from the network element. The advantage is
that the connections are not lost if you remove modules for test or
maintenance purposes. Ensemble Controller deletes the connections only
when you insert a different module in the same slot, or when you manually
delete the module.

Solution: If the module is not installed you can delete it from the Ensemble Controller
database in the Modules Tab.

Ensemble Controller R15.3 Administrator Manual - Issue: A 439

Adtran Troubleshooting

Alarms in the Alarm View display in gray

color.
Cause: Ensemble Controller displays disabled alarms in gray color in the Alarm View.
Ensemble Controller disables alarms that are not related to a connection.
You can manually disable and filter alarms.

Solution: Works as designed. No action required.

You cannot start the Element Manager for an

FSP 3000R7 NE.
Cause: The Element Manager for your FSP 3000R7 network element is not included in
the Ensemble Controller Server because of operability reasons. Future
releases might contain it again.

Solution: For the moment, it works as intended. To access your network elements, you
can use the Web Manager, Telnet, or CLI. A standalone version of the Element
Manager for FSP 3000R7 is available. Contact us if you plan to purchase it.

Configuration backup of FSP 3000R7 fails with

the message “Download protocol …”.
Cause: To back up FSP 3000R7 configurations, you require a working FTP server. The
network elements contain no FTP server of their own. If it is missing or
configured incorrectly, the download of backup configurations from the
network element will fail.

Solution: Configure the NE Backup Transfer settings as described in the User Manual.

Ensemble Controller R15.3 Administrator Manual - Issue: A 440

Adtran Troubleshooting

After configuration, network element backup

fails with the message “... Backup server is
not responding...”
Cause: When the network element backup fails, this error message displays:
"Final failure. (Internal error: Backup server is not responding)!"
It means that the last connection to the server failed, and the system
changed the server status to not alive.
Ensemble Controller tests the server availability every 5 minutes as
configured. Ensemble Controller will connect to the FTP or SFTP server as soon
as the availability test is successful.

Solution: 1. Verify that the FTP or SFTP server is running.

2. To manually test the server availability, in the Ensemble Controller
Settings, select Configuration, and then Network Properties.
3. From the left menu, select NE Backup Transfer.
4. In the relevant server area, click Test FTP Server Connection or Test
SFTP/SCP Server Connection.
If the test is successful, the network element backup will immediately start.

You received the system event “Maximum

amount of events, which are queued for
processing, has been reached (“500”),
events are discarded.”
Cause: Network element traps flood Ensemble Controller. The amount is so high that
the system cannot respond properly anymore.

Solution: To determine the root cause, use a type of network sniffer to find the network
element through its IP address that produces much traffic and thus floods
the system.

Ensemble Controller R15.3 Administrator Manual - Issue: A 441

Adtran Troubleshooting

You receive the event “System time deviation

high”.
Cause: The network element time is not synchronized with the Ensemble Controller
Server. This could impede event correlation, for example.

Solution: Correct the network element time settings. We recommend to use a network
time-protocol server that takes care of the time synchronization on both the
Ensemble Controller Server and the network element.

The Notification Manager does not send

emails although configured.
Cause: l The user email address that you specified in the Notification Manager is
invalid.
l The SMTP server that you specified might reject the sender address, is not
reachable, or not configured at all.
l You specified a very long time for the waiting time delay, which
determines the time after an event occured when Ensemble Controller
can send events.

Solution: 1. Consult your SMTP administrator to get a valid server address or a valid
email address that is registered with the server for outgoing email traffic.
2. In the Ensemble Controller Settings, select System, and then Server
Preferences > SMTP.
3. In the SMTP page fields, type the data obtained from your administrator
in Step 1.
4. Click OK.
5. In the Ensemble Controller Settings, select System, and then Notification
Manager.
6. Specify a shorter delay for getting notifications.
For example, if you specify a delay of 2 days, you will get notification
earliest after 2 days. The notification then includes all the events that
occurred within these two days.

Ensemble Controller R15.3 Administrator Manual - Issue: A 442

Adtran Troubleshooting

You receive the event “Authentication failure

trap message”.
Cause: The system generates this trap when:
l The agent on the network element receives the request from an
unauthorized manager.
–or–
l The request contains an incorrect community string.
The trap message contains the IP address and community string of the
manager that sent the request. Ensemble Controller displays this trap in the
Events tab.
NOTE
Only FSP 1500 has this functionality.

Solution: 1. If an unauthorized manager caused this trap, it works as designed.

2. If the community string is incorrect, fix it in the manager that issued the
request.

Ensemble Controller receives no traps for an

FSP 3000R7 network element.
If you do not receive traps from an FSP 3000R7 network element that has been configured to not
use the OSPF protocol, this can be due to an incorrect configuration of the network element
system IP address. You must use the network element IP address rather than the LAN or Ethernet
IP address.
The FSP 3000R7 network element has two IP addresses, an IP address for the Ethernet interface,
and a system IP address. If you add network elements to the Ensemble Controller database, you
must enter the network-elements system IP address. If this IP address is not configured at all, or
incorrectly configured, the Ensemble Controller cannot receive traps from it.
The easiest way to be sure that the setting is correct, is to set the same IP address for the
Ethernet interface and the system IP.
Consult the FSP 3000R7 Provisioning and Operations Manual for instructions on how to carry out
the described tasks.
1. Verify whether you configured the FSP 3000R7 to use OSPF routing.
2. If OSPF routing is used:
a. Verify that the system IP address is equal to the IP addresses assigned to the SC-1-A-C-
LANIP (Ethernet interface).
b. If the IP addresses are equal, go to Step 5.
c. If the IP addresses are different, modify the system IP address to the same address as the
Ethernet interface.

Ensemble Controller R15.3 Administrator Manual - Issue: A 443

Adtran Troubleshooting

3. If OSPF routing is not used, go to Step 5.

4. Verify whether Ensemble Controller now receives traps from the FSP 3000R7 network
element.
5. If Ensemble Controller still does not receive traps, there is another cause for this trouble.
Contact the Adtran Technical Services for assistance.
6. If Ensemble Controller now can receive traps, you are finished with this procedure.

The system does not write the trap address

to the FSP 150CM.
Cause: The system does not write the trap address to the FSP 150CM network element
in the initial discovery process. Ensemble Controller discovers the network
element, however does not send traps from the network element to
Ensemble Controller.
NOTE
The network element does send alarms only if the public string is available
while Ensemble Controller discovers it. After Ensemble Controller discovered
the network element, you can delete the public string and the network
element continues to send traps to Ensemble Controller.

Solution: Ensemble Controller uses SNMPv2c to handle traps. Make sure that you
correctly configured the SNMPv2c community string in Ensemble Controller.
Also, if you use SNMPv3 as the communication protocol between Ensemble
Controller and the network element, make sure you correctly configured the
SNMPv3 credentials.

The Ensemble Controller Server crashes after

a time or time zone change, scheduled
backup does not work, or status polling never
ends.
Cause: The Windows system time changed to a time in the past or you changed the
system time zone.

Solution: Restart the Ensemble Controller Server.

Ensemble Controller R15.3 Administrator Manual - Issue: A 444

Adtran Troubleshooting

“Unknown Entity” displays in alarm or event

windows.
Cause: Alarm or event windows sometimes show Unknown Entity when Ensemble
Controller receives a trap from the entity that is not discovered or is not
supported in Ensemble Controller.

Solution: For the undiscovered entity, Ensemble Controller corrects the AID after it
successfully discovered the entity.

Security Manager permission "Write Access

to Supported Connections" is not blocked
although disabled.
Cause: Although you disabled the role permission Write Access to Supported
Connections in the Security Manager, you can still execute any actions
related to this permission.

Ensemble Controller R15.3 Administrator Manual - Issue: A 445

Adtran Troubleshooting

Solution: To apply the required security restriction, apart from Write Access to
Supported Connections, you must also disable all the other permissions in
the Configuration-Services category except for these ones:
l Browse Services
l Ensemble Bandwidth Manager
l Read Access to Supported Connections

UDP Packet Loss on a Linux Server

Cause: If the system experiences a high SNMP trap rate, the UDP buffer resources
become insufficient and some UDP packets (SNMP traps) might get lost. This
could reduce the Ensemble Controller performance because of additional
resynchronization procedures.

Solution: 1. Add these lines to the /etc/sysctl.conf file, and increase their buffer limits
to at least 25 MB:
net.core.rmem_max=26214400
l

net.core.rmem_default=26214400
l

2. Restart your Linux system.

Ensemble Controller R15.3 Administrator Manual - Issue: A 446

Hardware or Software Support and
Adtran
Compatibilities

Appendix A
Hardware or Software Support
and Compatibilities
Communication Ports 447
Client Property Overview 456
Server Property Overview 457
Error-free Output of Database Validation Verification 512
Entity Index or AID Values 514

Communication Ports
Communication ports transfer system data for specific purposes between the Ensemble
Controller, different servers, and network elements. The tables in Supported Communication
Ports outlines these ports with respect to source, destination, application, protocol and purpose.
This information is especially helpful when configuring a firewall.

Port Connection Sequence 447

Configuring Server and Client Communication Ports 448
Effects on the GUI Using Secure Ports 449
Supported Communication Ports 449

Port Connection Sequence

This is the sequence in which the Ensemble Controller Server and Client connects to ports for
the initial communication:
1. The server listens on both, secure (HTTPS) and insecure (HTTP) ports.
2. The client first tries to connect to the secure port.
3. If the secure connection fails, the client connects to the insecure port.

Ensemble Controller R15.3 Administrator Manual - Issue: A 447

Hardware or Software Support and
Adtran
Compatibilities

Configuring Server and Client

Communication Ports
To specify secure and insecure ports for the server and the client (client updater), edit the
relevant properties in these files:
l fnm.properties: Use these properties to set the server ports:
o com.adva.fnm.option.webserver.port
To disable insecure ports, set the property
com.adva.fnm.option.webserver.port to none.
Recommendation:
If you set the property to none, we recommend that you adapt these tile
server properties to use https.

o com.adva.fnm.option.TileServerLayer.street=https:[...]
o com.adva.fnm.option.TileServerLayer.satellite=https:
[...]
For information about map tile servers, see Installing the Local
Geographical Map-Tile Server in Linux.

o com.adva.fnm.option.rest.securePort
The fnm.properties file is stored in the Ensemble Controller installation directory, which is for
example: C:\Program Files (x86)\ADVA Optical Networking\FSP Network Manager
For more information about these properties, see the respective paragraph in Server Access
Options.
For more information about editing the fnm.properties file, see Editing the fnm.properties File.
l launch.properties: Set client updater ports. The property to edit is
launcher.webserver.port_x
By default, the ports in the launch.properties file are specified as follows:
launcher.webserver.port_0=8443
launcher.webserver.port_1=8080
launcher.webserver.port_2=80
launcher.webserver.port_3=9000
After you configure the web server in the fnm.properties file to use a different port than the
default one, you must edit the launch.properties file accordingly. For example,
launcher.webserver.port_4=9999
where 9999 represents the port that the server uses.
The launch.properties file is stored in the Ensemble Controller installation directory, which is
for example: C:\Program Files (x86)\ADVA Optical Networking\FSP Network
Manager\clientupdater
Consider that the value that you set for
com.adva.fnm.option.rest.securePort must match one of the
launcher.webserver.port settings in the launch.properties file so that the
client updater can communicate with the server through a secure port.

Ensemble Controller R15.3 Administrator Manual - Issue: A 448

Hardware or Software Support and
Adtran
Compatibilities

Effects on the GUI Using Secure Ports

If you use secure ports for communication, a server certificate displays for you to accept if you
perform these actions in the Ensemble Controller Client graphical user interface (GUI):
l Logging in to the Ensemble Controller Client
For more information about how to log in to the Ensemble Controller, see Logging Into the
Ensemble Controller Client.
l Configuring the Multi-server Management window
For more information about the Multi-server Management window and its usage, see the
User Manual.

Supported Communication Ports

This section provides an overview of the communication ports for connected sources and
destinations and includes the related applications and protocols.

Source Destination Reference to Supported Communication

Ports, Different Applications and
Protocols

Ensemble Ensemble Controller Table 18 Ensemble Controller Client

Controller Client Server Connections to Ensemble Controller Server
Connections
Message Server Table 19 Ensemble Controller Client
Connections to Message Server

Ensemble Controller Table 20 Ensemble Controller Client

Server SNMP Forwarder Connections to Ensemble Controller Server
App SNMP Forwarder App

Network Element Table 21 Ensemble Controller Client

Connections to Network Element

Ensemble Controller R15.3 Administrator Manual - Issue: A 449

Hardware or Software Support and
Adtran
Compatibilities

Source Destination Reference to Supported Communication

Ports, Different Applications and
Protocols

Ensemble Ensemble Controller Table 22 Ensemble Controller Server

Controller Server Server Connections to Ensemble Controller Server

Ensemble Controller Table 23 Ensemble Controller Server

Server (Remote) Connections to Ensemble Controller Server
(Remote)

Ensemble Controller Table 24 Ensemble Controller Server

Server (Primary or Connections to Ensemble Controller Server
Standby) (Primary or Standby)

Quorum Server Table 25 Ensemble Controller Server

Connections to Quorum Server

Fiber Director Server Table 26 Ensemble Controller Server

Connections to Fiber Director Server

SyncAssurance Table 27 Ensemble Controller Server

Connections to SyncAssurance

Message Server Table 28 Ensemble Controller Server

Connections to Message Server

Postgres Database Table 29 Ensemble Controller Server

Connections to Postgres Database

FTP Server Table 30 Ensemble Controller Server

Connections to FTP Server

Network Element Table 31 Ensemble Controller Server

Connections to Network Element

NTP Server Table 32 Ensemble Controller Server

Connections to NTP Server

SNMP Forwarder Table 33 Ensemble Controller Server

Connections to SNMP Forwarder

Ensemble Controller R15.3 Administrator Manual - Issue: A 450

Hardware or Software Support and
Adtran
Compatibilities

Source Destination Reference to Supported Communication

Ports, Different Applications and
Protocols

Network Element Ensemble Controller Table 34 Network Element Connections to

Server Ensemble Controller Server

FTP Server Table 35 Network Element Connections to

FTP Server

SCP Server Table 36 Network Element Connections to

SCP Server

FlexNet Embedded Table 37 Network Element Connections to

Server FlexNet Embedded Server

SNMP Forwarder Network Element Table 38 SNMP Forwarder Connections to

Network Element

Web Browser FlexNet Embedded Table 39 Web Browser Connections to

Server FlexNet Embedded Server

EFD Mobile Application Table 40 Web Browser Connections to

EFD Mobile Application

Quorum Server Ensemble Controller Table 41 Quorum Server Connections to

Server (primary or Ensemble Controller Server (Primary or
standby) Standby)

Ensemble Fiber Ensemble Fiber Director Table 42 Ensemble Fiber Editor to Ensemble
Editor Server Fiber Director Server

Servers Using Ensemble Controller Table 43 Servers Using Mutual

Mutual Server Authentication Connections to Ensemble
Authentication Controller Server

Table 18: Ensemble Controller Client Connections to Ensemble Controller Server

Application Port Protocol Purpose or Remarks

HTTP 8080 TCP For legacy client software

updates through the REST
interface or the client updater
from an Ensemble Controller
installation earlier than version
9.2.

HTTPS 8443 For client software updates

through the REST interface and
other secured REST interfaces.

HTTP, HTTPS 9090 For the HTTP proxy functionality.

Ensemble Controller R15.3 Administrator Manual - Issue: A 451

Hardware or Software Support and
Adtran
Compatibilities

Table 19: Ensemble Controller Client Connections to Message Server

Application Port Protocol

JMS 33028 TCP

Table 20: Ensemble Controller Client Connections to Ensemble Controller Server SNMP
Forwarder App
Application Port Protocol Purpose or Remarks

Prop 2545 TCP For Element Manager functionality.

Table 21: Ensemble Controller Client Connections to Network Element

Application Port Protocol Purpose or Remarks

SSH, SCP 22 TCP

Telnet 23

HTTP 80 For the Web GUI.

HTTPS 443 For the Web GUI over HTTPS.

SyncView Plus 8000 Open SyncView Plus from the Ensemble

Controller to communicate with the OSA
5548C device.

Table 22: Ensemble Controller Server Connections to Ensemble Controller Server

Application Ports Protocol Purpose or Remarks

RMI 33091 TCP Remote operations between the nmsadmin

script and the server.

Table 23: Ensemble Controller Server Connections to Ensemble Controller Server (Remote)
Application Ports Protocol Purpose or Remarks

HTTPS 8443 TCP Standard High Availability

9543

Ensemble Controller R15.3 Administrator Manual - Issue: A 452

Hardware or Software Support and
Adtran
Compatibilities

Table 24: Ensemble Controller Server Connections to Ensemble Controller Server (Primary or
Standby)
Application Ports Protocol Purpose or Remarks

HTTPS 2379 TCP Streaming Replication High Availability

2380
8008

SQL 5432

Table 25: Ensemble Controller Server Connections to Quorum Server

Application Ports Protocol Purpose or Remarks

HTTPS 12379 TCP Streaming Replication High Availability

12380 The ports differ depending on the number of
managed clusters. See Overview of Quorum
Server Ports.

Table 26: Ensemble Controller Server Connections to Fiber Director Server

Application Ports Protocol Purpose or Remarks

HTTP 10080 TCP Communication to the Ensemble Fiber

Director Server. See Requirements to Install
HTTPS 10443 the Ensemble Fiber Director Server.

Table 27: Ensemble Controller Server Connections to SyncAssurance

Application Ports Protocol Purpose or Remarks

HTTPS 8093 TCP Communication to the SyncAssurance server.

See Installing and Configuring the Sync
Assurance Application in Linux.

Table 28: Ensemble Controller Server Connections to Message Server

Application Ports Protocol Purpose or Remarks

JMS 33028 TCP Available only locally on the server machine.

Table 29: Ensemble Controller Server Connections to Postgres Database

Application Ports Protocol Purpose or Remarks

SQL 5432 TCP Available only locally on the server machine.

Ensemble Controller R15.3 Administrator Manual - Issue: A 453

Hardware or Software Support and
Adtran
Compatibilities

Table 30: Ensemble Controller Server Connections to FTP Server

Application Ports Protocol Purpose or Remarks

FTP 21 TCP Information and server management; can

also be SFTP.

SFTP 22 Information and server management.

SCP

Table 31: Ensemble Controller Server Connections to Network Element

Application Ports Protocol Purpose or Remarks

HTTPS 443 TCP SSO support for the Web GUI over HTTPS. See
Single Sign-On Support (SSO).

SNMP 161 UDP SNMP manages the get and response

functions.

Table 32: Ensemble Controller Server Connections to NTP Server

Application Ports Protocol Purpose or Remarks

NTP 123 UDP Use for an NTP time update.

Table 33: Ensemble Controller Server Connections to SNMP Forwarder

Application Ports Protocol Purpose or Remarks

SNMP 2545 UDP Trap forwarding. Available only locally on the

server machine. Need only if you manage FSP
1500 devices using the Element Manager.

Table 34: Network Element Connections to Ensemble Controller Server

Application Ports Protocol Purpose or Remarks

SNMP 161 UDP SNMP response.

SNMP 162 UDP SNMP traps.

Ensemble Controller R15.3 Administrator Manual - Issue: A 454

Hardware or Software Support and
Adtran
Compatibilities

Table 35: Network Element Connections to FTP Server

Application Ports Protocol Purpose or Remarks

FTP 20 TCP File transfer. Disable this server if you use SCP,
and the network element supports the server.

21 Information and server management. Yo can

also use SFTP.

Table 36: Network Element Connections to SCP Server

Application Ports Protocol Purpose or Remarks

SCP 22 TCP File transfer.

Table 37: Network Element Connections to FlexNet Embedded Server

Application Ports Protocol Purpose or Remarks

HTTP 7070 TCP Network element access to FlexNet (license

validation).
HTTPS 7071

Table 38: SNMP Forwarder Connections to Network Element

Application Ports Protocol Purpose or Remarks

SNMP 161 UDP SNMP manages the get and response

functions.

Table 39: Web Browser Connections to FlexNet Embedded Server

Application Ports Protocol Purpose or Remarks

HTTPS 8444 TCP License management (FlexNet Publisher from

Flexera).

Table 40: Web Browser Connections to EFD Mobile Application

Application Ports Protocol Purpose or Remarks

HTTPS 7443 TCP Communication to the EFD Mobile

Application.

Ensemble Controller R15.3 Administrator Manual - Issue: A 455

Hardware or Software Support and
Adtran
Compatibilities

Table 41: Quorum Server Connections to Ensemble Controller Server (Primary or Standby)
Application Ports Protocol Purpose or Remarks

HTTPS 2379 TCP Streaming Replication High Availability

2380

Table 42: Ensemble Fiber Editor to Ensemble Fiber Director Server

Application Ports Protocol Purpose or Remarks

SQL 25432 TCP Communication with the Ensemble Fiber

Director Server database. See Requirements
to Install the Ensemble Fiber Director Server.

Table 43: Servers Using Mutual Authentication Connections to Ensemble Controller Server
Application Ports Protocol Purpose or Remarks

HTTPS 9543 TCP On this port, ENC accepts connections from other
servers using mutual authentication. To disable
this port, edit property
com.adva.fnm.option.rest.securePortWithMutualA
uth in the fnm.propertis file. For more details about
this property, see Server Access Options.

Client Property Overview

This section describes the Remote User Options available in the fnmclient.properties file. To
customize the Ensemble Controller Client you can edit the appropriate property in this file.
l For Windows, the fnmclient.properties file is located in the Ensemble Controller installation
directory C:\Program Files\ADVA Optical Networking\FSP Network
Manager\clientupdater.
l For Linux, the fnmclient.properties file is located in the /opt/adva/fsp_nm directory.

Remote User Options

Use this option to enable or disable remote access to the Ensemble Controller Client through
special system applications such as Citrix.

Ensemble Controller R15.3 Administrator Manual - Issue: A 456

Hardware or Software Support and
Adtran
Compatibilities

com.adva.common.workbench.dialog.login.force_
system_user=false
This property is disabled (set to false) by default. When enabled (set to true), the determined
system user name is retrieved from the system and automatically entered in the User Name
field of the Login window. The field becomes disabled (dimmed) and thus cannot be edited.

Server Property Overview

This section describes the properties included in the fnm.properties file.
Whenever you change property settings, restart the Ensemble Controller Server as described in
Verifying Services in Windows and Verifying Services in Linux.

Authentication Access Options 457

Backup Options 472
Disk Space Monitoring Options 472
Ensemble Sync Director Options 473
Embedded License Server Options 477
Graphical User Interface Options 480
High Availability Options 483
Internal Options 485
Miscellaneous Options 490
Oscillating Events Suppression Options 497
Password Change Action Manager Options 498
Performance Monitoring Options 498
Qualitiy Compliance Options 499
Rapid Term Monitoring (RTM) 500
Scaling Options 503
Security Options 504
Self-Monitoring 505
Server Access Options 508
TCA Monitoring Option 512

Authentication Access Options

Ensemble Controller supports these authentication access protocols:

RADIUS 458
TACACS+ 461

Ensemble Controller R15.3 Administrator Manual - Issue: A 457

Hardware or Software Support and
Adtran
Compatibilities

LDAP 464

RADIUS
This section describes the properties to configure one or up to three RADIUS servers.
After you set the properties, you must also configure the Ensemble Controller Settings > System
> Server Preferences > Security parameters. For more information about how to set security
parameters, especially for authentication, see Setting Authentication Parameters.

Properties for the Specific RADIUS Server 459

RADIUS Client Library 461
Specifying the RADIUS Authentication Type 461

Ensemble Controller R15.3 Administrator Manual - Issue: A 458

Adtran Hardware or Software Support and Compatibilities

Properties for the Specific RADIUS Server

Properties Description

1st Server 2nd Server 3rd Server

com.adva.fnm.option.radiushost com.adva.fnm.option.radiushost2 com.adva.fnm.option.radiushost3 This property

specifies the
server IP
address or
host name.

com.adva.fnm.option.radiusport com.adva.fnm.option.radiusport2 com.adva.fnm.option.radiusport3 This property

specifies the
port that the
server listens
to. The factory
default is 1812.

Ensemble Controller R15.3 Administrator Manual - Issue: A 459

Adtran Hardware or Software Support and Compatibilities

Properties Description

1st Server 2nd Server 3rd Server

com.adva.fnm.option.radiustimeout com.adva.fnm.option.radiustimeout2 com.adva.fnm.option.radiustimeout3 This property

specifies the
server time-
out in seconds.
If you do not
set it, the
system uses
the default of 8
seconds.
NOTE:
This time-out
plus the time-
outs that you
can set for the
other RADIUS
servers, must
NOT exceed 60
seconds.

For detailed instructions about these properties, see these related topics:
l Configuring the RADIUS Server Access in Ensemble Controller
l Configuring the RADIUS Server Timeout

Ensemble Controller R15.3 Administrator Manual - Issue: A 460

Hardware or Software Support and
Adtran
Compatibilities

RADIUS Client Library

com.adva.fnm.option.radiusclient
This parameter specifies the client library that RADIUS uses.
RADIUS supports these client libraries. According to the specified library, the system determines
the maximum shared secret password length:
l axl: The system uses this library by default. It allows a maximum password length of up to 16
characters.
l jradius: Use this library if you require a password with more than 16 characters.

For RADIUS Access-Challenge, both client libraries are supported.

For information about how to specify shared secret passwords, see Setting Authentication
Parameters.

Specifying the RADIUS Authentication Type

com.adva.fnm.option.radiusauthentication
This parameter specifies the type of authentication that the configured RADIUS servers use.
These are the supported authentication types:
l PAP (default)
l CHAP
l MSCHAP
l MSCHAP2

TACACS+
This section describes the properties to configure one or up to three TACACS+ servers.
After you set the properties, you must also configure the Ensemble Controller Settings > System
> Server Preferences > Security parameters. For more information about how to set security
parameters, especially for authentication, see Setting Authentication Parameters.

Properties for the Specific TACACS+ Server 462

Specifying the TACACS+ Authentication Type 464

Ensemble Controller R15.3 Administrator Manual - Issue: A 461

Adtran Hardware or Software Support and Compatibilities

Properties for the Specific TACACS+ Server

Properties Description

1st Server 2nd Server 3rd Server

com.adva.fnm.option.tacacshost1 com.adva.fnm.option.tacacshost2 com.adva.fnm.option.tacacshost3 This property

specifies the
server IP
address or
host name.

com.adva.fnm.option.tacacsport1 com.adva.fnm.option.tacacsport2 com.adva.fnm.option.tacacsport3 This property

specifies the
port that the
server listens
to. The factory
default is 49.

Ensemble Controller R15.3 Administrator Manual - Issue: A 462

Adtran Hardware or Software Support and Compatibilities

Properties Description

1st Server 2nd Server 3rd Server

com.adva.fnm.option.tacacstimeout1 com.adva.fnm.option.tacacstimeout2 com.adva.fnm.option.tacacstimeout3 This property

specifies the
server time-
out in
seconds. If you
do not set it,
the system
uses the
default of 8
seconds.
NOTE:
This time-out
plus the time-
outs that you
can set for the
other
TACACS+
servers, must
NOT exceed
60 seconds.

For detailed instructions about these properties, see these related topics:
l Configuring the TACACS+ Server Access in Ensemble Controller
l Configuring the TACACS+ Server Timeout

Ensemble Controller R15.3 Administrator Manual - Issue: A 463

Hardware or Software Support and
Adtran
Compatibilities

Specifying the TACACS+ Authentication Type

com.adva.fnm.option.tacacsauthentication
This parameter specifies the type of authentication that the configured TACACS+ servers use.
These are the supported authentication types:
l PAP (default)
l CHAP
l MSCHAP
l ASCII

LDAP
This section describes the properties that you use to configure the access and directory
information for one or up to three LDAP servers.
l To gather valuable background information about LDAP, start off with Basics About the LDAP
Server Directory Structures.
–or–
l Immediately proceed to edit these properties to configure and use LDAP authentication:
o Specific LDAP Server Properties
o Advanced Server Properties
After you set the properties, you must also configure the Ensemble Controller Settings >
System > Server Preferences > Security parameters. For more information about how to set
security parameters, especially for authentication, see Setting Authentication Parameters.

Basics About the LDAP Server Directory Structures

Ensemble Controller connects to LDAP servers to maintain the required user information in a
single, logically centralized, tree-structured directory.
The LDAP remote authentication and authorization capability works with any directory server
that provides a standard LDAPv3 protocol interface and has the necessary schema and
directory tree structures needed as a prerequisite.
Adtran extensively tested the solution with Microsoft Active Directory and OpenLDAP directory
servers. Other directory servers should be compatible but have not been tested explicitly.
To set up an Ensemble Controller LDAP integration requires intimate knowledge of the directory
environment to configure it correctly and securely. We recommend that you discuss your
environment with the technical support if you have any doubts about how to configure LDAP
settings in Ensemble Controller.

Using the Directory for Authentication 465

Using the Directory for Authorization 465

Ensemble Controller R15.3 Administrator Manual - Issue: A 464

Hardware or Software Support and
Adtran
Compatibilities

Using the Directory for Authentication

To log in to Ensemble Controller, you must provide your username and password for
authentication. To validate your authentication credentials, Ensemble Controller uses the
fnm.properties settings as described in Specific LDAP Server Properties and Advanced Server
Properties to form an LDAP query as follows:
1. Find the user entry in the directory.
When Ensemble Controller searches for the user entries in the directory, ENC makes this LDAP
request:
l The search root = Search Base.
l The search scope = Subtree.
l The search filter = Filter = (&(objectClass=<User Object Class>)[(objectCategory=<User
Object Category>)](<Login Attribute>=<username>)).
2. Bind to the directory using the provided password.
3. If both steps are successful, proceed to the authorization phase. Otherwise, Ensemble
Controller rejects the login.

Using the Directory for Authorization

You can specify either of these authorization methods to determine the directory structure and
schema:
l memberOf or isMemberOf
l advaUserGroups

memberOf or isMemberOf
The directory group membership method to specify a directory structure applies after you
select the Authorization Attribute memberOf or isMemberOf. The selected attribute uses
directory groups to represent the security group membership of Ensemble Controller users.
You must first create a set of directory groups that correspond to the Ensemble Controller
security group names. Then, ensure that you add the individual directory users as members of
these groups.
This sample directory structure illustrates a hierarchy of users and groups specific to Ensemble
Controller (ENC).

Ensemble Controller R15.3 Administrator Manual - Issue: A 465

Hardware or Software Support and
Adtran
Compatibilities

Figure 22: Example of a memberOf Directory Structure

l The Search Base shows the parent node for the user entries where the system begins to
search.
l The Group Base shows the parent node for the security groups.

memberOf User Entry Example

This example illustrates a user entry that shows various groups for the memberOf attribute. The
bold text in this example shows the defined Group Base and the security group names that are
based on the shown directory structure in Figure 22.

To define group membership, in the directory, populate distinguished name (DN) values of
group members in the group members attribute. This multi-valued attribute provides forward
pointers to the group member entries. Each individual user entry has a memberOf attribute. This
attribute contains backpointers to the distinguished names of the groups that the user is a
member of. Because of the general nature of directories, user entries can be a member of
many different directory groups.
You use a group base setting to identify the set of directory groups that is relevant for Ensemble
Controller, and the directory groups prune the memberOf values to identify this specific set.

Ensemble Controller R15.3 Administrator Manual - Issue: A 466

Hardware or Software Support and
Adtran
Compatibilities

advaUserGroups
The advaUserGroups method identifies the set of security group names that belong in a
directory. The directory uses a simple directory attribute of a previously-authenticated user
entry. First you must select the Authorization Attribute advaUserGroups.
To use this approach, you must extend the directory schema and populate the values for each
individual user who wants access to Ensemble Controller.
This sample directory structure illustrates a hierarchy of users.
Figure 23: Example of an advaUserGroups Directory Structure

The Search Base shows the parent node for the user entries where the system begins the
search.
advaUserGroups User Entry Example
This example illustrates how to update an existing directory entry with values for the
advaUserGroups attribute that match the user to pre-existing Administrator and Configurator
groups. You must correctly and individually configure this attribute for each directory user who
requires access to Ensemble Controller.

Ensemble Controller R15.3 Administrator Manual - Issue: A 467

Adtran Hardware or Software Support and Compatibilities

Specific LDAP Server Properties

Each of the three servers has specific properties that Ensemble Controller uses to connect to them, shown in the next table. After you edit these
server-specific properties, edit the Advanced Server Properties.

1st Server Properties 2nd Server Properties 3rd Server Properties Description

com.adva.fnm.option. com.adva.fnm.option. com.adva.fnm.option. Specifies the server IP address or host

ldaphost1 ldaphost2 ldaphost3 name.

com.adva.fnm.option. com.adva.fnm.option. com.adva.fnm.option. Specifies the port that the server listens to.
ldapport1 ldapport2 ldapport3 The default is 389.

com.adva.fnm.option. com.adva.fnm.option. com.adva.fnm.option. Specifies the port that the server listens to.
ldaptimeout1 ldaptimeout2 ldaptimeout3 The default is 389.
Note: This timeout, in addition to the
timeouts that you can set for the other
LDAP servers, must be less than or equal to
60 seconds.

com.adva.fnm.option. com.adva.fnm.option. com.adva.fnm.option. Specifies the security protocol, either

ldapsecprot1 ldapsecprot2 ldapsecprot3 StartTLS or LDAPS, that secures the
connection to the LDAP server and relates
to the selected port.

For detailed instructions about these properties, see these related topics:
l Configuring Access to the LDAP Server
l Configuring the LDAP Server Timeout
l Changing the Default Security Protocol

Ensemble Controller R15.3 Administrator Manual - Issue: A 468

Adtran Hardware or Software Support and Compatibilities

Advanced Server Properties

You can use certain Ensemble Controller (ENC) settings to customize LDAP interaction behavior. You can also use these settings to manage some
variation in the directory tree structure and schema that customer deployments use. These settings and your specific LDAP installation must be
compatible.
This table describes the properties that you need to edit to use LDAP authentication, in addition to the Specific LDAP Server Properties . For general
information about how to edit the fnm.properties file, Editing the fnm.properties File.

Name Property Description

Search User com.adva.fnm.option. Specifies the distinguished name of a node within the directory information tree (DIT). This
ldapsearchuser node corresponds to an account that has sufficient permissions. The system uses this
account to connect to the LDAP server and search for users. The system also uses this
account with the same shared secret password that you specify for all three servers. For
information about how to specify the secret passwords, see Setting Authentication
Parameters.

Validate com.adva.fnm.option. Specifies whether the system should validate the LDAP server certificates. The default value
Certificate ldapvalidatecertificate is false, which disables certificate validation.
l Before you enable the certificate, you must import certificates from each server. Also
import any available public key infrastructure root or subordinate certificates into the
keystores of all Ensemble Controller systems. For information about how to import
certificates, see Generating a Certificate Signing Request and Signing the Certificate
Externally, especially Steps 6 to 8.

l After the imported certificates expire, you can no longer log in to your Ensemble
Controller Client.

l You need to import certificates only if you enable this property.

Search Base com.adva.fnm.option. Specifies the distinguished name of the node within the DIT, where the search for users
ldapsearchbase should begin. If you do not set this property, the system starts the search from the overall
directory root.

Ensemble Controller R15.3 Administrator Manual - Issue: A 469

Adtran Hardware or Software Support and Compatibilities

Name Property Description

User Object com.adva.fnm.option. Specifies the name of the directory-schema object class that provides user information.
Class ldapuserobjectclass The system uses this property to find the user entry within the directory. The default value is
user. You can use these values or any other valid class name:

l For the Active Directory, use the default value user.

l For other LDAP servers, change the value to person.

User Object com.adva.fnm.option. Specifies the name of the directory-schema object category that provides user information.
Category ldapuserobjectcategory The system uses this property to find the user entry within the directory. By default, this
property contains no value, which disables it.

l If you use the Active Directory, we recommend that you enable this property to optimize
the user entry search. Specify person as the value.

l For other LDAP servers or standard LDAP directories, leave the property disabled, with no
value.

l If you add a value to this property, the system uses the value to form the object category
filter. The system uses this property for the search only if you add a value.

Login Attribute com.adva.fnm.option. Specifies the name of the directory-schema attribute that provides the username value.
ldaploginattribute When the system searches for an equivalent username to the user entry in the directory, the
system uses this property.
The default value is sAMAccountName. You can use these values or any other valid attribute
name:

l For the Active Directory, use the default value sAMAccountName.

l For other LDAP servers, change the value to uid.

Ensemble Controller R15.3 Administrator Manual - Issue: A 470

Adtran Hardware or Software Support and Compatibilities

Name Property Description

Authorization com.adva.fnm.option. Specifies the name of the directory-schema attribute that the system uses for
Attribute ldapauthorizationattribute authorization. The default value is memberOf, which the system also uses if you specify an
invalid attribute. You can use these values for a case-insensitive attribute:

l memberOf or isMemberOf: The system uses directory groups to represent the security
group membership of Ensemble Controller users.

l advaUserGroups: The system uses a simple directory attribute of a previously

authenticated user entry. The purpose is to identify the set of security group names that
the user should belong to.

Group Base com.adva.fnm.option. Specifies the distinguished name of a node. This node is one level above the specific
ldapgroupbase directory groups for the Ensemble Controller authorization within the DIT. You must set this
property after you select memberOf or isMemberOf for the Authorization Attribute. If you do
not set this property, the system responds to these settings as a misconfiguration. You must
correct the mismatch, and then the system will permit any remote user to log in to
Ensemble Controller.

Group Name com.adva.fnm.option. Specifies a string that identifies ENC-specific groups. This identification occurs if both ENC
Prefix ldapgroupnameprefix groups and non-ENC groups are combined within the directory subtree that the Group Base
property defines. If the group base directory subtree stores only ENC security group
definitions, the default, you can omit using a group name prefix.

To add a group name prefix to differentiate ENC groups from those maintained for other
applications, be aware that the group names in the directory must consist of the prefix plus
the ENC security group name, for example, aENC01Administrator. During the process, the
software removes the prefix to match the user to the Administrator ENC security group.

You can also use the string to identify multiple ENC instances in one directory. For example,
define
l One set of group names for the ENC01 system using the group name prefix = aENC01.
l A second set of group names for the ENC02 system using the group name prefix =
aENC02.

Ensemble Controller R15.3 Administrator Manual - Issue: A 471

Hardware or Software Support and
Adtran
Compatibilities

Backup Options
com.adva.fnm.option.databasebackupfilesnumber
This parameter specifies how many database backup files to create. To comply with high-
availability functionality, the software stores the last database backup file in these two file
copies:
l dbfnm.sql
l dbfnm_time_stamp.sql

Heartbeat on Alarm NBI

This option causes Ensemble Controller (ENC) to create the regular event <Heart Beat>
configurable for different northbound interfaces (CSV, SNMP and MTOSI) to indicate that the
Ensemble Controller Server is still up and running.
These parameters are available:
l com.adva.fnm.option.HeartBeatInterval
This parameter sends an event to all interfaces that you did not configure, such as CSV, SNMP,
and MTOSI.
l com.adva.fnm.option.HeartBeatInterval.CSV_NBI
This property specifies the rate that the system uses to sendt the <Heart Beat> event only to
the CSV alarm NBI described in the Integration Manual.
l com.adva.fnm.option.HeartBeatInterval.SNMP_NBI
This property specifies the rate that the system uses to send the <Heart Beat> event only to
the SNMP alarm NBI described in the Integration Manual.
l com.adva.fnm.option.HeartBeatInterval.MTOSI_NBI
This property specifies the rate that the system uses to send the <Heart Beat> event only to
the MTOSI alarm NBI described in the Integration Manual.

For the relevant parameter to be specified, enter the time between two heart beat events in
seconds. Range is 5 to 360 seconds with a default of 300.

Disk Space Monitoring Options

Make sure to restart the server for any property changes to take effect.

com.adva.fnm.option.diskSpaceLowThreshold
Use this parameter to configure the initial low-disk-space monitoring threshold. The parameter
specifies the available disk space percentage that raises the corresponding Disk Space Low
alarm if the percentage decreases. See the User Manual, Disk Space LOW.
A default value of 30 percent in the fnm.properties file defines this property. If you configure an
illegal value such as invalid syntax, out of range, or less than or equal to the Disk Space Critical
Threshold value, Ensemble Controller logs the misconfiguration and uses the default value.

Ensemble Controller R15.3 Administrator Manual - Issue: A 472

Hardware or Software Support and
Adtran
Compatibilities

The syntax is an unsigned integer that indicates a percentage of 0 to 99. Specify a value of zero
to disable the threshold alarm.

com.adva.fnm.option.diskSpaceCriticalThreshold
Use this parameter to configure the critical low-disk-space monitoring threshold. This
parameter specifies the available disk space percentage that raises the corresponding Disk
Space Critical alarm if the percentage decreases. See the User Manual, Disk Space CRITICAL.
A default value of 15 percent in the fnm.properties file defines this property. If you configure an
illegal value such as invalid syntax, out of range, or greater than or equal to the Disk Space Low
Threshold value, Ensemble Controller logs the misconfiguration and uses the default value.
The syntax is an unsigned integer that indicates a percentage of 0 to 99. Specify a value of zero
to disable the threshold alarm.

com.adva.fnm.option.diskSpacePollingFrequency
Use this this parameter to configure the frequency of when the software should verify the
available disk space. This parameter specifies the number of hours between polls for available
disk space.
A default value of 24 hours in the fnm.properties setting defines this property. If you configure an
illegal value such as invalid syntax or out of range, Ensemble Controller logs the
misconfiguration and uses the default.
The syntax is an unsigned integer of 1 to 168 hours. Specify a value of zero to disable disk space
monitoring.

Ensemble Sync Director Options

These are the Ensemble Sync Director options, formerly known as Sync Manager options.

com.adva.nlms.mediation.synchronization.discovery.Sy
ncDiscoveryQueueSize
This property specifies the synchronization-discovery message-queue size. That is the number
of network-related events, which the synchronization-discovery layer must handle to update
the synchronization topology.
If the managed network is very big or experiences many changes in configuration or operation
in a short time, then the queue increases. If the queue is exhausted, this slows down the server
responsiveness, and thus the graphical user interface also works more slowly.
To avoid this issue, for XL systems of about 50,000 network equivalents or more, we recommend
to increase the default value of 10,000 up to 100,000. This results in more Java virtual-machine
(JVM) memory usage in the server process.

Ensemble Controller R15.3 Administrator Manual - Issue: A 473

Hardware or Software Support and
Adtran
Compatibilities

com.adva.nlms.mediation.synchronization.ncd.auto.alig
n.with.subnet
With this property enabled (set to true), the NCD structure in the Synchronization tree pane
aligns with the subnetwork structure in the Networks tree pane. For more information about NCD
structure alignment, see the Synchronization Management Guide, Aligning the NCD Structure
with the Subnetwork Structure.

com.adva.nlms.mediation.synchronization.ncd.auto.alig
n.with.subnet.separator
This property specifies the separator used in the name of a newly created NCD due to structure
alignment. For more information about NCD structure alignment, see the Synchronization
Management Guide, Aligning the NCD Structure with the Subnetwork Structure.

com.adva.nlms.mediation.synchronization.snt.telemetry
.tls.option
This property specifies whether the system uses the TLS option to connect to the devices during
the streaming telemetry collection. This setting applies to all devices supported by Quality
Compliance functionality. To enable TLS option, set the value of this property to tls. The default is
no tls.

com.adva.fnm.option.syncNetGraph.maxNEsForLayout
This property specifies the maximum number of network elements for which PTP Hierarchy,
SyncE Hierarchy, and Hybrid Hierarchy options are still available in the layout list. By default, a
maximum of 50 network elements are supported on these layouts.

Health Center Properties

This section describes properties that you can use to change default settings for the Health
Center window. For information about the Health Center window, see the User Manual, Viewing
the Server Health Performance.

com.adva.fnm.option.HealthCenter.SampleRateInMinutes 475
com.adva.fnm.option.HealthCenter.ViewRefreshPeriodInSec 475
com.adva.fnm.option.HealthCenter.GaugeMonitoredHours 475
com.adva.fnm.option.HealthCenter.DBRetentionDays 475
CPU Thresholds 475
Memory Thresholds 476
Disk Thresholds 477

Ensemble Controller R15.3 Administrator Manual - Issue: A 474

Hardware or Software Support and
Adtran
Compatibilities

com.adva.fnm.option.HealthCenter.SampleRateInMinutes
This property specifies the health center sampling rate in minutes. You can specify a value
between 1 and 60. The default is 1.

com.adva.fnm.option.HealthCenter.ViewRefreshPeriodInSec
This property specifies the health center refresh period in seconds. You can specify a value
between 60 and 3600. The default is 300.

com.adva.fnm.option.HealthCenter.GaugeMonitoredHours
This property specifies the health center gauge monitor hours (last x hours). You can specify a
value between 1 and 23. The default is 1.

com.adva.fnm.option.HealthCenter.DBRetentionDays
This property specifies the database retention days. Any data older than the specified property
value will Ensemble Controller automatically delete. You can specify a value between 30 and
365. The default is 120.

CPU Thresholds
com.adva.fnm.option.HealthCenter.CpuUtilizationThreshold 475
com.adva.fnm.option.HealthCenter.CpuDegradedThreshold 475
com.adva.fnm.option.HealthCenter.CpuUnhealthyThreshold 475

com.adva.fnm.option.HealthCenter.CpuUtilizationThreshold
This property specifies the CPU utilization threshold in % to determine whether the CPU sample is
healthy. You can specify a value between 0 and 100. The default is 85.

com.adva.fnm.option.HealthCenter.CpuDegradedThreshold
This property specifies the high threshold in % for the rate of good CPU samples out of all
samples for each observed period. If this rate of good samples and all samples is below the
high threshold but still above the low threshold, the CPU is considered degraded for the
measured period. Default observed periods display in a gauge for the last 60 minutes and in a
chart for the last 30 days in the Ensemble Controller Health Center. You can specify a threshold
value between 15 and 99. The default is 70. For more information about Health Center, see the
User Manual.

com.adva.fnm.option.HealthCenter.CpuUnhealthyThreshold
This property specifies the low threshold in % for the rate of good CPU samples out of all
samples for each observed period. If this rate of good samples and all samples is below the low
threshold, the CPU is considered unhealthy for the measured period. Default observed periods
display in a gauge for the last 60 minutes and in a chart for the last 30 days in the Ensemble
Controller Health Center. You can specify a threshold value between 0 and 84. The default is 30.
For more information about Health Center, see the User Manual.

Ensemble Controller R15.3 Administrator Manual - Issue: A 475

Hardware or Software Support and
Adtran
Compatibilities

The specified value must be at least 15 points below the value you specified for
the CPU degraded threshold. If not, Ensemble Controller automatically sets the
value to exactly 15 points below the degraded threshold.

Memory Thresholds
com.adva.fnm.option.HealthCenter.PhysicalMemoryUtilizationThreshold 476
com.adva.fnm.option.HealthCenter.SwapMemoryUtilizationThreshold 476
com.adva.fnm.option.HealthCenter.PageVsPhysicalMemoryThreshold 476
com.adva.fnm.option.HealthCenter.MemoryDegradedThreshold 476
com.adva.fnm.option.HealthCenter.MemoryUnhealthyThreshold 476

com.adva.fnm.option.HealthCenter.PhysicalMemoryUtilizationThreshold
This property specifies the physical memory utilization threshold in % to determine whether the
memory sample is healthy along with other conditions such as the Swap Memory Utilization
and the Page Vs Physical Memory rate. You can specify a value between 0 and 100. The default
is 85.

com.adva.fnm.option.HealthCenter.SwapMemoryUtilizationThreshold
This property specifies the swap memory utilization threshold in % to determine whether each
memory sample is healthy along with other conditions such as the Swap Memory Utilization
and the Page Vs Physical Memory rate. You can specify a value between 0 and 100. The default
is 85.

com.adva.fnm.option.HealthCenter.PageVsPhysicalMemoryThreshold
This property specifies the page against physical memory rate threshold in % to determine
whether each memory sample is healthy along with other conditions such as the Swap Memory
and the Physical Memory Utilization. You can specify a value between 0 and 100. The default is
20.

com.adva.fnm.option.HealthCenter.MemoryDegradedThreshold
This property specifies the high threshold in % for the rate of good memory samples out of all
samples for each observed period. If this rate of good samples and all samples is below the
high threshold but still above the low threshold, the memory is considered degraded for the
measured period. Default observed periods display in a gauge for the last 60 minutes and in a
chart for the last 30 days in the Ensemble Controller Health Center. You can specify a threshold
value between 15 and 99. The default is 70. For more information about Health Center, see the
User Manual.

com.adva.fnm.option.HealthCenter.MemoryUnhealthyThreshold
This property specifies the low threshold in % for the rate of good memory samples out of all
samples for each observed period. If this rate of good samples and all samples is below the low
threshold, the memory is considered unhealthy for the measured period. Default observed
periods display in a gauge for the last 60 minutes and in a chart for the last 30 days in the
Ensemble Controller Health Center. You can specify a value between 0 and 84. The default is 30.
For more information about Health Center, see the User Manual.

Ensemble Controller R15.3 Administrator Manual - Issue: A 476

Hardware or Software Support and
Adtran
Compatibilities

The specified value must be at least 15 points below the value you specified for
the memory degraded threshold. If not, Ensemble Controller automatically
sets the value to exactly 15 points below the degraded threshold.

Disk Thresholds
com.adva.fnm.option.HealthCenter.WindowsMonitoredDiskPartitions
This property specifies the Windows disk partitions to be monitored. Type comma-separated
strings, for example: c,d
For each taken sample, Ensemble Controller displays the health information for the disk or
partition experiencing the lowest values. The default is c.

com.adva.fnm.option.HealthCenter.LinuxMonitoredDiskPartitions
This property specifies the Linux disk partitions to be monitored. Type comma-separated
strings, for example: /,/opt/adva
For each taken sample, Ensemble Controller displays the health information for the disk or
partition experiencing the lowest values. The default is /,/opt/adva,/var/lib/docker.

com.adva.fnm.option.HealthCenter.DiskDegradedThreshold
This property specifies the high free-disk threshold in %. If the average free disk utilization (%) for
the observed period is below this threshold but still above the low threshold, the disk is
considered degraded. You can specify a value between 15 and 99. The default is 30.

com.adva.fnm.option.HealthCenter.DiskUnhealthyThreshold
This property specifies the low free-disk threshold in %. If the average free disk utilization (%) for
the observed period is below this threshold, the disk is considered unhealthy. You can specify a
value between 0 and 84. The default is 15.

The specified value must be at least 15 points below the value you specified for
the disk degraded threshold. If not, Ensemble Controller automatically sets the
value to exactly 15 points below the degraded threshold.

Embedded License Server Options

com.adva.fnm.option.flexeraServer.ipaddress
This parameter specifies the IP address of the main Embedded License Server, and is by default
disabled. Write the IP address in uniform resource identifier (URI) format:
<protocol>://<IPaddress>:<port>
If you specify only the <IPaddress> without the <protocol> or the <port>, Ensemble Controller uses
the default values that is, https for <protocol> and 7071 for <port>. For more information about
the default values, see Supported Communication Ports.

com.adva.fnm.option.backupFlexeraServer.ipaddress
This parameter specifies the IP address of a second Embedded License Server that operates as
a backup server. It is disabled by default. Write the IP address in URI format:
<protocol>://<address>:<port>

Ensemble Controller R15.3 Administrator Manual - Issue: A 477

Hardware or Software Support and
Adtran
Compatibilities

If you specify only the <IPaddress> without the <protocol> or the <port>, Ensemble Controller uses
the default values that is, https for <protocol> and 7071 for <port>. For more information about
the default values, see Supported Communication Ports.

com.adva.fnm.option.elsgui.ipaddress
This property specifies the main license server GUI URL. A default browser will be used to open
the ELS GUI URL of the main license server. The format of this property is: [https://]<host>[:<port>].
If you specify a URL without the protocol, then the default protocol is https://. Also if you do not
specify a port, the default port for secure access is 8444. For more information about the
default port values, see Supported Communication Ports. The overall default URL for this
property is https://127.0.0.1:8444.

com.adva.fnm.option.backupElsgui.ipaddress
This property specifies the backup license server GUI URL. A default browser will be used to open
the ELS GUI URL of the backup license server. The format of this property is: [https://]<host>
[:<port>]. By default this property is disabled (empty URL). If you specify a URL without the
protocol, then the default protocol is https://. Also if you do not specify a port, the default port for
secure access is 8444. For more information about the default port values, see Supported
Communication Ports.

com.adva.fnm.option.flexeraServer.pollingInterval
This parameter specifies the polling interval in seconds between the Ensemble Controller and
the Embedded License Server. You can select a value in the range of 30 to 300 seconds. If you
specify a value that is out of that range, Ensemble Controller uses the default value of 60
seconds.
This property is not included in the fnm.properties file. You must add it if you want to use it.

com.adva.fnm.option.flexeraServer.timeout
This parameter specifies the time in milliseconds after which Ensemble Controller notifies about
connection issues to the Embedded License Server. The default value is 5000 milliseconds.
This property is not included in the fnm.properties file. You must add it if you want to use it.

com.adva.fnm.option.flexeraServer.hostidprefix
This property specifies an optional prefix that you can specify. The system combines this prefix
with a server-generated suffix to form the complete Flexera host-ID value for the Ensemble
Controller installation.
The default prefix value is enc that the system uses even if the property is not present in the
fnm.properties file. If you do not want a prefix, type "" as the value.
Comply with these format rules to specify the prefix:
l A printable string of up to 32 characters.
l Unicode characters are permitted, except hyphen ("-") and space (" ").

If the defined prefix violates any of the formatting rules, then the system uses the default prefix
enc in software without further notice.

Ensemble Controller R15.3 Administrator Manual - Issue: A 478

Hardware or Software Support and
Adtran
Compatibilities

Any change to this property affects the overall host ID assigned to the Ensemble Controller
instance. After a server restart, the changes take effect and result in releasing all licenses that
you acquired against the old host ID followed by a re-acquisition against the new host ID.

com.adva.opt.flexera.requestLicenses
This property specifies the set of feature licenses that you want the system to acquire. The
system always acquires basic licenses or the equivalent chain regardlessly of this property.
Comply with these format rules to specify the feature licenses:
l A string that contains comma-delimited feature license names.
Use this option if you have multiple Ensemble Controller installations using a common
Embedded License Server. It will allow you to control the feature licenses that each Ensemble
Controller is to request individually.
l If you specify *, the system will request licenses for all licensed capabilities and will be bound
by the available set of licenses on the Embedded License Server. You can use this option
when your Ensemble Controller is the only client of the Embedded License Server.
l If you specify no string value, the system will NOT acquire feature licenses.

As an example, this property value allows the system to request the licenses for the Ensemble
Optical Director, the Bandwidth Manager, which you will need to use all features of Optical
Director, and also Ensemble Fiber Director:
com.adva.opt.flexera.requestLicenses=ENC-EOD,ENC-BWM,ENC-EFD
This property is not included in the fnm.properties file. You must add it if you want to change the
default value *, which the system always uses independently from whether this property is
present in the fnm.properties file. In advanced customer environments with Embedded License
Server license pooling, we recommend to set this property on each Ensemble Controller Server.
This list shows the complete set of supported feature license names that you can use with this
property:
l ENC-BWM
l ENC-CBM
l ENC-CRYPTO
l ENC-EFD
l ENC-EOD
l ENC-EPD
l ENC-ESAMG
l ENC-ESAMP
l ENC-ESD
l ENC-HA-STD
l ENC-HA-STREAM
l ENC-MTOSI
l ENC-SDN-PRESTO
l ENC-SDN-TAPI

Ensemble Controller R15.3 Administrator Manual - Issue: A 479

Hardware or Software Support and
Adtran
Compatibilities

Graphical User Interface Options

com.adva.fnm.option.server_welcome_text
This property is used to specify a welcome message to be displayed in the login dialog box.

com.adva.fnm.option.server_postLogonText
This property is used to specify a post-login message to be displayed after you log in to the
Ensemble Controller (ENC) Client. See Post-Login Dialog Box Message for more information.

com.adva.fnm.option.date_format
This property enables to customize the format of how the date is presented wherever it appears
in the graphical user interface of the Ensemble Controller Client.
This table provides some examples of date formats that are possible. However, you can specify
your own format by using these predefined characters:
l YY - year
l MM - month
l dd - day

Format Date Example

YYYY-MM-dd 2014-07-21

dd.MM.YY 21.07.14

dd MMM YY 21 Jul 14

dd MMM YYYY 21 Jul 2014

M/d/YY 7/21/14

MM/d/YY 07/21/14

MM/d/YYY 07/21/2014

Browser-Related Properties
This section describes properties that you can use to specify secure or insecure CLI shell clients,
also for individual network elements, web browsers, or PDF viewers.

com.adva.fnm.security.CLI_[WINDOWS|LINUX] 481
com.adva.fnm.security.ssh.CLI_[WINDOWS|LINUX] 481
com.adva.fnm.option.useCLIOverTelnet 481

Ensemble Controller R15.3 Administrator Manual - Issue: A 480

Hardware or Software Support and
Adtran
Compatibilities

com.adva.fnm.security.browser_[WINDOWS|LINUX] 482
com.adva.fnm.security.pdf_[WINDOWS|LINUX] 482

com.adva.fnm.security.CLI_[WINDOWS|LINUX]
This property predefines the configuration of an insecure shell client such as Telnet. Each
operating system (OS) that Ensemble Controller supports, has a dedicated property to launch
the relevant network element command line interface:
l Windows: com.adva.fnm.security.CLI_WINDOWS=cmd /K start telnet
l Linux: com.adva.fnm.security.CLI_LINUX=/usr/bin/xterm -e
/usr/kerberos/bin/telnet

These properties are by default disabled. After you enable them, as described in Configuring CLI
Launch Commands, the specified, corresponding command values display as predefined
values in the respective Insecure Shell Path field in the Browsers window. The Browsers window is
opened from the application bar user menu, User Settings.
In the Browsers window, you can change the predefined settings for a shell client as described
in the User Manual, Procedure to Specify Browsers, and the system does no longer take the
settings from the fnm.properties file into account. The settings that you specify in the Browsers
window take priority.

com.adva.fnm.security.ssh.CLI_[WINDOWS|LINUX]
This property predefines the configuration of a secure shell client such as PuTTY. Each operating
system (OS) that Ensemble Controller supports, has a dedicated property to launch the
relevant network element command line interface:
l Windows: com.adva.fnm.security.ssh.CLI_WINDOWS=C:\\Program Files
(x86)\\PuTTY\\putty.exe
l Linux: com.adva.fnm.security.ssh.CLI_LINUX=/usr/bin/xterm -e
/usr/kerberos/bin/putty

These properties are by default disabled. After you enable them, as described in Configuring
CLI Launch Commands, the specified, corresponding command values display as predefined
values in the respective Secure Shell (SSH) Path field in the Browsers window. You open the
Browsers window from the application bar user menu, User Settings.
In the Browsers window, you can change the predefined settings for a shell client as described
in the User Manual, Procedure to Specify Browsers, and the system does no longer take the
settings from the fnm.properties file into account. The settings that you specify in the Browsers
window take priority.

com.adva.fnm.option.useCLIOverTelnet
This property specifies the devices that use the insecure Telnet client when they access the
command line interface. By default, there are no devices listed. Multiple devices can be
specified separated by commas.
These device values are supported:

Ensemble Controller R15.3 Administrator Manual - Issue: A 481

Hardware or Software Support and
Adtran
Compatibilities

l ALM
l FSP_1500 series
l FSP_150CC series
l FSP_150CC_T series
l FSP_150CM/CP
l FSP_150CP/MX
l FSP_150EGM series
l FSP_150EGX
l FSP_3000C
l FSP_3000R7
l FSP_ProVM series
l FSP_XG/GE series
l HN4000/HN400 series
l JUNIPER_MX series
l OSA series

For value details about specific variants of a device series, see the NE Type field on the device, or
the ne.versions file in the Ensemble Controller installation directory.

com.adva.fnm.security.browser_[WINDOWS|LINUX]
This property predefines the configuration of a browser such as the Internet Explorer. Each
operating system (OS) that Ensemble Controller supports, has a dedicated property to launch
the relevant network element browser:
l Windows: com.adva.fnm.security.browser_WINDOWS=C:\\Program
Files\\Internet Explorer\\iexplore.exe
l Linux: com.adva.fnm.security.browser_LINUX=

These properties are by default disabled. After you enable them, the specified, corresponding
command values display as predefined values in the respective Web Browser Path field in the
Browsers window. You open the Browsers window from the application bar user menu, User
Settings.
In the Browsers window, you can change the predefined settings for a web browser as
described in the User Manual, Procedure to Specify Browsers, and the system does no longer
take the settings from the fnm.properties file into account. The settings that you specify in the
Browsers window take priority.

com.adva.fnm.security.pdf_[WINDOWS|LINUX]
This property predefines the configuration of a PDF viewer such as Adobe Reader. Each
operating system (OS) that Ensemble Controller supports, has a dedicated property to launch
the relevant network element PDF:

Ensemble Controller R15.3 Administrator Manual - Issue: A 482

Hardware or Software Support and
Adtran
Compatibilities

l Windows: com.adva.fnm.security.pdf_WINDOWS=C:\\Program Files

(x86)\\Adobe\\Reader 10.0\\Reader\\AcroRd32.exe
l Linux: com.adva.fnm.security.pdf_LINUX=

These properties are by default disabled. After you enable them, the specified, corresponding
command values display as predefined values in the respective PDF Viewer Path field in the
Browsers window. You open the Browsers window from the application bar user menu, User
Settings.
In the Browsers window, you can change the predefined settings for a PDF viewer as described
in the User Manual, Procedure to Specify Browsers, and the system does no longer take the
settings from the fnm.properties file into account. The settings that you specify in the Browsers
window take priority.

com.adva.fnm.option.maxMapLabelLength
This property specifies the maximum number of characters that can be used for the network
element (NE) names in the map pane. By default, a maximum of 100 characters are supported.
Should the specified maximum number of characters be exceeded, then the NE name ends
with three dots. For example, if the property has been set to 5 and the NE name is “EGX-123” then
the name displayed in the map pane is "EGX-1…".

com.adva.fnm.security.auto_logout_user_disable
If you configured the auto-logout feature and you are inactive for some minutes, Ensemble
Controller will log you out automatically.
This property specifies the users who Ensemble Controller is NOT to consider for the auto-logout
feature, and therefore does not automatically log these users out.
To specify the users, type the case-sensitive user names behind the equal sign and separate
them by commas, for example:
com.adva.fnm.security.auto_logout_user_
disable=Admin,admin,User01,user02

High Availability Options

com.adva.fnm.ssl.knownHosts
This parameter specifies the name of the file containing the list of known SFTP hosts on the
primary server. The factory default name and location is .ssh/known_hosts.

com.adva.fnm.option.automaticSwitchover
This parameter regulates whether the secondary Ensemble Controller Server automatically
changes to master mode when it cannot connect to the primary server that currently runs in
master mode.

Ensemble Controller R15.3 Administrator Manual - Issue: A 483

Hardware or Software Support and
Adtran
Compatibilities

If the high-availability configured servers lose connection to each other, the

Ensemble Controller status bar (see Server Status) indicates the respective
status with a delay of one minute after the servers lost connection.

If you set this parameter to enabled, automatic switchover will take place. The factory default
setting is disabled.

com.adva.nlms.mediation.ha-stream.automatic-
switchover
This property specifies whether the system automatically takes care of switchovers. This setting
must be the same on all cluster members. If not, a configuration error occurs and the system
behavior is undefined.
If you change this property, you do not need to restart the Ensemble Controller Server to take
effect. It might cause an unnecessary switchover.
l If you set this property to enabled:
o The system will monitor faults and raise alarms for these where possible.
o The system will react automatically to detected faults and, if necessary, will attempt to
change the standby to become the primary if the current primary experiences an outage
or loses quorum.

l If you set this property to disabled:

o The system will monitor faults and raise alarms for these where possible.
o The system will NOT automatically react to detected faults and will NOT attempt to
change the standby to become the primary if the current primary experiences an outage
or loses quorum.
o The system will respond to a manual switchover request if you decide that a switchover is
needed.
o If you detect that the expected primary experiences an outage, manually perform a
switchover to the standby as described in Initiating a Server Work Mode Switchover.

com.adva.fnm.option.slavePolling
If polling for example performance monitoring polling is allowed in slave mode, this property is
used to specify polling to be 'enabled' or 'disabled'. By default it is disabled.

com.adva.fnm.ssl.keyfile
This parameter specifies the location and name of the private key file for connecting to an SFTP
on the primary server. The value .ssh/id_rsa stated in this property is an example.
Optionally, a password can be specified related to this private key file. To do so, see the property
com.adva.fnm.ssl.passphrase.

Ensemble Controller R15.3 Administrator Manual - Issue: A 484

Hardware or Software Support and
Adtran
Compatibilities

com.adva.fnm.ssl.passphrase
This parameter specifies a passphrase that protects the private key used for the Ensemble
Controller Server SSH or SFTP connections.
Encrypt this property value using the obfuscate_ssl_password script. This script is obfuscate_
ssl_password.sh for Unix and obfuscate_ssl_password.bat for Windows. The script is
located in the <installation>/bin directory.
To populate the property value:
1. Execute the obfuscate_ssl_password script. When prompted, type in the passphrase that
protects the private key, such as mypassphrase. The script output should be similar to
Encrypted password:t61arUIkx8+Y3SJkc66qYA==
2. Use the generated encrypted string as the property value, for example,
com.adva.fnm.ssl.passphrase=t61arUIkx8+Y3SJkc66qYA==

com.adva.fnm.option.afterSwitchoverSecondaryScript=/
opt/usr/bin/secondary.sh
In Linux, this parameter points to the script that the system executes after this node changed to
the slave state.

Internal Options
You typically do not modify internal options unless the Adtran Technical Services advise you to
do so.

com.adva.fnm.option.recalculateCounter
Use this parameter to enable event counter recalculation on server startup by typing true. After
the server has started, you must reset this parameter to false, which disables the function.

com.adva.nlms.mediation.evtProc.maxEventQueueSize
This parameter specifies the maximum number of events, which are queued for processing.
When this number is reached, all events are discarded.

Properties for Handling Event Processing Suspension

To keep the server responsive in case of a high trap rate, the processing is suspended based on
the processing queue level. There are three stages:
Stage 1: blocking of most chatty NE live traps
Stage 2: blocking of live and regenerated traps of most chatty traps
Stage 3: blocking of all traps
These settings specify the upper and lower thresholds of the three protection stages (in
percent):

Ensemble Controller R15.3 Administrator Manual - Issue: A 485

Hardware or Software Support and
Adtran
Compatibilities

l com.adva.nlms.mediation.evtProc.EventQueueThresholdsStage1=50,30
l com.adva.nlms.mediation.evtProc.EventQueueThresholdsStage2=60,40
l com.adva.nlms.mediation.evtProc.EventQueueThresholdsStage3=70,50

This setting defines the suspend/resume interval for protection stages 1 and 2 (in seconds):
l com.adva.nlms.mediation.evtProc.EventQueueSuspendResumeInterval=30,10

This setting defines the ratio of affected NEs for suppression during protection stages 1 and 2 (in
percent):
l com.adva.nlms.mediation.evtProc.EventQueueSuspendedRatio=30

Properties for Handling Trap Flood Detection

The trap flood detection feature is used to detect trap floods per NE. An alarm is raised if the
number of traps exceeds the given threshold values. The alarm is cleared if the flood does not
exist anymore.
These properties allow to enable or disable the feature and to adjust the threshold values:
l # if SNMP trap flood mechanism is enabled (default value = true)
com.adva.nlms.mediation.evtProc.TrapFloodDetectorEnabled=true
l # number of traps per second which is considered as trap flood
com.adva.nlms.mediation.evtProc.TrapFloodSampleThreshold=5
l # Length of sample period in seconds
com.adva.nlms.mediation.evtProc.TrapFloodSamplePeriodTime=10
l # Number of consecutive sample periods
com.adva.nlms.mediation.evtProc.TrapFloodSamplePeriodAmount=18

The detector only considers live traps (detection type = TRP). It supervises the number of traps
for each NE separately over a couple of sample periods.
Upon expiry of the sample period timer (TrapFloodSamplePeriodTime) the detector checks
whether a flood condition now exists or not anymore and raises/clears the flood alarm.
A flood condition exists if the threshold (TrapFloodSampleThreshold) is exceeded in x
consecutive sample periods (x = TrapFloodSamplePeriodAmount – 1). A flood condition does
not exist anymore if the threshold is exceeded in less than x sample periods (x =
TrapFloodSamplePeriodAmount / 2).

com.adva.nlms.mediation.event.maxEventLogSize
This setting specifies the maximum event log size. The default value is 200,000.
If needed you can increase this value up to 999,999. However, any value above 500,000 could
cause the Ensemble Controller to have temporary problems in displaying new events. It can
happen at the time when the Ensemble Controller starts to delete old events to bring the
number below the specified threshold.

Ensemble Controller R15.3 Administrator Manual - Issue: A 486

Hardware or Software Support and
Adtran
Compatibilities

Properties for Setting NBI Alarm or Event Filters

These properties specify the severities for the alarms and events that you want Ensemble
Controller to filter out for either of these northbound interfaces (NBIs):

NBI Property for ...

SNMP Alarms: com.adva.nlms.mediation.event.SnmpNbiAlarmFilter

Events: com.adva.nlms.mediation.event.SnmpNbiEventFilter

CSV Alarms: com.adva.nlms.mediation.event.CsvNbiAlarmFilter

Events: com.adva.nlms.mediation.event.CsvNbiEventFilter

For information about the Ensemble Controller NBIs, see the Integration Manual.
This table lists the supported severity values:

Severity Description – The system reports:

Value

CR A critical event.

MJ A major event.

MN A minor event.

WN A warning event.

I An informational event.

To use this property, type the severity values as these examples show:
l com.adva.nlms.mediation.event.SnmpNbiAlarmFilter=Severity[I]
–or–
l com.adva.nlms.mediation.event.CsvNbiAlarmFilter=Severity[WN,I]

For information about how to change the default or currently assigned severity and type for
events in Ensemble Controller, see the User Manual, Setting Event Type and Severities.

com.adva.nlms.mediation.event.initCSVLogOnStartup
After you enable this property, the system writes all standing alarms to the event CSV file each
time the Ensemble Controller Server (ENC Server) restarts. The content of the CSV rows are
largely similar to the alarms when they are initially written to the eventlog.csv file, with these
exceptions:

Ensemble Controller R15.3 Administrator Manual - Issue: A 487

Hardware or Software Support and
Adtran
Compatibilities

l The Update field has a new value of INIT signifying that these rows were written due to the
Ensemble Controller re-initialization. This will allow the OSS to have absolute knowledge that
these are the only alarms of which the Ensemble Controller is aware and will allow it to
determine alarms it that it needs to add, and also alarms that it needs to delete from its view.
l Because this feature is governed by an enabled/disabled flag, there is no backwards
compatibility impact from the new field value.
l The Ack field will contain a reflection of whether the alarm was acknowledged in the
Ensemble Controller or not.
l All other fields will contain values as per the time that the alarm was last emitted or updated
by the Ensemble Controller.

com.adva.nlms.mediation.event.CSVLogLineBreakAtEOL
This parameter is by default set to no, which locates the insertion of the line break at the start-
of-line. Changing it to yes locates the insertion of the line break at the end-of-line.

com.adva.nlms.mediation.event.syncAlarmsListenerPort
This parameter specifies the port that is used by an OSS client to trigger the alarm NBI
synchronization. The function is disabled if there is no port specified.

com.adva.nlms.mediation.event.notification.allowExtern
alScripts
When set to true, the Notification Manager runs any configured external script based on the
settings of the enabled Notification Manager Script check box and Command field. For
information about the Notification Manager, see the User Manual. By default, the parameter is
set to false that is, the Notification Manager skips running of any configured external script. Then
the Command field and Script check box are disabled.

When set to true, this feature allows running a custom script on the server
when it receives certain events. You can configure any command that run
regardless of user security level. Consider the security implications if you
enable this feature.

com.adva.fnm.option.hideFAMDetails
When set to true, this parameter disables the ribbon menu option of the Fiber Assurance tab
allowing to view measurement details about the fingerprint or fault analysis. By default, the
parameter is set to false that is, the menu option is enabled (made available).

com.adva.fnm.option.trapsink.aging
When Ensemble Controller discovers a network element, the system uses the keep alive polling
(KAP) feature to automatically register the Ensemble Controller Client (ENC Client) IP address in
the trapsink table of that network element. For more information about trapsink aging, see the
User Manual.
Use this property to:

Ensemble Controller R15.3 Administrator Manual - Issue: A 488

Hardware or Software Support and
Adtran
Compatibilities

l Define how long the network element must keep the ENC Client IP address in thetrapsink table
before the network element automatically removes it.
If Ensemble Controller sends requests to the network element during the time that you set,
the time counting restarts and the IP address retention time extends in the network element
trapsink table.
l Disable the automatic trapsink registration.

These are the supported property values:

Value Value Name Description

Number

0 trapsink disabled Type 0 behind the property equal sign to disable

trapsink registration.
After you disable trapsink registration:
l It applies to all network element types that
Ensemble Controller discovers from that moment.
l You can no longer disable the Automatic Trapsink
Re-Registering feature.

1 duration1hour(1) Type 1 behind the property equal sign to specify that

the network element must keep the trapsink table
entry for 1 hour.

2 duration1day(2) The default value, which defines that the network

element must keep the trapsink table entry for 1 day.

3 duration3days(3) Type 3 behind the property equal sign to specify that

the network element must keep the trapsink table
entry for 3 days.

4 duration1week(4) Type 4 behind the property equal sign to specify that

the network element must keep the trapsink table
entry for 1 week.

5 duration1month(5) Type 5 behind the property equal sign to specify that

the network element must keep the trapsink table
entry for 1 month.

6 unlimited(6) Type 6 behind the property equal sign to specify that

the network element never removes the trapsink table
entry.

Consider these limitations if you change the property value:

l If you change the value, it takes effect only for newly discovered network elements. However,
the FSP 3000 C shows an exception to this rule for value number 6. If you change to 6, it
applies to already discovered and newly discovered FSP 3000 C network elements.
l These property values are designed for FSP 3000R7 network elements. If you change the value
to anything between 1 and 5, other network elements interpret them only as value number 6.

Ensemble Controller R15.3 Administrator Manual - Issue: A 489

Hardware or Software Support and
Adtran
Compatibilities

com.adva.unsupported.ne.versions.check.enabled
This property specifies whether the Unsupported Versions tab is available in the tab pane, and
thus the feature. See User Manual.
If the property is set to true, Ensemble Controller recognizes unsupported network elements that
it discovers, and then raises a respective alarm. The property is by default set to false, and thus
the tab with its feature disabled. For this property to take effect if you change it, you must restart
the Ensemble Controller Server as described in Starting the Ensemble Controller Server.

Miscellaneous Options
com.adva.fnm.option.disableClientUpdates
This parameter controls the behavior of the client updater. When set to true, the client updater
is disabled and does not inform you about updates. In this scenario, the updater does not verify
the server version, and the software starts the installed client. You can therefore use an existing
GUI with a patched server. By default, this parameter is set to false with the client updater
enabled.

com.adva.fnm.option.iphostnameenabled
Ensemble Controller supports the fully qualified IP hostname for every network element as a
separate data field. You can edit this field for a selected network element in the Overview tab,
Identity area. This field, however, initializes with the host name that the software retrieves from a
reverse hostname lookup, which is OS-dependant. This process occurs on the Ensemble
Controller Server host. If the reverse lookup process fails, the hostname field remains empty,
even if you specify a host name when you add the network element to Ensemble Controller.
Only web-based craft interfaces, on an external web browser, use the hostname field. This
property sets the use of the host name. If set to true, ENC uses the host name, and if set to false
ENC does not use the host name.

com.adva.nlms.mediation.report.NeCountInventoryThre
shold
This parameter specifies the network-element threshold number for a single inventory report. If
the report shows a threshold that exceeds the specified value, a message displays to warn you.
The message includes a request for you to proceed or cancel the report generation. The default
threshold value is 200.

com.adva.nlms.mediation.report.AlarmCountThreshold
This parameter specifies the number of alarms threshold for a single fault/security report. If the
report shows a threshold number that exceeds the set value, a message displays to warn you.
The message includes a request for you to proceed or cancel the report generation. The default
threshold value is 3000.

Ensemble Controller R15.3 Administrator Manual - Issue: A 490

Hardware or Software Support and
Adtran
Compatibilities

com.adva.fnm.option.CSVSeparator
This property specifies the character that separates column values. By default, Ensemble
Controller uses the pipe "|" character. Alarm or event log files are unaffected by any character
definition through this property because these log files do not use this property.

com.adva.nlms.mediation.report.keptfilesnumber
This property specifies the total number of scheduled CSV report files for each report type that
the system will store in filesystem locations. If the total number of reports exceeds the set value,
the oldest report is deleted. The default is four CSV report files.

com.adva.nlms.mediation.report.keptfilesnumber.manu
al
This property specifies the total number of manual CSV report files for each report type that the
system will store in filesystem locations. If the total number of reports exceeds the set value, the
oldest report is deleted. This property is disabled by default (0).

com.adva.nlms.mediation.report.performance.PmReport
PagesLimit
This parameter specifies the number-of-pages threshold value for a single
performance/service performance report. The default is 1000 pages. The software first verifies
the threshold number before the process generates the report. If this number exceeds the
threshold value, the software does not generate a report.

com.adva.nlms.mediation.report.reportExternalStorage
If you set this property to true, the report process considers external file storage paths when the
software generates reports.
For each type of report, such as an inventory report, service inventory report, and other reports,
you must specify a different path. Add this path immediately after the
...reportExternalStorage property. After the software generates the report, the software
stores the report in the location you specify.
The paths are organized into interactive (manual) reports and scheduled reports. This figure
displays the property with the respective paths (unspecified) that the reports extract from the
fnm.properties file.

Ensemble Controller R15.3 Administrator Manual - Issue: A 491

Hardware or Software Support and
Adtran
Compatibilities

Consider these aspects when you specify paths:

l Make sure that access permissions do not restrict the specified paths.
l After an upgrade, previous reports do not migrate to the new location. You must maintain or
migrate these reports manually.
l The report process considers the property and specified paths for scheduled reports by
using the aging or deletion function of CSV reports.
Manual reports do not use this process, and you must manually clean the data in these files.
l Make sure that you maintain or update the fnm.properties file on all servers, including the
high availability (HA) servers.
l If you encounter errors, for example a path is missing or inaccessible because of permissions,
the software generates an error message and displays manual reports. For scheduled
reports, an event that displays on the appropriate event screen points to the encountered
error.

com.adva.nlms.mediation.report.sync.performance.devi
ce.types
This property specifies which device types should be included in the sync performance report.
By default, a sync performance report covers these network elements:
l OSA 5401
l OSA 5405-I
l OSA 5405-MB
l OSA 5405-O
l OSA 5405-P

Ensemble Controller R15.3 Administrator Manual - Issue: A 492

Hardware or Software Support and
Adtran
Compatibilities

l OSA 5410
l OSA 5411
l OSA 5412
l OSA 5420
l OSA 5421
l OSA 5422
l OSA 5430
l OSA 5440
l OSA SoftSync

If you want to reduce the list of device types included in the report, add this property to the
fnm.properties file and type comma seperated list of device types as its value. You can only
enter device types from the above list.

com.adva.nlms.mediation.report.suffix
This property specifies the suffix of the automatic reports file name. The suffix has format "_
text_%version". For example, if you type com.adva.nlms.mediation.report.suffix=report1A, the
report file will have this name: <report name>_report1A_ENC_xx.x.x. The text in this property can
contain only:
l These alphanumeric characters: a to z; A to Z; 0 to 9.
l These special characters: “.” and “_”. No other special characters are allowed.

This property is not added to the fnm.properties file automatically. To use this property, you
need to add it manually to the file.

com.adva.nlms.mediation.neResources.csv.NE_
RESOURCES_REGULAR_REPORT_FILE_PATTERN
This parameter specifies the name of a resource report. The default name is Resource_%DATE_
TIME%.csv.

com.adva.nlms.mediation.neResources.csv.NE_
RESOURCES_REGULAR_REPORT_DAYS_TO_RETAIN_FILES
This parameter specifies the number of days the system will retain a resource report. The
default value is 10 days.

com.adva.nlms.mediation.neResources.csv.NE_
RESOURCES_REGULAR_REPORT_MAX_FILE_SIZE
This parameter specifies the maximum file size of a resource report. The default value is 50 MB.

Ensemble Controller R15.3 Administrator Manual - Issue: A 493

Hardware or Software Support and
Adtran
Compatibilities

com.adva.nlms.mediation.CSV_FILE_TRANSFER
If you set this property to yes, these CSV files transfer to a secure file-transfer protocol (SFTP)
server:
l Inventory Report
l Performance Monitoring Reports (see CSV Performance NBI)
l Ensemble Sync Director Reports:
o PTP Remote Slaves Report
o Sync Topology Report
o Sync Performance Report

For more information about these reports, see the Integration Manual. For information about
how to configure the SFTP server, see the Integration Manual, Enabling the CSV File Transfer.

com.adva.nlms.mediation.sm.prov.cp.CP_POLICY_
PROXY_NODES_IP
This property specifies one or more proxy node IP addresses. To add IPv4 addresses, use this
format separated by commas: A.B.C.D,E.F.G.H,W.X.Y.Z
You can apply the control plane policy only to proxy nodes that run software version 16.1.1 or
later.

com.adva.nlms.mediation.sm.prov.cp.waitForMonitorEq
ualizationTimeInSecs
This property specifies the time in seconds that Ensemble Optical Director must wait after you
initiate an action before the system monitors equalization. The default is 2 seconds.

com.adva.nlms.mediation.sm.prov.cp.waitForEqualizatio
nTimeInSecs
This property specifies the maximum time in seconds required to complete equalization on the
device. The default is 900 seconds. The software uses this property when you provision a
service. Wait until the creation of the service and equalization complete before you modify any
ports in use.

com.adva.nlms.mediation.sm.prov.cp.LOCKED_LINKS_
ENABLED
This parameter specifies whether locked links display in the GUI and whether you can reset
them. The parameter has these values:
l true - enables the locked links display and reset feature.
l false (default) - disables the locked links display and reset feature.

Ensemble Controller R15.3 Administrator Manual - Issue: A 494

Hardware or Software Support and
Adtran
Compatibilities

For hardware release 12. 1, first enable this parameter before any initial discovery of any FSP
3000R7 network elements. If you enable this property after discovery of these network elements,
the software will not recognize the locked links.

com.adva.nlms.mediation.sm.prov.cp.UseCPRestForPreP
athComputation
If you set this parameter to 'yes', the system uses the CP REST interface to compute possible
working and protection paths during service creation. A table displays the paths, and you can
select the most applicable path. The default parameter is enabled.

com.adva.nlms.mediation.sm.prov.cp.MaxNumberOfCo
mputedPaths
This parameter specifies the number of paths that display in the table of possible paths
computed by control plane through the CP REST interface during service creation. By default,
the interface sets five paths.

com.adva.nlms.mediation.sm.DigitalSignalSuffix
This property specifies the suffix that the software adds to the top-level service connection
name. The property applies to explored, provisioned, and tracked services. If you enable the
property, the top-level service connection inherits the service object name and adds the
specified suffix.

The maximum length of the service name including the suffix must be 1000
characters or less.

For more information, see the WDM Management Guide, Service Name Propagation to the
Client-Facing Connectivity.

com.adva.nlms.mediation.sm.EthernetDigitalSignalSuffix
This property specifies the suffix that the software adds to the top-level service connection
name. The property applies to Ethernet-tracked services. If you enable the property, the top-
level service connection inherits the service object name and adds the specified suffix.

The maximum length of the service name including the suffix must be 1000
characters or less.

For more information, see the Packet Management Guide, Ethernet Tracked Services Name
Propagation to the Top-Layer Connection.

Ensemble Controller R15.3 Administrator Manual - Issue: A 495

Hardware or Software Support and
Adtran
Compatibilities

com.adva.nlms.mediation.sm.ServiceNameTemplate
This property specifies the string pattern that Ensemble Controller uses to create the service
names, and then displays the pattern in the tree pane Services tab. For more information about
how to edit the property, see the property description in the fnm.properties file. For general
information about service names, see the WDM Management Guide, Service Naming.

com.adva.nlms.common.visual.BANDWIDTH_USAGE_
[LOW|HIGH]
This parameter specifies the number-of-links threshold for bandwidth usage. The threshold
values are:
l low = 1% to 25% (com.adva.nlms.common.visual.BANDWIDTH_USAGE_LOW=25)
l normal = 26% to 74%
l high = 75% to 99% (com.adva.nlms.common.visual.BANDWIDTH_USAGE_HIGH=75)
l full = 100%

com.adva.nlms.mediation.ethNEConfig.maxTemplateSiz
eInKB
This parameter specifies the maximum template size in KB. The default template size is 1024 KB.

com.adva.nlms.mediation.config.fsp_
r7.useAdvaSpecificSerialNumbers
If you set this property to 'true', the premise of the Ensemble Controller is that all FSP 3000R7
serial numbers start with 'LBADVA' instead of 'FA'.
The software updates all serial numbers upon server startup.

com.adva.nlms.mediation.config.shelfLocationInfoSetta
ble
If you set this parameter to true, the physical shelf location that you can define in the Overview
tab, Identity area, correlates to the respective network element. The reverse is also true. That is, if
you change the shelf location property on the NE, this information also changes on Ensemble
Controller.

com.adva.nlms.mediation.sm.prov.ni.controller
This parameter specifies whether the Network Intelligence (NI) Controller is enabled (true) or
disabled (false).

Properties for Managing Pro-Vision

To enable and then start Pro-Vision in your web browser, set these properties to true:

Ensemble Controller R15.3 Administrator Manual - Issue: A 496

Hardware or Software Support and
Adtran
Compatibilities

l com.adva.nlms.sdn.enabled
l com.adva.nlms.mediation.pv.startModule

com.adva.fnm.option.UseSnmpForRest
This property specifies whether changed SNMPv3 login credentials — the user name and
password — overwrite any specified HTTP, HTTPS, or REST credentials for FSP 3000R7 network
elements. If you do not change the SNMPv3 credentials, the specified credentials for HTTP, HTTPS,
or REST remain valid. By default, the property is set to true, and thus enabled.
The SNMPv3 login credentials change reflects in:
l The Overview tab for an individual FSP 3000R7 network element.
l The Overview tab for the Network root if it contains FSP 3000R7 network elements.
l The Centralized Control Plane for the FSP 3000R7 network elements that the control plane
manages.

com.adva.fnm.option.UseSFTPFileTransfer.device.types
For a secure transfer protocol, ENC uses SCP if the network element supports it. For devices that
do not support SCP, ENC transfers files using SFTP. Use this property to specify the devices and
versions that will use SFTP instead of SCP by default.
Example:
com.adva.fnm.option.UseSFTPFileTransfer.device.types = OSA 5420:10.5, OSA 5422, OSA 5412
In this example ENC would use SFTP for OSA 5412, 5422, and for OSA 5420 version 10.5 or later (e.g.
10.6 or 11.1).

To avoid issues with unsecure old versions of SFTP use this property with the
latest currently installed version of the element. You can skip the version if the
element is new enough that it never used the outdated SFTP - not even in its
first software version.

Oscillating Events Suppression Options

These options configure suppression of oscillating events.
Sometimes an event “oscillates”, that is, it is raised repeatedly. Depending on the oscillating
event suppression settings, the Ensemble Controller Server can ignore these events. The
settings are:
l The oscillating events soak period.
l The oscillating events blocking period.

com.adva.fnm.option.disableLoggingPeriod
If the Ensemble Controller Server receives the same event three times within the number of
seconds specified by this parameter (soak period), further logging of that event is inhibited. The
factory default value is 10 seconds.

Ensemble Controller R15.3 Administrator Manual - Issue: A 497

Hardware or Software Support and
Adtran
Compatibilities

com.adva.fnm.option.enableLoggingPeriod
Logging of the inhibited event is enabled again when Ensemble Controller Server has not
received the particular event for the number of seconds specified by this parameter (blocking
period). The factory default value is 60 seconds.

com.adva.nlms.medation.config.dyingGaspDisabled.dev
ice.types
If a network element sends dying gasp notifications, it alerts that it is about to restart, reset or
otherwise go down. These notifications help service technicians to already exclude issues such
as circuit or hardware failures, and thus narrow down the search for the issue.
However, you can disable these dying gasp notifications for the network elements that you
specify.
1. Behind the property equal sign, type the relevant network element string IDs. Seperate them
through commas, for example:
[...]config.dyingGaspDisabled.device.types=FSP 150CC-XG210,FSP 150-GE102Pro-H
2. Restart the Ensemble Controller Server as described in Verifying Services in Windows and
Verifying Services in Linux.
After the Ensemble Controller Server restarts, the property change takes effect only for newly
discovered network elements. The network elements that the system already discovered
remain unaffected by this property change.
The Message Pane shows relevant messages if the system disables dying gasp notifications
for certain network elements.

Password Change Action Manager Options

This option allows the created password change action (PCA) log file to be sent to the email
address specified. The entry is defined as follows:

com.adva.fnm.option.pcaLogReceiver=<email_address>
Enter the email address where the newly created log file will be sent.

com.adva.fnm.option.pcaMaxThreadCount
This property specifies the maximum PCA threads.

Performance Monitoring Options

com.adva.nlms.mediation.performance.CSVvalidTime
This parameter specifies how many days the system preserves CSV performance report files
before it deletes them. The parameter becomes inoperative, when you disable the recurring
action Performance Data Export (Short Term) and Sync Performance Report.

Ensemble Controller R15.3 Administrator Manual - Issue: A 498

Hardware or Software Support and
Adtran
Compatibilities

For more information about the file handling of performance reports, see the Integration
Manual.

com.adva.nlms.mediation.neComm.150ccSnmpDelay
This parameter specifies how long of a delay (in milliseconds) is to be allowed between
performance monitoring requests for FSP 150CC devices.

Qualitiy Compliance Options

Specify these parameters to set up the Sync Quality Compliance Report.

com.adva.nlms.mediation.performance.CSVvalidTime
This parameter specifies how many days the system preserves the report files before it deletes
them. The parameter becomes inoperative, when you disable the recurring action Sync Quality
Compliance Report.

com.adva.nlms.mediation.report.sync.quality.complianc
e.clock.ref
This parameter specifies the clock reference for the Sync Quality Compliance Report. These are
the valid values:
l SystemClock
l PTP
l NTP

If you specify a non-valid value, the system uses the default SystemClock.

com.adva.nlms.mediation.report.sync.quality.complianc
e.threshold.degraded.ns
This parameter specifies the degraded threshold in nanoseconds. It must be bigger than zero
and smaller than the failed threshold. If the offset of the selected clock reference, for a specific
NE is bigger than this value over the report time range, but is never bigger than Failed threshold,
the report Compliance status for this NE is Degraded.

com.adva.nlms.mediation.report.sync.quality.complianc
e.threshold.failed.ns
This parameter specifies the failed threshold in nanoseconds. It must be bigger than the
degraded threshold. If the offset of the selected clock reference, for a specific NE is bigger than
this value over the report time range, the report Compliance status for this NE is Failed.

Ensemble Controller R15.3 Administrator Manual - Issue: A 499

Hardware or Software Support and
Adtran
Compatibilities

Rapid Term Monitoring (RTM)

Rapid Term Monitoring is a newer metric-collection mechanism that is used to monitor and
assess the overall health of the Ensemble Controller. Compared to self-monitoring, RTM
monitors application and system attributes at a shorter interval called the rapid term interval.
You can start and stop RTM from the Ensemble Controller GUI or CLI, compared to the short-
term and long-term options of self-monitoring.
To set up RTM, configure these parameters.

com.adva.fnm.mediation.monitoring.rapidTermInterval
Set the rapid term interval to any integer between 1 and 299 seconds. If invalid values are
entered, including alphabetical strings, the default value of 2 seconds is used.

com.adva.fnm.mediation.monitoring.rapidStartAtSyste
mStartUp
If you wish to start RTM at system startup, set the above property to ‘true’. By default, RTM does
not start at system startup. RTM is started and stopped manually after the data is collected. If
the server restarts when RTM is running, RTM will not restart automatically. Only one instance of
RTM is allowed to run at a given time.

Deletion of Log Files

Ensemble Controller deletes old log files according to these rules:
l Rapid monitoring log files are rolled at startup or when the size of the files exceeds the
maximum value configured in log4j2.xml. Afterwards, the backup index of the files get
increased by one. When the backup index of a file exceeds the maximum value configured in
log4j2.xml, this file gets deleted.
l NE-related log files older than 5 days are deleted. Hence we recommend that you save NE
logs in a separate folder, if you wish to keep them for future reference.

Retrieving Monitoring Data

The resulting RTM data are stored in /var/monitoring under the Ensemble Controller installation
directory:
l rapidTerm.csv
o Application data values that are configured for rapid term monitoring.
l rapidTermNE_<NE-name>.csv
o Network element-related data configured for rapid term monitoring.

The maximum file size and maximum backup index of the rapid monitoring csv files are
configured using log4j2.xml.

Ensemble Controller R15.3 Administrator Manual - Issue: A 500

Hardware or Software Support and
Adtran
Compatibilities

At the start of every rapid monitoring session, the csv files are rolled over (rapidTerm.csv
becomes rapidTerm.csv.1, rapidTerm.csv.1 becomes rapidMonitoring.csv.2,..,
rapidMonitoring.csv.max gets deleted). This occurs even if the current log file has not reached
the maximum file size, since new configuration will lead to different headers in log files.

Specifying Monitored Attributes

A configuration file, stored in monitoringConfig/rapidTerm under the Ensemble Controller
installation directory, contain the parameters that RTM monitors. It specifies the application,
system, and NE-related parameters to monitor and is read only when rapid term monitoring is
started.
l Application attributes are variables of the Ensemble Controller Server modules such as
performance, polling, persistence, NE communication, configuration, event processing,
events, and server.
l System attributes are parameters of the Java VM such as Hot Spot Diagnostic, Class Loading,
Memory, Code Cache Manager, Code Cache, PS Eden Space, PS Old Gen, PS Perm Gen, PS
Survivor Space, operating system, runtime, threading, and logging.
l The number of timeouts can be monitored per NE.

You can either use the default configuration file or customize it as follows:
1. Navigate to this folder:
ENC Installation Directory\monitoringConfig\rapidTerm
2. Modify the defaultRapidTerm.properties file as follows:
l Add each new attribute you wish to monitor in separate row.
l To exclude an attribute from monitoring, place a “#” in the beginning of the row.
3. If you wish to monitor NE attributes, add the corresponding network element names to this
file:
ENC Installation Directory\monitoringConfig\monitoredNEList\rapid.properties
4. Restart the Ensemble Controller Server.

Triggering RTM
Use one of these applications to trigger RTM:

Windows CLI Interface 501

Linux CLI Interface 502
Ensemble Controller GUI 502
nmsadmin Script 502

Windows CLI Interface

For Windows, run RTM from the Ensemble Controller installation directory using these CLI
commands:
1. To display the RTM state (activated or not), type this command:
jre\bin\java -jar lib\adva_tools.jar -rState

Ensemble Controller R15.3 Administrator Manual - Issue: A 501

Hardware or Software Support and
Adtran
Compatibilities

2. To start RTM, type this command:

jre\bin\java -jar lib\adva_tools.jar -rStart 1000
where 1000 in this example is the duration of rapid monitoring.
3. To stop RTM, type this command:
jre\bin\java -jar lib\adva_tools.jar -rStop

Linux CLI Interface

For Linux, run RTM from the Ensemble Controller installation directory using these CLI
commands:
1. To display the RTM state (activated or not), type this path including the command:
/opt/adva/share/jre/bin/java -jar /opt/adva/fsp_nm/lib/adva_tools.jar -
rState
Please ensure that you enter the path as one command. The same applies
to Step 2 and 3.

2. To start RTM for a specified duration, type this command:

/opt/adva/share/jre/bin/java -jar /opt/adva/fsp_nm/lib/adva_tools.jar -
rStart 1000
where 1000 in this example is the duration of rapid monitoring.
3. To stop RTM, type this command:
/opt/adva/share/jre/bin/java -jar /opt/adva/fsp_nm/lib/adva_tools.jar -
rStop

Ensemble Controller GUI

Complete these steps to run RTM from the Ensemble Controller GUI:
1. In the Ensemble Controller Settings, select System, and then Rapid Term Monitoring. The
Rapid Monitoring window opens.
2. Type the Duration in seconds, and then click Start. A message indicates rapid monitoring
activation.
3. Click OK to acknowledge the RTM start message. The Message Pane indicates that RTM was
collected.
4. If you wish to stop RTM before the monitoring duration elapses, in the Ensemble Controller
Settings, select System, and then Rapid Term Monitoring.
5. Click Stop in the resulting window.

nmsadmin Script
Complete these steps to run RTM using the nmsadmin script:

Ensemble Controller R15.3 Administrator Manual - Issue: A 502

Hardware or Software Support and
Adtran
Compatibilities

1. Run the nmsadmin script file located in the Ensemble Controller bin installation directory.

2. Type I to show the current RTM state.

3. Type N to start RTM, and then enter the RTM duration in the range of 1 to 3600 seconds. If the
maximum value is exceeded, a warning message displays.
4. Press Enter.
5. To stop RTM before the duration expires, type U, and then press Enter.

Scaling Options
com.adva.fnm.option.threadPoolSize
For each Ensemble Controller connected to the Ensemble Controller Server, a thread is
established. Each thread requires a certain amount of memory, and hence it is advisable to
limit the number of simultaneous threads allowed. This parameter specifies this number. The
factory default is 9.

com.adva.nlms.mediation.polling.MAX_RUNNING_
POLLING_TASKS
Ensemble Controller is configured to poll Network Elements at regular intervals. The number of
simultaneous polling actions must be in accordance with the DCN capacity, and is specified by
this parameter. The factory default value is 10.

com.adva.nlms.mediation.performance.watchdog.olp
Setting this parameter to 'true', the system will automatically stop the performance monitoring
collection if these limits for performance monitoring objects (PMOs) have been exceeded:

Ensemble Controller R15.3 Administrator Manual - Issue: A 503

Hardware or Software Support and
Adtran
Compatibilities

l com.adva.nlms.mediation.performance.watchdog.max15minPmo=50000
This property specifies the maximum number of PMOs for the short term interval.
l com.adva.nlms.mediation.performance.watchdog.max24minPmo=200000
This property specifies the maximum number of PMOs for the long term interval.

When these limits have been exceeded, an alarm is raised and PM data is no longer collected.
To resume PM collection, decrease the number of subnetworks to which PM templates are
assigned and restart the server.

Security Options
com.adva.fnm.option.FallbackNEUserID
This property specifies the user name that relates to the randomly created fallback password.
An acceptable user name must conform to character rules. The rules differ according to the
network-element type and any configured security policies. For FSP 3000R7 network elements,
the fallback user name must:
l Have 4 to 10 characters.
l Contain only these alphanumeric characters: a to z; A to Z; 0 to 9.
l Contain only these special characters: “.” and “_”. No other special characters are allowed.

Use this fallback password to access a network element if an interruption occurs to the
Ensemble Controller (ENC) connection. You can also use the fallback password if a failure
occurs when you request administrative user rights on the network element.
For more information about how to request or grant administrative user rights on network
elements, see Granting Temporary Admin User Rights on Network Elements.

com.adva.fnm.option.FallbackPasswordManagement
If you set this property to 'true', you enable the NE-fallback user-password management tool.
Additionally you must specify the property com.adva.fnm.option.FallbackNEUserID. By default,
the management tool is disabled, that is set to false.
The NE-fallback password management tool manages the password of the fallback user (the
user of "last resort") for each individual network element.

com.adva.fnm.option.SSOviaFBP
If you set this property to 'true', you enable the Establishing an SSO Connection Using Fallback
Passwords. You must also specify the property com.adva.fnm.option.FallbackNEUserID. By
default, SSO connection through fallback password is disabled (set to 'false').

com.adva.fnm.option.SSOviaAHA
If you set this property to 'true', you enable an SSO Connection through Ad Hoc Local NE Account.
See . By default, SSO connection through Ad Hoc Account is disabled (set to 'false').

Ensemble Controller R15.3 Administrator Manual - Issue: A 504

Hardware or Software Support and
Adtran
Compatibilities

com.adva.fnm.option.ssoDisabled.device.types
This property permanently disables an SSO connection for specified NE types. For more
information about how to specify NE types, see .

com.adva.fnm.option.maxFtpPasswordLength
This property controls the maximum length of the ftp server passwords. The default value is 64
characters, which is also the maximum length that Ensemble Controller supports. With this
property you can limit the maximum password length to a value that is supported by all
devices installed in the network.

com.adva.fnm.security.authorization.aspect
This property enables/disables REST calls authorization on server side. By default, the property is
set to enabled.

Self-Monitoring
Self-Monitoring is a metric-collection mechanism that is used to monitor and assess the overall
health of the Ensemble Controller. If you suspect a problem with the Ensemble Controller, such
as slow system performance or high memory consumption, you can monitor application,
system, and network element attributes for these cases:
l short-term interval
l long-term interval
l “on demand”

You activate and deactivate short-term and long-term monitoring from the fnm.properties file.
Generally, you use long-term monitoring under normal conditions, while you use short-term
monitoring if you suspect a problem such as slow system performance.
“On demand” monitoring is activated by using the Ensemble Controller GUI or the nmsadmin
script. You can obtain a current snapshot of the system to analyze a known problem such as
slow system performance.

Specifying Monitored Attributes

Configuration files, one per each monitoring scheme, are located in the monitoringConfig
subfolder of the Ensemble Controller installation directory. They specify the application, system,
and NE-related parameters to monitor.
l Application attributes are variables of the Ensemble Controller Server modules such as
performance, polling, persistence, event processing, events, and server.
l System attributes are parameters of the Java VM such as operating system, memory,
threading, and logging.
l The number of timeouts can be monitored per NE.

You can either use the default configuration files or customize them as follows:

Ensemble Controller R15.3 Administrator Manual - Issue: A 505

Hardware or Software Support and
Adtran
Compatibilities

1. Navigate to the folder corresponding to a monitoring scheme you wish to use:

l ENC Installation Directory\monitoringConfig\longTerm
l ENC Installation Directory\monitoringConfig\shortTerm
l ENC Installation Directory\monitoringConfig\onDemand
2. Modify the corresponding .properties file as follows:
l Add each new attribute to a separate row.
l To exclude an attribute from monitoring, place a “#” in the beginning of the row.
l To monitor NE(s), add this attribute:
com.adva.nlms.mediation.neComm.SNMP4JConfiguration$SNMPAdapterInfoMBean.
getTimeoutsNoPerNE

3. Repeat Step 1 to Step 2 for each remaining monitoring scheme you will use.
4. If you wish to monitor network element attributes, add the corresponding network element
names to these files, depending on the monitoring scheme you will use:
ENC Installation Directory\monitoringConfig\monitoredNEList\onDemand.properties
ENC Installation Directory\monitoringConfig\monitoredNEList\periodical.properties
Use the periodical.properties file for short-term and long-term monitoring.

5. Restart the Ensemble Controller Server.

Triggering Self-Monitoring
The procedure to activate self-monitoring depends on the scheme you use:
l To trigger short-term or long-term monitoring, proceed to Activating Short-Term or Long-
Term Monitoring.
l To trigger “on demand” monitoring.

1. Proceed to Activating Short-Term or Long-Term Monitoring.

2. Next, proceed to either On-Demand Monitoring Using Ensemble Controller or On-Demand
Monitoring Using nmsadmin .

Activating Short-Term or Long-Term Monitoring

By default, both short- and long-term monitoring are disabled. When you activate either or both
schemes, you need to modify the corresponding time interval in the fnm.properties file.
Additionally, you need to modify either short- or long-term monitoring to use on-demand
monitoring.
1. To activate short-term monitoring, set this fnm.properties file attribute to 5, 10, 15, 20, 25, 30,
35, 40, 45, 50, 55, or 60 minutes.
com.adva.fnm.mediation.monitoring.shortTermInterval
If the value you set is invalid, including an alphabetical string, Ensemble Controller uses the
default value of 15 minutes as the short-term interval.
2. To activate long-term monitoring, set this fnm.properties file attribute to hours multiplied by
60 minutes, where hours is an integer from 0 to 24:
com.adva.fnm.mediation.monitoring.longTermInterval

Ensemble Controller R15.3 Administrator Manual - Issue: A 506

Hardware or Software Support and
Adtran
Compatibilities

For example, if the long-term interval is 10 hours, enter 600 (10 × 60). If the value you
configure is invalid, including an alphabetical string, Ensemble Controller uses the default
value of 1440 minutes (24 × 60) as the long-term interval.
3. Restart the Ensemble Controller Server to activate the new values.

On-Demand Monitoring Using Ensemble Controller

Execute this procedure to start on-demand monitoring using the Ensemble Controller GUI:

On-demand monitoring works only if short-term or long-term monitoring is

enabled. To enable short-term or long-term monitoring, see Activating Short-
Term or Long-Term Monitoring.

1. In the Ensemble Controller Settings, select System, and then Self-Monitoring Actions. A
window opens asking for confirmation.
2. Click Continue to start the monitoring. A Save window opens prompting you to select a
location to save the monitoring log.
3. Select the file name and location to save your results, and then click Save. A window opens
indicating the file name and location you just selected.
4. Press OK. The file you specified in Step 3 is populated with the monitoring results.

On-Demand Monitoring Using nmsadmin

Complete these steps to start on-demand monitoring using the nmsadmin script located in the
Ensemble Controller installation directory, bin folder.

On-demand monitoring works only if short-term or long-term monitoring is

enabled. To enable short-term or long-term monitoring, see Activating Short-
Term or Long-Term Monitoring.

1. Launch the nmsadmin script.

2. Type W to start on-demand monitoring, and then press Enter.
3. Type V to exit.

Retrieving Monitoring Data

The resulting monitoring data are stored in /var/monitoring under the Ensemble Controller
installation directory. These include:
l CSV monitoring logs such as shortTerm.csv, longTerm.csv and onDemand.csv files
l Thread dump log files resulting from “on demand” monitoring
l NE-related log files such as shortTermNE_<NE-name>.csv, longTermNE_<NE-name>.csv and
onDemandNE_<NE-name>.csv.NE-related log files such as shortTermNE_<NE-name>.csv,
longTermNE_<NE-name>.csv and onDemandNE_<NE-name>.csv.

Deletion of Log Files

Ensemble Controller deletes old log files according to these rules:

Ensemble Controller R15.3 Administrator Manual - Issue: A 507

Hardware or Software Support and
Adtran
Compatibilities

l Short-term and long-term monitoring logs are rolled at Ensemble Controller Server startup,
while “on demand” monitoring logs are rolled when you trigger “on demand” monitoring
again. The logs are also rolled when the file size exceeds the maximum value configured in
log4j2.xml. Afterwards, the backup index of the files get increased by one. When the backup
index of a file exceeds the maximum value configured in log4j2.xml, this file gets deleted.
l Once you remove an NE from the monitoring list(s), the Ensemble Controller deletes logs
associated with this NE. Hence we recommend that you save NE logs in a separate folder, if
you wish to keep them for future reference.

Server Access Options

Properties for Servers with Multiple IP Interfaces
If the Ensemble Controller Server (ENC Server) needs to interact with multiple IP interfaces, you
can use these properties to configure them:

Properties Description

com.adva.fnm.option.serverIP For communication from the

server to the client, and from the
server to the server.

com.adva.fnm.option.trapsink For SNMP trap registrations. The

property supports only IPv4
addresses or host names. Type a
trapsink IP address that faces
network elements.

com.adva.fnm.option.trapsinkport The port that the server uses for

SNMP trap notifications. The
default is 162. If you do not define a
port, the system uses the default.

com.adva.fnm.option.trapsink.ip6 For SNMP trap registrations. The

property supports only IPv6
addresses. Local link addresses
are not accepted.

com.adva.fnm.option.trapsink.IpValidationEnabled To enable the property, set it to

true. After you enable it, the system
validates the trapsink IPv4 and
IPv6 addresses to verify whether
they belong to the system. The
validation process takes place
during server restart.

Ensemble Controller R15.3 Administrator Manual - Issue: A 508

Hardware or Software Support and
Adtran
Compatibilities

Properties Description

com.adva.fnm.option.snmpProviderHost For Element Manager SNMP

communication. Type an IP
address that faces Ensemble
Controller Server clients.

com.adva.nlms.mediation.mtosi.hostName Displays in MTOSI responses.

com.adva.fnm.option.snmpNBISource You can configure Ensemble

Controller to transmit SNMP
northbound interface (NBI) traps. If
configured, the software reports
the source IP address that you
specify with this property as
varbind within the event.

For details about these properties and the requirements when specifying respective IP
addresses for each of them, see Configuring Multiple Network Interfaces.

com.adva.fnm.option.webserver.port
This property specifies the Jetty web server port that the Ensemble Controller Client uses. The
default port is set to 8080, which is commonly used for web services and which customer
firewalls should not block. By default, the client will try to connect to the ports 80, 8080 and 9000.
To disable (close) these ports so that the server can no longer connect to them, set the property
to none.

Recommendation:
If you set the property to none, we recommend that you adapt these tile server
properties to use https.
l com.adva.fnm.option.TileServerLayer.street=https:[...]
l com.adva.fnm.option.TileServerLayer.satellite=https:[...]

For information about map tile servers, see Installing the Local Geographical
Map-Tile Server in Linux.

com.adva.fnm.option.rest.securePort
This property specifies the port that the Jetty web server and the GUI use. The default port is set
to 8443. To disable (close) this port so that the server can no longer connect to it, set the
property to none.

com.adva.fnm.option.rest.securePortWithMutualAuth
This property specifies the port that server to server authentication uses based on certificates
(mutual authentication). The mutual authentication process allows for secure communication
between the various Ensemble Controller applications. The default value for this port is 9543.

Ensemble Controller R15.3 Administrator Manual - Issue: A 509

Hardware or Software Support and
Adtran
Compatibilities

com.adva.nlms.mediation.server.proxy.startModule
This parameter specifies whether the internal HTTP proxy is enabled (set to 'yes') or disabled (set
to 'no'). The proxy is by default disabled.

com.adva.nlms.mediation.server.proxy.port
This parameter specifies the port where the HTTP proxy is working. By default, port 9090 is used.

com.adva.nlms.mediation.http.client.certs.verification
This property specifies whether ENC mediation verifies the certifications of other servers during
HTTPS communication. The property is extended with server names. If the server name is set to
on, ENC mediation verifies the server certificate. If the server name is set to off, verification does
not happen. The server names are set to off by default. For more information, see Verifying
Certificates of other Servers.

Properties for Configuring the Java Messaging System

(JMS)
The Java messaging system is used to internally communicate events on the server and
between server and client. It is preconfigured and active upon Ensemble Controller installation.
As appropriate, the JMS. can be customized by using these properties:
l jms.transportProtocol
The transport protocol to communicate between the server and the JMS broker service.
These protocol options are available:
o nio1+ssl: With the release version 12.3, the default protocol including encryption in the
messaging system.
If you upgrade your Ensemble Controller version to 12.3 without
uninstalling the existing version, ensure that in the fnm.properties file, you
change the jms.transportProtocol from nio to nio+ssl.

To change to an unencrypted JMS transport, set these properties:

jms.transportProtocol=nio
jms.additional.args=
The jms.additional.args property must be empty if the transport protocol is nio.
o nio1: Before the release version 12.3, the default protocol in the messaging system.
o tcp: The alternative protocol in the messaging system. If the nio protocol causes any
installation or system problems, we recommend to use the tcp protocol.
o ssl: The alternative protocol for secure client-server connections. Only enable ssl if you
really need it. If you enable it and you experience any performance issues, revert to
nio+ssl.

1. nio stands for non-blocking input or output (I/O). It provides access to low-level I/O operations of modern operating
systems and directly uses the most efficient operations of the underlying platform.
Ensemble Controller R15.3 Administrator Manual - Issue: A 510
Hardware or Software Support and
Adtran
Compatibilities

l jms.additional.args
You can use additional arguments while the JMS connections establish.
l jms.url
The IP that the nms server, activemq, and the client uses for communication. The default
value is 0.0.0.0 unless the Ensemble Controller Server has more than one network interface, or
a specific network interface was needed for the server-client communication.
l jms.port
The port that the nms server, activemq, and the client uses for communication. Change this
property if you use the default port 33028.
l activemq.useJMX
Use this property to enable or disable the activemq-jmx communication for monitoring
purposes. The default value is true.
We recommend against setting this property to false. If you do so, the JMS does no longer use
the default activemq.jmx.port 33092 and therefore cannot monitor the health and
performance status of the ActiveMQ broker anymore. Instead, set the property to true and
use a firewall to block any external access to this port to warrant monitoring.
l activemq.jmx.port
The port that the broker uses to communicate with JMX. Change this property only if the
default port 33092 is in use. You can use the ActiveMQ settings to connect to port 33092 only
from the localhost. The system discards remote connections. You can use the firewall to hide
this port without influencing the Ensemble Controller operations.

com.adva.fnm.mediation.monitoring.commandLineInter
facePORT
The RMI port is used by the command line interface to trigger the Ensemble Controller
functionality.

com.adva.fnm.option.server_timeout
This property specifies the session idle time. The session idle time governs how many seconds
of inactivity is accepted from any connected Ensemble Controller session, before Ensemble
Controller automatically closes the client session. If the computer running the Ensemble
Controller Server is slow, or the Ensemble Controller database is very large, you can increase the
property value. The default setting is 300 seconds, which is 5 minutes.

com.adva.fnm.option.maxClientConnectionAlarmThresh
old
This property specifies the maximum number of clients that can be connected. If this number is
exceeded, an alarm is raised. The default value is 20.

com.adva.fnm.option.maxClientConnectionAllowed
This property specifies the maximum number of clients that can be connected. The default
value is 20.

Ensemble Controller R15.3 Administrator Manual - Issue: A 511

Hardware or Software Support and
Adtran
Compatibilities

For the Ensemble Controller Server the maximum number of clients that simultaneously can
access the Ensemble Controller depends on the server hardware. See the Dimensioning Guide
for details. The maximum allowed number is 75 clients.

TCA Monitoring Option

com.adva.nlms.mediation.thresholdCrossingAlert.tcaCle
arDelay=30
# Delay in seconds applied at the 15-minute boundary before TCA is raised
# during the previous 15-minute interval are cleared
This option sets the hold-off delay used by the TCA Monitoring feature, see the Packet
Management Guide for details. The default value is 30.

com.adva.nlms.mediation.thresholdCrossingAlert.tcaDet
ectionByParamId
A boolean property that indicates whether latency-related TCAs are detected using
'parameterId' value in internal events. If the value is set to 'false', 'newStringValue' property is
used to detect latency-related TCAs.

Error-free Output of Database

Validation Verification
Prior to upgrading the Ensemble Controller Server, we recommend that you perform database
consistency verification by using printDBInconsistenciesPostgres script provided in the
Salesforce Customer Portal.
This is the error-free output obtained from running the printDBInconsistenciesPostgres script.

======================================================================================
====
=
=
= SEARCHING FOR DB INCONSISTENCIES. PLEASE CONTACT TECH SUPPORT TEAM IF ANY ARE
FOUND! =
=
=
======================================================================================
====
Searching for not supported devices:
find_unsupported_devices
--------------------------

Ensemble Controller R15.3 Administrator Manual - Issue: A 512

Hardware or Software Support and
Adtran
Compatibilities

check_aps_group_inconsistecies
--------------------------------
======================================================================================
====
=
=
= SEARCHING FOR ORPHAN ENTITIES. FNM UPGRADE WILL FAIL IF THERE ARE ANY!
=
=
=
======================================================================================
====
check_entity_db_impl_relations
--------------------------------
check_cn_network_element_table
--------------------------------
find_entities_with_invalid_ne_reference
-----------------------------------------
check_mac_address_duplications
--------------------------------
=====================================================================================
Services on FSP3000 R7 nodes where the optical channels are missing network ptp
information:
check_fsp3000r7_services_missing_network_port_ptp
---------------------------------------------------
=====================================================================================
Services containing optical channels which are missing port or module information:
label | subchconn_id
-------+--------------
=====================================================================================
Services which are missing port or module information:
label | id
-------+----
=====================================================================================
Modules referencing services which do not exist:
name0 | aidstring | id
-------+-----------+----
=====================================================================================
List of duplicated aids:
ne_id | aidstring | count
-------+-----------+-------
=====================================================================================
Duplicate entities have such ids:
name0 | id | id
-------+----+----

Ensemble Controller R15.3 Administrator Manual - Issue: A 513

Hardware or Software Support and
Adtran
Compatibilities

Entities in cycle size 1 have such ids:

id
----
Entities in cycle size 2 have such ids:
id | id
----+----
Entities in cycle size 3 have such ids:
id | id | id
----+----+----
Entities in cycle size 4 have such ids:
id | id | id | id
----+----+----+----
Duplicated CC825 shapers:
ne_id | portindex | flowindex | qosindex
-------+-----------+-----------+----------
=====================================================================================
Fdfr ends without parent:
id | shortdescription
----+------------------
=====================================================================================
Duplicated PG Ports:
shortdescription | ne_id | count
------------------+-------+-------
=====================================================================================
Entities which have reference to non existent Network Element:
id | ne_id | shortdescription | jdoclass
----+-------+------------------+----------
=====================================================================================
List of Alarms associated to multiple Services:
source_ne | entity_description | moduletype_name | services
-----------+--------------------+-----------------+----------

Entity Index or AID Values

Ensemble Controller (ENC) generates unique access identifiers (AIDs) to identify its different
entities. An existing AID address is a well-formed address whose supporting entity (from an
addressing point of view) is assigned in the database.
These entities are then used in all types of reports and windows in which to view information
and configure Ensemble Controller.
For some devices, Ensemble Controller uses AID values, which directly come from the individual
network elements. This is especially true for FSP 3000R7 that is, Ensemble Controller uses the AID
that is provided by the SNMP interface of the FSP 3000R7 management software.

Ensemble Controller R15.3 Administrator Manual - Issue: A 514

Hardware or Software Support and
Adtran
Compatibilities

In general, this also applies to these devices, although there are select cases where Ensemble
Controller generates the AID values to ensure uniqueness, and thus the AIDs will differ from the
ones received from the network element SNMP interface:
l FSP 150EG-M
l FSP 150EG-X
l FSP 150-GE112
l FSP 150-GE114
l FSP 150-GE114S
l FSP 150CC-GE206V
l FSP 150CC-T1804
l FSP 150CC-T3204
l FSP 150-XG210
l FSP 150-XG116Pro
l FSP 150-XG116Pro-H
l FSP 150-XG120Pro
l FSP 150-XG120Pro-SH
l FSP 3000 C
l FSP 3000R7 - SH1PCS

Other Ethernet devices not listed have AID values that are defined in the Ensemble Controller
and generally do not match the AID values as defined on the device.
This section describes the AIDs that Ensemble Controller generates and uses for all supported
network element types. These are the product families:

FSP 150 516

GE11x/XG210 516
FSP 150CC 516
f825 517
GE20x/Txx04 517
FSP 150CM 518
FSP 150CP 518
FSP 150EG-M[2|4|8] 519
FSP 150EG-X 519
FSP 1500 520
FSP 3000 C 520
FSP 3000R7 521
FSP 3000R7 - SH1PCS 521
Hatteras HN[400|4000] 521

For information about the FSP 3000R7 AIDs, see the corresponding product user documentation
obtainable from the Customer Portal at http://www.advaoptical.com/.

Ensemble Controller R15.3 Administrator Manual - Issue: A 515

Hardware or Software Support and
Adtran
Compatibilities

FSP 150
This section contains the AID value descriptions of these FSP 150 device types:

GE11x/XG210 516

GE11x/XG210
These devices conform to this AID format:
<entity type>-<network element>-<shelf>-<slot>-<instance>
l entity type
o Purpose: The entity type.
o Usage: Used for all entities.
l network element
o Purpose: The network element instance number.
o Usage: Not used for all entities.
l shelf
o Purpose: The shelf instance number.
o Usage: Not used for all entities.
l slot
o Purpose: The slot instance number.
o Usage: Not used for all entities.
l instance
o Purpose: The entity instance number.
o Usage: Not used for all entities.

Examples:
NETWORK PORT-1-1-1-2
Network port 2 in NE 1, shelf 1, and slot 1
XFP-1-1-3-1
XFP 1 in NE 1, shelf 1, and slot 3
SFP-1-1-2-1
SFP 1 in NE 1, shelf 1, and slot 2

FSP 150CC
This section contains the AID value descriptions of these FSP 150CC device types:

f825 517
GE20x/Txx04 517

Ensemble Controller R15.3 Administrator Manual - Issue: A 516

Hardware or Software Support and
Adtran
Compatibilities

f825
These devices have a fixed virtual shelf numbered 1 that is assumed and not shown. The AID is in
this format:
<entity type>-<instance>
l entity type
o Purpose: The entity type.
o Usage: Used for all entities.
l instance
o Purpose: The entity instance number.
o Usage: Used for all entities.

Examples:
l WAN-1
l LAN-2
l PSU-1

Other Ensemble Controller device types not shown above are similar to the
f825.

GE20x/Txx04
These devices conform to this AID format:
<entity type>-<network element>-<shelf>-<slot>-<instance>
l entity type
o Purpose: The entity type.
o Usage: Used for all entities.
l network element
o Purpose: The network element instance number.
o Usage: Not used for all entities.
l shelf
o Purpose: The shelf instance number.
o Usage: Not used for all entities.
l slot
o Purpose: The slot instance number.
o Usage: Not used for all entities.
l instance
o Purpose: The entity instance number.
o Usage: Not used for all entities.

Ensemble Controller R15.3 Administrator Manual - Issue: A 517

Hardware or Software Support and
Adtran
Compatibilities

Examples:
NETWORK PORT-1-1-1-2
Network port 2 in NE 1, shelf 1, and slot 1
XFP-1-1-3-1
XFP 1 in NE 1, shelf 1, and slot 3
SFP-1-1-2-1
SFP 1 in NE 1, shelf 1, and slot 2

FSP 150CM
The naming for CM devices is different than for other FSP 150 devices. The name includes the
shelf number. The AID is in this format:
<entity type>-<instance> <shelf>-<slot>
l entity type
o Purpose: The entity type.
o Usage: Used for all entities.
l instance
o Purpose: The entity instance number.
o Usage: Not used for all entities.
l shelf
o Purpose: The shelf instance number.
o Usage: Not used for all entities.
l slot
o Purpose: The slot instance number.
o Usage: Not used for all entities.

Examples:
Complete AID: NET-1 1-6
NET 1 in shelf 1 and slot 6
No <instance>: ACC 1-5
ACC in shelf 1 and slot 5
No <shelf>-<slot>: PSU-1; FAN-1

Some entities such as PSUs are inconsistent and do not indicate the shelf
number.

FSP 150CP
The FSP 150CP AID is in this format:
<entity type>-<instance>

Ensemble Controller R15.3 Administrator Manual - Issue: A 518

Hardware or Software Support and
Adtran
Compatibilities

l entity type
o Purpose: The entity type.
o Usage: Used for all entities.
l instance
o Purpose: The entity instance number.
o Usage: Used for all entities.

FSP 150EG-M[2|4|8]
This device conforms to this AID format:
l Port: <ifName>
l Service: <serviceIndex>
l Service Port: <serviceIndex>-<servicePortIndex>
l Classification Rule: <servicePortIndex>-<ruleIndex>
l QOS: <serviceNumber>-<servicePortIndex>-<entCos>

FSP 150EG-X
This device conforms to this AID format:
<entity type>-<network element>-<shelf>-<slot>-<instance>
l entity type
o Purpose: The entity type.
o Usage: Used for all entities.
l network element
o Purpose: The network element instance number.
o Usage: Not used for all entities.
l shelf
o Purpose: The shelf instance number.
o Usage: Not used for all entities.
l slot
o Purpose: The slot instance number.
o Usage: Not used for all entities.
l instance
o Purpose: The entity instance number.
o Usage: Not used for all entities.

Examples:
OC3-1-1-3-4
OC3 4 in NE 1, shelf 1, and slot 3

Ensemble Controller R15.3 Administrator Manual - Issue: A 519

Hardware or Software Support and
Adtran
Compatibilities

WAN-1-1-19-12
WAN 12 in NE 1, shelf 1, and slot 19
ETH PORT-1-1-23-7
Ethernet port 7 in NE 1, shelf 1, and slot 23

FSP 1500
FSP 1500 AIDs display in the network element (NE) properties, and the reports differ from the AIDs
that display for the events and performance monitoring entities. Small form pluggables (SFPs)
that display in the NE properties correspond to AIDs displayed in the tab pane as shown in here:
l SFP-1 in NE properties is Link A on Events tab.
l SFP-2 in NE properties is Link B on Events tab.
l SFP-3 in NE properties is High Speed Service Port 1 on Events tab.
l SFP-4 in NE properties is High Speed Service Port 2 on Events tab.

For the FSP 1500 NE type, "STM-4 prot", SFP-3, and SFP-4 is not supported. For more information
about the NE types assigned to the different FSP 1500 variants, see the WDM Management
Guide.

FSP 3000 C
This device conforms to this AID format:
<entity type>-<shelf>/<slot>/<port>/<instance>
l entity type
o Purpose: The entity type.
o Usage: Used for all entities.
l shelf
o Purpose: The shelf instance number.
o Usage: Not used for all entities.
l slot
o Purpose: The slot instance number.
o Usage: Not used for all entities.
l port
o Purpose: The port instance number.
o Usage: Not used for all entities.

l instance
o Purpose: The entity instance number.
o Usage: Not used for all entities.

Examples:
Plug-1/5/n1
Plug in shelf 1, slot 5, and port n1.
Ensemble Controller R15.3 Administrator Manual - Issue: A 520
Hardware or Software Support and
Adtran
Compatibilities

ODU4-1/1/c1/otu4/odu4
Facility ID ODU4 in shelf 1, slot 1, port c1, first facility ID otu4, and second facility ID odu4.
For more information about the FSP 3000 C entity AIDs, see the Integration Manual, FSP 3000 C
Access Identifier Changes.

FSP 3000R7
For information about the FSP 3000R7 AIDs, see the corresponding product user documentation
that you can obtain from the Customer Portal.

FSP 3000R7 - SH1PCS

This device conforms to this AID format:
<entity type><network element><shelf><slot><instance>
l entity type
o Purpose: The type of the entity.
o Usage: Used for all entities.
l network element
o Purpose: The network element instance number.
o Usage: Not used for all entities.
l shelf
o Purpose: The shelf instance number.
o Usage: Not used for all entities.
l slot
o Purpose: The slot instance number.
o Usage: Not used for all entities.
l instance
o Purpose: The entity instance number.
o Usage: Not used for all entities.

Examples:
NETWORK PORT-1-1-1-2
Network port 2 in NE 1, shelf 1, and slot 1
XFP-1-1-3-1
XFP 1 in NE 1, shelf 1, and slot 3
SFP-1-1-2-1
SFP 1 in NE 1, shelf 1, and slot 2

Hatteras HN[400|4000]
This device conforms to this AID format:

Ensemble Controller R15.3 Administrator Manual - Issue: A 521

Hardware or Software Support and
Adtran
Compatibilities

<entity type> <shelf>-<slot>-<instance> or <entity type>-<instance>

l entity type
o Purpose: The type of the entity.
o Usage: Used for all entities.

l instance
o Purpose: The entity instance number.
o Usage: Used for all entities.
l shelf
o Purpose: The shelf instance number.
o Usage: Not used for all entities.
l slot
o Purpose: The slot instance number.
o Usage: Not used for all entities.

Examples:
l ETH 1-2-2; STACK 1-2-1
l PSU-B
l Shelf 2

Some entities such as PSUs are inconsistent and do not indicate the shelf
number.

Ensemble Controller R15.3 Administrator Manual - Issue: A 522

Adtran Roles and Allocated Actions

Appendix B
Roles and Allocated Actions
For each role supported in Ensemble Controller (Administrator, Configurator, Operator, Monitor)
default actions are allocated.
For some actions, the 2-Man Rule feature can be set. When the 2-Man Rule feature is set, then
the respective action first has to be approved by an authorized second person before it can be
carried out. For more information about the 2-Man Rule (or two-man approval) feature, see
Enabling Two-Man Approval for Actions.
This table provides an overview of the roles and their respective actions allowed to perform.
There are dependent actions listed in the 'Dependencies' column, which are at the same time
allowed to perform when the action in the 'Name' column is allowed.
For more information about the Ensemble Controller roles and how to customize them as
required, see Roles Tab.

Ensemble Controller R15.3 Administrator Manual - Issue: A 523

Adtran Roles and Allocated Actions

Table 44: Overview of Roles and Their Allowed Actions

Actions Roles
Category Name Dependencies 2-Man Admin. Config. Oper. Mon.
Rule

Application Allow Configuration x x

View License Information x x x x

View Contact Information x x x x

View Support Information x x x x

View About Information x x x x

HA Administration Allow x x
Configuration

Modify Security Preferences Allow x x

Configuration

Modify Connected Servers Allow x

Configuration

View Recurring Actions Allow x x x x

Configuration

Modify Recurring Actions View Recurring x x x

Actions

Second Approval Allow x

Configuration

Control NBI Trap Transmitter Allow x

Settings Configuration

Ensemble Controller R15.3 Administrator Manual - Issue: A 524

Adtran Roles and Allocated Actions

Table 44: Overview of Roles and Their Allowed Actions

Actions Roles
Category Name Dependencies 2-Man Admin. Config. Oper. Mon.
Rule

Create System Health Report Allow x

Configuration,
View Support
Information

View Messages x x x x

Modify Global Layout Templates Allow x

Configuration

Fix DB Inconsistency Allow x x

Configuration

Immediate ENC Server Database Allow x x

Backup Configuration

Server Preferences Allow x x

Configuration

Show Streaming Replication HA x x x x

Status

Enable REST NBI Allow x

Configuration

Access to ELS from ENC x x x x

View ENC-ELS Single Sign-On x

settings

Ensemble Controller R15.3 Administrator Manual - Issue: A 525

Adtran Roles and Allocated Actions

Table 44: Overview of Roles and Their Allowed Actions

Actions Roles
Category Name Dependencies 2-Man Admin. Config. Oper. Mon.
Rule

Modify ENC-ELS Single Sign-On View ENC-ELS x

Settings Single Sign-On
settings

Perform ELS Single Sign-On as x

Administrator

Perform ELS Single Sign-On as x

Restricted Administrator

Perform ELS Single Sign-On as x x x x

Read

User Management Log In x x x x

Multiple Login Log In x x x x

Disconnect User View User List, x

View Security
Manager

Add User View User List, x x

View Security
Manager

Modify User View User List, x x

View Security
Manager

Ensemble Controller R15.3 Administrator Manual - Issue: A 526

Adtran Roles and Allocated Actions

Table 44: Overview of Roles and Their Allowed Actions

Actions Roles
Category Name Dependencies 2-Man Admin. Config. Oper. Mon.
Rule

Delete User View User List, x x

View Security
Manager

View User List View Security x x

Manager

Reset User Password View User List, x

View Security
Manager

Modify Own Password x x x x

Add User Group View User Groups, x x

View Security
Manager

Modify User Group View User Groups, x x

View Security
Manager,
Add User Group

Delete User Group View User Groups, x x

View Security
Manager

View User Groups View Security x

Manager

Ensemble Controller R15.3 Administrator Manual - Issue: A 527

Adtran Roles and Allocated Actions

Table 44: Overview of Roles and Their Allowed Actions

Actions Roles
Category Name Dependencies 2-Man Admin. Config. Oper. Mon.
Rule

Add User Role View User Roles, x x

View Security
Manager

Modify User Role View User Roles, x x

View Security
Manager

Delete User Role View User Roles, x x

View Security
Manager

View User Roles View Security x

Manager

Modify Action Log Settings View Security x x

Manager

Reset Security Settings to Factory Add User Group, x x

Defaults Modify User Group,
Add User Role,
Modify User Role,
Modify Action Log
Settings

View Security Manager Allow x x

Configuration

Modify Own Notification Filters x x x

Ensemble Controller R15.3 Administrator Manual - Issue: A 528

Adtran Roles and Allocated Actions

Table 44: Overview of Roles and Their Allowed Actions

Actions Roles
Category Name Dependencies 2-Man Admin. Config. Oper. Mon.
Rule

Modify All Notification Filters Modify Own x

Notification Filters

User Broadcast User Messages x

Communication

Configuration - View Network Functionality x x x x

Topology

Add New Subnetwork Modify Subnetwork x x

Topology, Allow
Configuration

Create Subnetwork on Root Level Modify Subnetwork x

Topology, Allow
Configuration,
Add New
Subnetwork

Rename Root Level Subnetwork Modify Subnetwork x

Topology, Allow
Configuration,
Add New
Subnetwork

Modify Subnetwork Topology Allow x x x

Configuration

Ensemble Controller R15.3 Administrator Manual - Issue: A 529

Adtran Roles and Allocated Actions

Table 44: Overview of Roles and Their Allowed Actions

Actions Roles
Category Name Dependencies 2-Man Admin. Config. Oper. Mon.
Rule

Delete Subnetwork Allow x x x

Configuration,
Modify Subnetwork
Topology

Delete Subnetwork from root level Allow x x

Configuration,
Delete Subnetwork

Delete Non-Empty Subnetwork Allow x x

Configuration,
Delete Subnetwork

Add Network Element Allow x x x

Configuration,
Modify Subnetwork
Topology

Delete Network Element Allow x x x

Configuration,
Modify Subnetwork
Topology

Manual Line Protection Switch Allow x x x

Configuration

Modify Graph Layout Allow x x

Configuration,
Modify Network
Element Properties

Ensemble Controller R15.3 Administrator Manual - Issue: A 530

Adtran Roles and Allocated Actions

Table 44: Overview of Roles and Their Allowed Actions

Actions Roles
Category Name Dependencies 2-Man Admin. Config. Oper. Mon.
Rule

Move Subnetworks in hierarchy Allow x x

Configuration

Move Network Element in Allow x x

hierarchy Configuration

Add New Customer Allow x x

Configuration

Create customer/customer Allow x

group on root level Configuration,
Add new Customer

Delete Customer Allow x x x

Configuration

Move Customers in hierarchy Allow x x

Configuration

Add New Group Allow x x

Configuration

Delete Group Allow x x x

Configuration

Move Groups in Hierarchy Allow x x

Configuration

Scan IP Range x x

Ensemble Controller R15.3 Administrator Manual - Issue: A 531

Adtran Roles and Allocated Actions

Table 44: Overview of Roles and Their Allowed Actions

Actions Roles
Category Name Dependencies 2-Man Admin. Config. Oper. Mon.
Rule

Configuration - Modify Global Network Properties View Global x x

Network Elements Network Properties,
Allow
Configuration

View Global Network Properties x x x x

Modify Subnetwork Properties View Subnetwork x x

Properties, Allow
Configuration

View Subnetwork Properties x x x x

Modify Network Element View Network x x x

Properties Element Properties,
Allow
Configuration

View Network Element Properties x x x x

Modify Line Properties View Link x x

Properties,
Allow
Configuration

View Line Properties x x x x

Ensemble Controller R15.3 Administrator Manual - Issue: A 532

Adtran Roles and Allocated Actions

Table 44: Overview of Roles and Their Allowed Actions

Actions Roles
Category Name Dependencies 2-Man Admin. Config. Oper. Mon.
Rule

Modify Group Properties View Group x x

Properties,
Allow
Configuration

View Group Properties x x x x

Modify Customer Properties View Customer x x

Properties, Allow
Configuration

View Customer Properties x x x x

Delete Module from Ensemble Modify Network x x

Controller Database Element Properties,
Allow
Configuration

Upgrade Network Element Allow x x x

Software Configuration

Backup Network Element Allow x x

Configuration Configuration

Restore Network Element Allow x x

Configuration Configuration

Perform Manual Polling (Update) x x x x

Ensemble Controller R15.3 Administrator Manual - Issue: A 533

Adtran Roles and Allocated Actions

Table 44: Overview of Roles and Their Allowed Actions

Actions Roles
Category Name Dependencies 2-Man Admin. Config. Oper. Mon.
Rule

Run Element Manager in Read- Run Element x x x

Write Mode Manager in Read-
Only Mode

Run Element Manager in Read- x x x x

Only Mode

Run WEB Manager x x x x

Run CLI Client x x x x

Run Sync View Plus x x x

Enable Alarm Reporting Allow x x

Configuration

Inhibit Alarm Reporting Allow x x

Configuration

Run RAYtracer x x x

Reset SNMP Session View Global x x

Network Properties,
Allow
Configuration

Modify Network Element Password x

Ensemble Controller R15.3 Administrator Manual - Issue: A 534

Adtran Roles and Allocated Actions

Table 44: Overview of Roles and Their Allowed Actions

Actions Roles
Category Name Dependencies 2-Man Admin. Config. Oper. Mon.
Rule

Temporary Privilege Request Allow x x

Approval Configuration

Temporary Privilege Session Kill Temporary x x

Privilege Request
Approval

Reveal Fallback NE Password Allow x x

Configuration

SSO NE Login through Temporary Allow x

Account Configuration,
Run WEB Manager

Configuration - Manager Master Profiles Allow x

Profile Configuration
Management
Distribute Master Profiles Allow x
Configuration

Manage SNMP Profiles View SNMP Profiles x

View SNMP Profiles x

Modify SNMP Settings View SNMP Settings x

View SNMP Settings x

Ensemble Controller R15.3 Administrator Manual - Issue: A 535

Adtran Roles and Allocated Actions

Table 44: Overview of Roles and Their Allowed Actions

Actions Roles
Category Name Dependencies 2-Man Admin. Config. Oper. Mon.
Rule

Configuration - Add Service Browse Services, x x

Services Modify Service,
Allow
Configuration,
Service Admin
State

Modify Service Browse Services, x x x

Allow
Configuration

Delete Service Browse Services, x x x

Allow
Configuration

Service Admin State Browse Services, x x x

Read Access to
Supported
Connections

Service Protection Switch Browse Services x x x

Service Protection Swap Browse Services x x x

Browse Services x x x x

Service Ownership Transfer Browse Services, x

Allow
Configuration

Ensemble Controller R15.3 Administrator Manual - Issue: A 536

Adtran Roles and Allocated Actions

Table 44: Overview of Roles and Their Allowed Actions

Actions Roles
Category Name Dependencies 2-Man Admin. Config. Oper. Mon.
Rule

Equalize Service Browse Services, x x x

Modify Service

Run Service Test Browse Services x x x

Acknowledge / Unacknowledge Browse Services x x

Faulted Service

Export Service List Browse Services x x x

View Encryption x

Ensemble Optical Director Usage x x

Modify Encryption View Encryption x

Ensemble Bandwidth Manager x x x x

Read Access to Supported Browse Services x x

Connections

Write Access to Supported Read Access to x x x

Connections Supported
Connections

Save ROADM Configuration x x

Replace ROADM Configuration Save ROADM x x

Configuration

Ensemble Controller R15.3 Administrator Manual - Issue: A 537

Adtran Roles and Allocated Actions

Table 44: Overview of Roles and Their Allowed Actions

Actions Roles
Category Name Dependencies 2-Man Admin. Config. Oper. Mon.
Rule

Re Equalize ROADM Save ROADM x x

Configuration,
Replace ROADM
Configuration

Remove Saved ROADM Data Save ROADM x x

Configuration

Ensemble Packet Director Usage x x

Adopt/Add Ethernet Ring Ensemble Packet x x

Director Usage

Modify Ethernet Ring Ensemble Packet x x

Director Usage

Delete Ethernet Ring Ensemble Packet x x

Director Usage

Events Modify Event Severity Settings View Event Severity x x

Settings, Allow
Configuration

View Event Severity Settings Allow x x

Configuration

Modify Event Log Size Control View Event Log Size x x

Control

View Event Log Size Control x x

Ensemble Controller R15.3 Administrator Manual - Issue: A 538

Adtran Roles and Allocated Actions

Table 44: Overview of Roles and Their Allowed Actions

Actions Roles
Category Name Dependencies 2-Man Admin. Config. Oper. Mon.
Rule

Acknowledge/Unacknowledge Browse x x x
Event/Alarm Events/Alarms

Delete Event Browse x x x x

Events/Alarms

Delete Security Event Browse Security x x x

Events, Delete
Event

Create Archive Browse x

Events/Alarms

Browse Events/Alarms x x x x

Modify Event/Alarm Filter Settings Browse x x x x

Events/Alarms

Browse Security Events Browse x x x x

Events/Alarms

Ensemble Controller R15.3 Administrator Manual - Issue: A 539

Adtran Roles and Allocated Actions

Table 44: Overview of Roles and Their Allowed Actions

Actions Roles
Category Name Dependencies 2-Man Admin. Config. Oper. Mon.
Rule

Performance Modify Performance Collection View Performance x x

Templates Collection Settings

Modify Performance Collection View Performance x x

Template Assignments Collection Settings

View Performance Collection x x x x

Settings

View Performance Data x x x x

View Fiber Assurance Data View Performance x x x x

Data

View Health Center Server x

Dashboard

View Health Center Network x

Dashboard

Reports Generate Report View Report, x x x

Browse Reports

Delete Report View Report, x x x x

Browse Reports

Browse Reports x x x x

View Report Browse Reports x x x x

Ensemble Controller R15.3 Administrator Manual - Issue: A 540

Adtran Roles and Allocated Actions

Table 44: Overview of Roles and Their Allowed Actions

Actions Roles
Category Name Dependencies 2-Man Admin. Config. Oper. Mon.
Rule

Export Report View Report, x x x x

Browse Reports

Generate Security Report View Security x

Report, Generate
Report, Browse
Security Events

Delete Security Report View Security x x

Report,
Delete Report,
Browse Security
Events

View Security Report View Report, x

Browse Security
Events

Self-Monitoring Run Self-Monitoring x x

TCA-Monitoring View TCA Monitoring x x x x

View Add ESA Probes Window View TCA x x x

Monitoring

Rapid-Monitoring Run Rapid-Monitoring x x

Ensemble Sync View Synchronization x x x x

Director

Ensemble Controller R15.3 Administrator Manual - Issue: A 541

Adtran Roles and Allocated Actions

Table 44: Overview of Roles and Their Allowed Actions

Actions Roles
Category Name Dependencies 2-Man Admin. Config. Oper. Mon.
Rule

Modify Synchronization View x x

Synchronization

View SyncJack x x x x

Modify SyncJack View SyncJack x x

View GNSS Assurance View x x x x

Synchronization

Modify GNSS Assurance View x

Synchronization

View PTP (Time And Phase) x x x x

Assurance

Modify PTP (Time And Phase) View PTP (Time And x x

Assurance Phase) Assurance

Ensemble Run Ensemble Command-Based x x

Command-Based Manager
Manager

Ensemble Fiber Modify Fiber Director Server View Fiber Director x x

Director Settings

Modify Fiber Route View Fiber Director x x

View Fiber Director x x x x

Read EFD Related Data x x x

Ensemble Controller R15.3 Administrator Manual - Issue: A 542

Adtran Roles and Allocated Actions

Table 44: Overview of Roles and Their Allowed Actions

Actions Roles
Category Name Dependencies 2-Man Admin. Config. Oper. Mon.
Rule

Start Tone Generation Read EFD Related x x

Data

Ensemble Controller R15.3 Administrator Manual - Issue: A 543

Pro-Vision – Service Provisioning and
Adtran
Management Platform

Appendix C
Pro-Vision – Service
Provisioning and
Management Platform
Discovering Your Network 544
Fault Management 551
Auditing and Authorization 567

Discovering Your Network

Pro-Vision automatically discovers your network and the elements in the network.
This chapter explains:

Discovery Configuration 544

Setting the Display Name to the System Name 549
Zero Touch Configuration 550

Discovery Configuration
The options explained in this topic are as follows:

Discovery Configuration 545

Viewing Discovery Networks 547
Running Discovery Manually 548
Viewing Discovery Information through the Task Manager 548
Setting Discovery Threads 549

Ensemble Controller R15.3 Administrator Manual - Issue: A 544

Pro-Vision – Service Provisioning and
Adtran
Management Platform

Discovery Configuration
Use this feature to configure Discovery for Pro-Vision. The SNMP Properties are used as defaults
for Network Discovery.
1. Select Settings: Server Options to open the Server Options window and then select the
Discovery tab.

Discovery Tab

Discovery Settings

Field Description

Enable Enable the toggle switch render this feature functional. The switch is
Discovery disabled by default.

Rediscovery Interval (in hours) between two complete discoveries of a network.

Interval (hours) The default is 24 hours. If a negative value is given, it is replaced by 24.

Inter-Device The inter-device gap time between discovering nodes.

Discovery Gap
(ms)

SNMP Settings

SNMP Version Choose the appropriate SNMP version: v1, v2, or v3.

SNMP Port Specify the ports while trying to communicate to the SNMP agents on
each node. The default is 161.

Ensemble Controller R15.3 Administrator Manual - Issue: A 545

Pro-Vision – Service Provisioning and
Adtran
Management Platform

Discovery Tab

SNMP Timeout Specify the timeout (in seconds) to wait for the first response before
(sec) attempting a retransmission. The default is 10 seconds.

SNMP Retries Specify the number of retries to be made to query a device. The
default is 0 (i.e., only one attempt is made to query a particular node).

Read Specify a community string (such as private or public) that can be

Community given to discover the devices when an SNMP request is given. The
default is public.

Write Specify the community; such as private or public to set the write
Community community property for all SNMP-enabled devices. The default is
private.

SNMPv3 User If you selected SNMPv3 in the SNMP Version field, enter a user name of
Name up to 32 characters. Click on CLICK TO SELECT in the SNMPv3 User
Name field to open the Select from SNMPv3 Users Table (see below for
how to configure).

SNMPv3 If you have selected SNMPv3, enter a context name of up to 32

Context Name characters.

2. If you chose SNMPv3 in the SNMP Version field, click on CLICK TO SELECT in the SNMPv3 User
Name field to open the Select from SNMPv3 Users Table. Choose a user from the table and
click Select to fill in the SNMPv3 User Name field. Optionally, click Add to open a window in
which you can create a new profile.

Ensemble Controller R15.3 Administrator Manual - Issue: A 546

Pro-Vision – Service Provisioning and
Adtran
Management Platform

SNMPv3 User Name Add Window

Field Description

User Name A user name between 1 and 32 characters.

Host/Network The hostname/network name. The syntax is A.B.C.D. and/or

A.B.C.D.E.F.G.H.

Netmask (IPv4 Specify the netmask. By default, the value is 255.255.255.0.

only)

Port Enter a port number between 1 and 65,535. The default is 161.

Security Level Choose the security level. Options are No Authentication No Privacy,
Authentication No Privacy, and Authentication and Privacy.

Authentication Enter the appropriate authentication protocol. Options are MD5

Protocol and SHA.

Authentication Enter the authentication password, between 8 and 50 characters.

Password

Re-enter Re-enter the authentication password.

Authentication
Password

Privacy Protocol Enter the appropriate privacy protocol. Options are CBC DES and
CFB AES 128.

Privacy Password Enter the privacy password, between 8 and 50 characters.

Re-enter Privacy Re-enter the privacy password.

Password

3. Click Save to add the entry to the Select from SNMPv3 Users Table. Choose a user from the
table and click Select to fill in the SNMPv3 User Name field.
4. Fill in the other fields as appropriate and click Save in the Discovery tab.

Viewing Discovery Networks

You can view discovered networks by selecting Network: Networks to open the Discovery
Networks Table.

Ensemble Controller R15.3 Administrator Manual - Issue: A 547

Pro-Vision – Service Provisioning and
Adtran
Management Platform

You can select a network entry in the table to open a detailed view below.

Running Discovery Manually

You can run discovery manually by right-clicking on the appropriate discovered network in the
Discovery Networks Table and clicking Run Discovery Now. Alternatively, you can select the
appropriate discovered network in the table and click Run Discovery Now in the upper right of
the menu bar above the table.
When you click Run Discovery Now, a Network Discovery window appears that shows discovery
progress and results.

Viewing Discovery Information through the Task

Manager
You can view Discovery details in Task History and Task Schedules by selecting Tools: Task
Management: History/Schedules.

Ensemble Controller R15.3 Administrator Manual - Issue: A 548

Pro-Vision – Service Provisioning and
Adtran
Management Platform

Here you can view scheduling details and persisted historical discovery results (the last three
runs per network). The same information shown in real-time in the Network Discovery window is
shown in the "Output" here.

Setting Discovery Threads

You can set the number of threads that can run Discovery by selecting Server Options and
choosing the Tasks tab. Here you can adjust the Discovery Threads field to between 1 and 40
threads (the default is 3).

Setting the Display Name to the System

Name
When a device is discovered, the Display Name property for the device is set to the IP address of
the device.
Use this feature to set the device Display Name to the device System Name (hostname) when
the device is discovered.
1. With the editor of your choice, open the PvConfig.properties file in the var/web/pvconf
directory and find #DEVICE_DISPLAYNAME ipaddress.
2. Replace ipaddress with sysname.
3. Start the Pro-Vision server and client.

When you next run discovery, the device icons will contain System Names.

Avoiding Devices with Duplicate Display Names

Current Pro-Vision design requires that devices in the database have unique display name
values. The default value for a device system name is the device model name, for example
OS904. With the addition of system names to the discovery process, multiple devices of the
same model could end up with the same display name in the database.
To avoid this, complete these steps:
1. Before you add a device, verify whether a device with the same System Name already exists
in the database.

Ensemble Controller R15.3 Administrator Manual - Issue: A 549

Pro-Vision – Service Provisioning and
Adtran
Management Platform

2. If no such device exists, set the Display Name to System Name, and then add the device.
3. If such a device does exist, create a new unique name by appending the IP address of the
device to the System Name and set the Display Name to this unique string, for example
OS904@192.168.55.117.

Zero Touch Configuration

Pro-Vision supports an automatic turn-up process for access devices with Zero Touch, which
significantly reduces the operator’s total cost of ownership.
The Zero Touch Configuration allows you to manually add a device in the offline mode and
have that device perform some or all of these actions automatically.
l Receive its address manually, or through DHCP.
l Check the device for the correct Software Version, download the correct version in the event
of a software mismatch, and perform a restart to activate the downloaded version.
l Check for a customized startup configuration, download the configuration, and restart the
device to set that configuration as the running configuration.

You can configure any or all of the features listed below to perform together or separately.

DNS Update
This feature is not supported on Windows platforms.

This release adds RFC 2136 support, which allows you to use Dynamic DNS (Domain Name
Server). Pro-Vision can now notify the DNS to change the DNS configuration of a currently
configured IP address.
Configure the DNS Update using the PvConfig.properties file.
See the Pro-Vision User Manual.

DHCP
In Pro-Vision, the DHCP server does not dynamically hand out IP addresses. Instead, the server
relies on pre-configured IP addresses being returned on the DHCP client's discovery message.
Currently, adding a device to Pro-Vision involves using the user interface and specifying the
device name and characteristics. When the DHCP server is enabled, the Pro-Vision Add Device
screen provides an additional field where you can enter the device MAC address.
The DHCP server stores configuration information in the DeviceObject table. This table is
updated directly when you add or edit device information from the Pro-Vision GUI.
See the Pro-Vision User Manual.

Ensemble Controller R15.3 Administrator Manual - Issue: A 550

Pro-Vision – Service Provisioning and
Adtran
Management Platform

Image Download Software/FPGA

This feature allows you to specify a preferred Software version, FPGA version, and Device
Custom Configuration running on your discovered devices. When you perform the initial
Discovery, Pro-Vision checks the discovered device’s Software and FPGA against the preferred
Software and FPGA versions that are configured in the Zero Touch Image Upgrade and verifies
the correct images are running on the device. If not, Pro-Vision generates a critical alarm
message, stating that the Software and/or FPGA versions do not match. If there is a mismatch
and the image filename is defined, the device is automatically upgraded through the settings
in the File Transfer Profile.
Also, when you perform the initial Discovery, the feature runs automatically and loads your
preconfigured custom configuration files onto any newly discovered devices.

Startup Config
You can now add custom configurations to devices during Discovery. This feature runs
automatically.
When you create a device startup configuration file, you can add special tags to the CLI
commands you enter. You can replace these tag fields by entering your own data, which is then
written out to a device custom file. Enter the tags in UPPERCASE and bracketed by “<” and “>”
characters.

Zero Touch Offline Sync/NTU Replacement

NTU (Network Termination Unit) replacement support has been added to the Zero Touch
features. NTU replacement behavior has been modified to synchronize all configurable port
attributes, including those that are in or out of a default state. All other non-port related
attributes will continue to be synchronized as in the past.

Fault Management
The detection of fault is an online process that gives indication of malfunctioning. Fault
detection and notification are two functional areas which should identify problems and
effectively inform the system administrator. Fault Management handles error conditions (that
cause users to lose the full functionality of a network resource) and provides network
administrators with sophisticated event management, including generation of alerts,
automated actions, event correlation, or trap, event, alert filtering, and so on to detect, isolate,
and repair malfunctions in the network and its control sub-system.
This chapter explains:

Configuring Alarm Filters 552

Performing Alarm Operations 566

Ensemble Controller R15.3 Administrator Manual - Issue: A 551

Pro-Vision – Service Provisioning and
Adtran
Management Platform

Configuring Alarm Filters

When events are generated from devices in a network, you can configure Pro-Vision to send
notifications.
Pro-Vision supports these types of built-in filter notifications:
l Suppressing multiple events in a given interval
l Running system commands on the server
l Sending e-mails
l Sending traps

The processed events are stored in the database and can be viewed in the Events Viewer. The
Events Viewer is asynchronously notified as soon as an event is processed.
You can configure an Event Filter using the Create Filter tool. You can use the properties of the
event object or of the associated trap (if the event has been generated by a trap) in some of
the fields, such as the Suppress Event notification, Run Command notification, Send Trap
notification, and Send E-mail notification.
The rest of the page will cover these items:

Event Log Parameters 552

Opening the Event/Alarm Filter Configuration Tool 553
Configuring Actions 554
Adding Alarm Filters 560
Configuring SNMP Trap Forwarding Profiles 562
Configuring Custom SNMP Traps 563
Viewing Events 565
Viewing Alarms 565

Event Log Parameters

Use this feature to configure events for Pro-Vision. Event configuration influences device polling
in this sense: if a device changes state, an Event is created. How quickly these events are
processed has an impact on overall performance.
Reducing Maximum Event Log Size improves table load speed when there are many events and
saves space in the database, although you can lose information about past events.
1. Select Settings: Server Options to open the Server Options window and then select the Events
tab.

Ensemble Controller R15.3 Administrator Manual - Issue: A 552

Pro-Vision – Service Provisioning and
Adtran
Management Platform

Event Log Tab - Truncation Area

Field Description

Maximum The maximum number of events that the live table can hold. Enter 1 to
Event Log Size 200,000 records. The default is 30,000 records.
(Records) You can increase the maximum size of 200,000 by changing the
property com.adva.nlms.mediation.event.maxEventLogSize located in
the fnm.properties file.
For details regarding the log size, see Log Size Details of Live Events.

Wait Before The waiting time in minutes before events are automatically deleted.
Auto-Delete Enter 1 to 10,080 minutes. The default is 30 minutes.
(Minutes)

Event Log Size The event log size in percentage that triggers a warning to be raised.
Warning Enter 1 to 100 percent. The default is 95 percent.
Threshold (%)

Minimal The minimal interval in hours of sending out warnings. Enter 1 to 672
Warning hours. The default is 24 hours.
Interval
(Hours)

Remaining Log The log size in percentage remaining after events have been deleted.
Size After Enter 1 to 100 percent. The default is 90 percent.
Deletion (%)

Event Log Tab - Truncation Area

History The time period in days of retaining events in the history table. Enter 1
Retention to 360 days. The default is 211 days.
Period (Days)

History The maximum number of events that the history table can hold. Enter 1
Capacity to 1,499,999 records. The default is 1,000,000 records.
(Records)

2. Fill in the fields as appropriate and click Save in the Events Log tab.

Opening the Event/Alarm Filter Configuration Tool

The Event/Alarm Filters can be created or modified using the Event/Alarm Filter Configuration
tool.
To open the Event/Alarm Filter Configuration Tool

Ensemble Controller R15.3 Administrator Manual - Issue: A 553

Pro-Vision – Service Provisioning and
Adtran
Management Platform

1. From the Fault menu, select Filters. The Filters table opens.

Configuring Actions
This section explains how to configure the various actions, so that you can then apply their
Action Profiles to the appropriate filter.

Configuring Email Servers 554

Configuring Email Profiles 555
Configuring SNMP Trap Profiles 556
Configuring Suppress Profiles 558
Configuring System Command Profiles 559
Configuring Remark Action Profiles 560

Configuring Email Servers

You must first configure an Email server if you want to send Emails.
To configure an Email server
1. Select Fault: Actions: Email Servers. The Email Servers table opens.

2. Click Add to open the Create Email Server window.

Ensemble Controller R15.3 Administrator Manual - Issue: A 554

Pro-Vision – Service Provisioning and
Adtran
Management Platform

Field Description

Email Server Enter an Email Server Name of up to 64 characters (this cannot

Name contain a ‘, !, &, \, or TAB).

Host IP or hostname of the email server.

Port Must be between 5 and 65, 535. Usually the SMTP port is 25 or 587 with
SSL/TSL.

Use SSL Enable this toggle switch to use an SSL/TSL connection.

To Designate who you want the mail to be sent to, to a maximum of 255
characters.

From Designate who you want the mail to come from, to a maximum of 255
characters.

Username If you specify a username, it performs the authentication necessary to

send the email.

Password If you specify a password, it performs the authentication necessary to

send the email.

3. Configure the fields as appropriate and click Save. The new Email Server appears in the
Email Servers list.

Configuring Email Profiles

Once you configure an Email server, you can link it to an Email Profile.
To configure an Email profile
1. Select Fault: Actions: Email Profiles. The Email Profiles table opens.

2. Click Add to open the Create Email Action Profile window.

Ensemble Controller R15.3 Administrator Manual - Issue: A 555

Pro-Vision – Service Provisioning and
Adtran
Management Platform

Field Description

Email Profile Enter an Email Profile Name of up to 64 characters (this cannot contain a
Name ‘, !, &, \, or TAB).

Email Server The selected Email Server Profile. Click on CLICK TO SELECT to choose from
Profile the Select From Email Servers window or click Add in that same window
to create a new Email Server.

Subject Click in the Subject field to open the token selector window, where you
choose from among $text, $source, $entity, $time, $sourceType,
$severity, and $category and click Select to add them to the Subject
field.

Message Click in the Message field to open the token selector window, where you
choose from among $text, $source, $entity, $time, $sourceType,
$severity, and $category and click Select to add them to the Message
field.

3. Configure the fields as appropriate and click Save. The new Email Profile appears in the
Email Profiles list.

Configuring SNMP Trap Profiles

Use this feature to generate a SNMPv1, SNMPv2, or SNMPv3 trap with the specified criteria.
Complete these steps to configure an SNMP trap profile:
1. From the Fault menu, Actions list, select SNMP Trap Profiles. The SNMP Trap Action Profiles
table opens.

2. Click Add to open the Create SNMP Trap Action Profile window. This window differs
depending on whether you select v1, v2c, or v3 in the Version field. This window shows the v1
version.

Ensemble Controller R15.3 Administrator Manual - Issue: A 556

Pro-Vision – Service Provisioning and
Adtran
Management Platform

Field Description

SNMP Trap Enter an SNMP trap profile name of up to 64 characters. This name
Profile Name cannot contain these characters: ‘, !, &, \, or the TAB key.

Destination IP address or hostname of the destination.

Port Must be 5 to 65,535.

Community Must be 1 to 100 characters.

Version Select the applicable SNMP version.

l v1: Select to render the Enterprise, Generic Type, and Specific Type
fields visible and configurable.
l v2c: Select to render the OID field visible and configurable.
l v3: If you select this option, you must configure a v3 user in server
options that will be used to send the trap. See Server Settings
Configuration in the Pro-Vision User Manual for more information.

Enterprise Appears if you select SNMP version v1. Identifies the type of managed
object that generates the trap.

Generic Type Appears if you select SNMP version v1. Indicates one of a number of
generic trap types.

Ensemble Controller R15.3 Administrator Manual - Issue: A 557

Pro-Vision – Service Provisioning and
Adtran
Management Platform

Field Description

Specific Type Appears if you select SNMP version v1. Indicates one of a number of
specific trap codes.

OID This trap identification field appears if you select SNMP version v2c.
Enter an object ID that has 1 to 255 characters.

Varbinds Click Add to open the Adding Table Entry window, where you can
configure the Varbinds.
In the Adding Table Entry window:
l OID: Enter the applicable trap identification field. For an SNMP OID
such as 1.1.0, if no leading dot is specified, the standard prefix
1.3.6.1.2.1 will be prepended.
l Value: Select the appropriate substitution token(s).
l Type: Select String, Integer, Counter, or IP Address.

3. Configure the fields as appropriate, and then click Save. The new SNMP Trap Action Profile
displays in the SNMP Trap Action Profile list.

Configuring Suppress Profiles

Create a suppression profile to allow a single event through, if it is greater than 0, and so that all
events are discarded up to the interval you set here.
Complete these steps to configure a suppression profile
1. Select Fault: Actions: Suppress Profiles. The Suppress Action Profiles table opens.

2. Click Add to open the Create Suppress Action Profile window.

Ensemble Controller R15.3 Administrator Manual - Issue: A 558

Pro-Vision – Service Provisioning and
Adtran
Management Platform

Field Description

Suppress Enter a Suppress Profile Name of up to 64 characters (this cannot

Profile Name contain a ‘, !, &, \, or TAB).

Interval If you set this to greater than 0 seconds, the first event is let through and
(secs) all others are discarded up to this time interval.

3. Configure the fields as appropriate and click Save. The new Suppress Action Profile appears
in the Suppress Action Profiles list.

Configuring System Command Profiles

Create a system command profile to automatically execute a system command.
To configure a system command profile
1. Select Fault: Actions: System Command Profiles. The System Command Profiles table opens.

2. Click Add to open the Create System Command Action Profile window.

Field Description

System Enter a System Command Profile Name of up to 64 characters (this

Command cannot contain a ‘, !, &, \, or TAB).
Profile Name

Command Click in the Command field to open the token selector window, where
you choose from among $text, $source, $entity, $time, $sourceType,
$severity, and $category and click Select to add them to the
Command field.

Abort Timeout The amount of time (in seconds) before aborting the execution of the
(secs) System Command.

Ensemble Controller R15.3 Administrator Manual - Issue: A 559

Pro-Vision – Service Provisioning and
Adtran
Management Platform

3. Configure the fields as appropriate and click Save. The new System Command Action Profile
appears in the System Command Action Profiles list.

Configuring Remark Action Profiles

Create a remark action profile to change the severity of an event or alarm.
To configure a remark action profile
1. Select Fault: Actions: Remark Profiles. The Remark Action Profiles table opens.

2. Click Add to open the Create Remark Action Profile window.

Field Description

Remark Profile Enter a Remark Profile Name of up to 64 characters (this cannot

Name contain a ‘, !, &, \, or TAB).

Severity Choose the appropriate severity. Options are Critical, Major, Minor,
Warning, Clear, and Info.

3. Configure the fields as appropriate and click Save. The new Remark Action Profile appears in
the Remark Action Profiles list.

Adding Alarm Filters

To add an Alarm Filter

Ensemble Controller R15.3 Administrator Manual - Issue: A 560

Pro-Vision – Service Provisioning and
Adtran
Management Platform

1. From the Filters table, click Add to open the Create Filter window.

Field Description

Filter Name Enter a filter name of up to 64 characters (this cannot contain a ‘, !, &, \, or
TAB).

Enabled This toggle switch enables or disables the filter.

Severity Choose a severity level, such as Critical, Major, Minor, Warning, Clear, and
Info. If you select Info, the filter will be classified as an Event. If you select
any other Severity, it is an Alarm. You can select multiple severity levels.
Note that if you want only alarms, you must select every severity except
Info.

Source Select a Source Type. Options are Device, Module, Port, Ethernet Service,
Type Optical Transport Service, ERP Service, Link, and Pro-Vision.

Source This field uses string based matching to filter. The special characters are
'*' to match zero or more characters and '?' to match one character. If
neither is specified then it must be an exact match.

Entity This field uses string based matching to filter. The special characters are
'*' to match zero or more characters and '?' to match one character. If
neither is specified then it must be an exact match.

Ensemble Controller R15.3 Administrator Manual - Issue: A 561

Pro-Vision – Service Provisioning and
Adtran
Management Platform

Field Description

Text This field uses string based matching to filter. The special characters are
'*' to match zero or more characters and '?' to match one character. If
neither is specified then it must be an exact match.

Action The selected Action Profile. Click on CLICK TO SELECT to choose from the
Select From Actions window or click Add in that same window to create a
new Action.

2. Click on CLICK TO SELECT in the Actions field to choose from the Select From Actions window.

3. Choose the appropriate action in the Select From Actions window and click Select. The
Select From Actions window closes and the profile you selected now appears in the Create
Filter window in place of CLICK TO SELECT. Perform this procedure for all appropriate filters.
To clear an action, click the highlighted row to un-highlight it, and then click Select. The
Select From Actions window closes and the action you cleared is replaced by CLICK TO
SELECT in the Create Filter window.
4. Configure the remaining fields as appropriate, and then click Save.

Configuring SNMP Trap Forwarding Profiles

Create an SNMP Trap Forwarding profile to forward all traps Pro-Vision receives to the
configured destination port. Note that only SNMPv1 and SNMPv2c traps are forwarded unless an
SNMPv3 user is configured in Server Options. SNMPv3 does not forward Pro-Vision generated
events.
To configure an snmp trap forwarder profile
1. Select Fault: SNMP Trap Forwarders. The SNMP Trap Forwarders table opens.

Ensemble Controller R15.3 Administrator Manual - Issue: A 562

Pro-Vision – Service Provisioning and
Adtran
Management Platform

2. Click Add to open the Create SNMP Trap Forwarder window.

Field Description

SNMP Trap Forwarder Enter a SNMP Trap Forwarder Name of up to 64 characters (this
Profile Name cannot contain a ‘, !, &, \, or TAB).

Destination The hostname of the destination.

Port Must be between 1 and 65,535.

3. Configure the fields as appropriate and click Save. The new SNMP Trap Forwarder Profile
appears in the SNMP Trap Forwarder list.
Trap forwarding includes IPv6 addresses of devices using this OID from FSP:
FSP-NM-MIB::neIpAddress OBJECT-TYPE
SYNTAX SnmpAdminString (for example, 1.3.6.1.4.1.2544.1.13.1.1.1.10)
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Network element ip address"
::= { trapObjects 10 }

Configuring Custom SNMP Traps

Create custom SNMP Traps so that Pro-Vision can process traps it does not know about from
third party devices or traps that Pro-Vision did not natively implement.
To configure a custom snmp trap
1. Select Fault: Custom SNMP Traps. The Custom SNMP Traps table opens.

Ensemble Controller R15.3 Administrator Manual - Issue: A 563

Pro-Vision – Service Provisioning and
Adtran
Management Platform

2. Click Add to open the Create Custom Trap window.

Field Description

Custom Trap Enter a Custom Trap Profile Name of up to 64 characters (this cannot
Profile Name contain a ‘, !, &, \, or TAB).

Enable This toggle switch enables or disables the trap.

Message Click in the Message field to open the token selector window, where you
choose from among $source, $name, and $N and click Select to add
them to the Message field.

Severity Choose the appropriate severity. Options are Unknown, Critical, Major,
Minor, Warning, Clear, and Info.

Category Match criteria based on an event object property with a category name
to which the event belongs. This is used to organize events. Options are
Topology or Pro-Vision.

V2/V3 OID Enter a V2/V3 Object ID of up to 255 characters (numeric or text).

V1 Enterprise Identifies the type of V1 managed object that generates the trap.

Ensemble Controller R15.3 Administrator Manual - Issue: A 564

Pro-Vision – Service Provisioning and
Adtran
Management Platform

Field Description

V1 Generic Indicates one of a number of generic V1 trap types.

Type

V1 Specific Indicates one of a number of specific V1 trap codes.

Type

3. Configure the fields as appropriate and click Save. The new Custom SNMP Trap appears in
the Custom SNMP Trap list.

Viewing Events
From the Fault menu, select Events to open the Events table. Click on the appropriate event in
the table to open a detail window for that event.

Viewing Events

Field Description

NMS Time The time of event creation.

Severity The event severity, either Critical, Informational, Minor, or Warning.

Source Type The source type the event is from. Source types are Device, Port, Module,
Ethernet Service, Optical Transport Service, ERP Service, Link, and Provision.

Source The IP address of the event source.

AID The event access identifier.

Text The event’s text description.

Viewing Alarms
From the Faultmenu, select Alarms to open the Alarms table. Click on the appropriate alarm in
the table to open a detail window for that alarm.

Ensemble Controller R15.3 Administrator Manual - Issue: A 565

Pro-Vision – Service Provisioning and
Adtran
Management Platform

Viewing Alarms

Field Description

NMS Time The time of alarm creation.

Severity The alarm severity, either Critical, Informational, Minor, or Warning.

Source Type The source type the alarm is from. Source types are Device, Port, Module,
Ethernet Service, Optical Transport Service, ERP Service, Link, and Provision.

Source The IP address of the alarm source.

AID The alarm access identifier.

Text The alarm’s text description.

Performing Alarm Operations

The administrative tasks that you can perform in the Alarm View are

Clearing Alarms 566

Configuring Alarm Severity 567

Clearing Alarms
The alarms that the system generates in the network, automatically clear during runtime. You
can also clear an alarm manually after resolved it or if it is inconsequential. Sometimes, the
agent sends fault only when there is a crisis and does not send notifications when that crisis is
resolved. In such a scenario, you can manually clear the alarm.
To clear an alarm:
1. Open the Alarm Viewer.
2. To select the alarm that you want to clear, click the corresponding row.
3. From the menu, select Clear Alarms.

If you clear an alarm, the system adds an event to the event table.

Ensemble Controller R15.3 Administrator Manual - Issue: A 566

Pro-Vision – Service Provisioning and
Adtran
Management Platform

Configuring Alarm Severity

You can now configure trap severities for filters defined in the trap.filters file. Set the
severities in the var/web/pvconf/trap_sev.conf file. The file is located at C:\Pro-
Vision\conf\trap_sev.conf.
This file is used to specify the trap severities for the trap filters defined in the trap.filters file.
Trap Severity Values:
l 1 is for Critical
l 2 is for Major
l 3 is for Minor
l 4 is for Warning
l 6 is for Info

Clear is set to Info.

For most traps, you need only specify either the clear_severity value or the fault_severity
value. However, in some cases, for example OamCcmAlarm, the same trap is generated for both a
fault and clear indication (you must look inside the trap varbind to determine which one it is). In
this case, you should specify both clear_severity and fault_severity values.

Auditing and Authorization

This chapter explains how to configure and view the auditing and authorization features.

Configuring the Auditing Feature 567

Configuring Authorization 569

Configuring the Auditing Feature

Use the auditing fields to enable and configure auditing.
1. From the Settings menu, select Server Options to open the Server Options window and
configure these fields:

Server Options – Auditing Settings

Field Description

Audit Select On to enable auditing at a system level. The default is enabled.

Enabled Selecting On disables any Pro-Vision generated audits, but does not
disable audits such as authentication.

Ensemble Controller R15.3 Administrator Manual - Issue: A 567

Pro-Vision – Service Provisioning and
Adtran
Management Platform

Server Options – Auditing Settings

Audit Enter 0 to 365 days for an audit clean (cleanup) interval. The default is 7.
Clean Any audit trails older than this value are deleted.
Interval
(Days)

2. Configure the fields appropriately, and then click Save.

Viewing Audit Information through the Task Manager 568

Sylsog Server Filters 569
Viewing the Audit Log 569

Viewing Audit Information through the Task Manager

You can view audit details in Task History and Task Schedules by selecting Tools, then Task
Management, and then History/Schedules.
In the Task Schedules window, you can see an Audit Clean task. This task runs when the server
starts and also every night. The task deletes any audit trails older than the configured value.

In the History window, you can view audit cleanup details to see how many rows or records the
system deleted and the how much time it took to delete them.

Ensemble Controller R15.3 Administrator Manual - Issue: A 568

Pro-Vision – Service Provisioning and
Adtran
Management Platform

Sylsog Server Filters

The audit log filters Audit Logs and All Alarms and Audit Logs are in the Filter field in the Syslog
table Editing Table Entry window. Use these to filter for the appropriate alarms and audit logs.
See the Pro-Vision User Manual for more information.

Viewing the Audit Log

To view the audit details in the Audit Log window, select Settings, and then Audit Log. Select the
appropriate audit username and operation to open a detailed view, shown here:

Configuring Authorization
You create, update, list, and delete authorized users in the User Management window, Pro-
Vision ENC Users table.
Complete these steps to configure an ENC user.
1. From the Settings menu, select User Management. The ENC Users table opens.

Ensemble Controller R15.3 Administrator Manual - Issue: A 569

Pro-Vision – Service Provisioning and
Adtran
Management Platform

2. Click Add to open the Create a new ENC User window.

Create a New ENC User

Field Description

User Name Enter a Pro-Vision user name that has 1 to 64 characters.

Full Name Enter a user name that has 1 to 1000 characters.

Description Enter a description that has 1 to 10,000 characters.

Email Enter an email address that has 1 to 255 characters.

Password Enter a password that has 1 to 32 characters.

Re-enter Re-enter the password you entered in the previous field.

Password

Enabled Select to set Enabled to On.

Ensemble Controller R15.3 Administrator Manual - Issue: A 570

Pro-Vision – Service Provisioning and
Adtran
Management Platform

Create a New ENC User

Groups Select the applicable group name.

l Administrator: Select to set administrator as the role name for this
group. With this privilege level, all group members have full read-
and-write access to all Pro-Vision features, including system and
user administration.
l Configurator: Select to set configurator as the role name for this
group. With this privilege level, all group members have full read-
and-write access to all Pro-Vision features. This group has no
system or user administration access.
l Operator: Select to set operator as the role name for this group.
With this privilege level, all group members can:
o Use SSH to communicate with devices.
o Toggle the EService administration status.
o Run tests.
o Clear alarms.
o Generate reports.
l Monitor: Select to set monitor as the role name for this group. With
this privilege level, all group members have read-only access to
devices and services. This access includes topology views,
inventory views, and making upgrades. This group has no system or
user administration access.
Depending on which role you select, some views are either visible or
invisible in the menus.

3. Configure the fields as appropriate, and then click Save. The new Pro-Vision user is displayed
in the ENC Users list.

Modifying an ENC User 571

Deleting an ENC User 571
Viewing Authentication Type LDAP Users 572

Modifying an ENC User

1. From the ENC Users table, right-click the appropriate ENC User entry.
2. Select View to open a detailed information view of that user. The fields are the same as
those of the Create a new ENC User window.
3. Modify the appropriate fields, and then click Save.

Deleting an ENC User

1. From the ENC Users table, right-click the appropriate ENC User entry.
2. Select Delete to delete the user.

Ensemble Controller R15.3 Administrator Manual - Issue: A 571

Pro-Vision – Service Provisioning and
Adtran
Management Platform

Viewing Authentication Type LDAP Users

When you log in through LDAP, Ensemble Controller creates a user with the authentication type
LDAP in the database. Pro-Vision shows this additional user in the ENC Users table. This user is
not editable.
From the Settings menu, select User Management to open the ENC Users table.

Ensemble Controller R15.3 Administrator Manual - Issue: A 572

The Westing Game Study Guide
74% (54)
The Westing Game Study Guide
24 pages
ENC Administrator Manual
No ratings yet
ENC Administrator Manual
646 pages
OSA542211 5 1CLIReferenceGuide
No ratings yet
OSA542211 5 1CLIReferenceGuide
884 pages
3BUA000500-610 - B - en - System 800xa 6.1 Reference - Third Party Software Versions
100% (2)
3BUA000500-610 - B - en - System 800xa 6.1 Reference - Third Party Software Versions
26 pages
SiOME MAN V3 0 en
No ratings yet
SiOME MAN V3 0 en
156 pages
FSP3000R7 R19.2 Maintenance and Troubleshooting Manual IssA
No ratings yet
FSP3000R7 R19.2 Maintenance and Troubleshooting Manual IssA
1,256 pages
SIMATIC WinCC OA Security Guideline v317
No ratings yet
SIMATIC WinCC OA Security Guideline v317
330 pages
(The Bedford Series in History and Culture) Brent D. Shaw (Eds.) - Spartacus and The Slave Wars - A Brief History With Documents-Palgrave Macmillan US (2001)
100% (2)
(The Bedford Series in History and Culture) Brent D. Shaw (Eds.) - Spartacus and The Slave Wars - A Brief History With Documents-Palgrave Macmillan US (2001)
206 pages
Automation Framework DOC V1 2 en
No ratings yet
Automation Framework DOC V1 2 en
232 pages
Simple Trading Techniques, Powerful Results-1
67% (3)
Simple Trading Techniques, Powerful Results-1
103 pages
Easy Read - LCON 1523 Slides For Students
No ratings yet
Easy Read - LCON 1523 Slides For Students
167 pages
Network Element Director FSP3000
No ratings yet
Network Element Director FSP3000
483 pages
SecurityGuidelineUnified V10 en
No ratings yet
SecurityGuidelineUnified V10 en
43 pages
2PAA101888-610 A en System 800xa 6.1 Tools
No ratings yet
2PAA101888-610 A en System 800xa 6.1 Tools
118 pages
System 800xa Information Management Technical Support Reference
100% (1)
System 800xa Information Management Technical Support Reference
166 pages
ENC Integration Manual
No ratings yet
ENC Integration Manual
164 pages
UMAC With TIA Portal V19 DOC V1 0 en
No ratings yet
UMAC With TIA Portal V19 DOC V1 0 en
45 pages
Kim Il Sung - Memórias No Transcurso Do Século Vol. 5 (INGLÊS) PDF
No ratings yet
Kim Il Sung - Memórias No Transcurso Do Século Vol. 5 (INGLÊS) PDF
450 pages
Chapter 11: Virtual Wan Part 1 - S2S VPN and Vnet Connections
No ratings yet
Chapter 11: Virtual Wan Part 1 - S2S VPN and Vnet Connections
40 pages
Library Guideline DOC v13 en
No ratings yet
Library Guideline DOC v13 en
101 pages
AppNote Run MyVirtual Machine Open en
No ratings yet
AppNote Run MyVirtual Machine Open en
51 pages
Unmodified Audit Report
No ratings yet
Unmodified Audit Report
2 pages
CertificateHandlingTIAPortal V1 0 en
No ratings yet
CertificateHandlingTIAPortal V1 0 en
100 pages
UsingCertificatesWithTIAPortal DOC V2 0 en
No ratings yet
UsingCertificatesWithTIAPortal DOC V2 0 en
69 pages
9ARD000014-610 A en Control AC 800M Ethernet IP DeviceNet Configuration
No ratings yet
9ARD000014-610 A en Control AC 800M Ethernet IP DeviceNet Configuration
244 pages
SmartAdvisor V20.4.1 Manual V4.1 en
No ratings yet
SmartAdvisor V20.4.1 Manual V4.1 en
37 pages
System 800xa Information Management Display Services
No ratings yet
System 800xa Information Management Display Services
352 pages
WinCC CloudConnector DOC V2 en
No ratings yet
WinCC CloudConnector DOC V2 en
59 pages
Authenticated E-Statement 06dec2024 165020718 4501
100% (1)
Authenticated E-Statement 06dec2024 165020718 4501
12 pages
MultiUser Engineering DOC v15 en
No ratings yet
MultiUser Engineering DOC v15 en
62 pages
PCS7 OpenOS 3rdparty Integration ABB V9.0 en
No ratings yet
PCS7 OpenOS 3rdparty Integration ABB V9.0 en
57 pages
2PAA111691-610 A en System 800xa 6.1 Central Licensing System
No ratings yet
2PAA111691-610 A en System 800xa 6.1 Central Licensing System
56 pages
Chapter Inventories
No ratings yet
Chapter Inventories
38 pages
Alrc V2
No ratings yet
Alrc V2
56 pages
Checklist SCALANCE IBS V20 en
No ratings yet
Checklist SCALANCE IBS V20 en
32 pages
Loadmanagement DOC PCS7 V90 SP1 en
No ratings yet
Loadmanagement DOC PCS7 V90 SP1 en
43 pages
SINAMICS S120 Parallelschaltung Active Line Modules V1 2 en 2023-12-22 2
No ratings yet
SINAMICS S120 Parallelschaltung Active Line Modules V1 2 en 2023-12-22 2
34 pages
doCONTROL - Guide Utilisateur
No ratings yet
doCONTROL - Guide Utilisateur
53 pages
ColorImages
No ratings yet
ColorImages
40 pages
2PAA110154-610 A en System 800xa 6.1 Operator Workplace Support For Mobile Device
No ratings yet
2PAA110154-610 A en System 800xa 6.1 Operator Workplace Support For Mobile Device
180 pages
Whitepaper: Delancer - Io
No ratings yet
Whitepaper: Delancer - Io
15 pages
Act 649 Government Loans Notice of Trusts Act 1947
No ratings yet
Act 649 Government Loans Notice of Trusts Act 1947
7 pages
Instant Access To Nahuatl As Written Lessons in Older Written Nahuatl With Copious Examples and Texts 1st Edition James Lockhart Ebook Full Chapters
100% (1)
Instant Access To Nahuatl As Written Lessons in Older Written Nahuatl With Copious Examples and Texts 1st Edition James Lockhart Ebook Full Chapters
25 pages
CMD
No ratings yet
CMD
18 pages
Handout 8 Comparative Table of Hearsay Exceptions (Unavailability of Declarant Immaterial)
No ratings yet
Handout 8 Comparative Table of Hearsay Exceptions (Unavailability of Declarant Immaterial)
1 page
Schedule 1 Forms: Claim Submission/ Joint Valuation Conducted On (Date), Etc.) of Contract)
No ratings yet
Schedule 1 Forms: Claim Submission/ Joint Valuation Conducted On (Date), Etc.) of Contract)
3 pages
Constituciones Web
No ratings yet
Constituciones Web
57 pages
FM - Chapter 3 - Quiz
No ratings yet
FM - Chapter 3 - Quiz
8 pages
Accountancy XI Half Yearly Worksheet
No ratings yet
Accountancy XI Half Yearly Worksheet
8 pages
SIMIT-GettingStarted DOC V1.0 en
No ratings yet
SIMIT-GettingStarted DOC V1.0 en
26 pages
Reviewer 1 Philippine History LET
No ratings yet
Reviewer 1 Philippine History LET
2 pages
Chapter 6 Accounting Equations: Short Answer Question
No ratings yet
Chapter 6 Accounting Equations: Short Answer Question
16 pages
Commands SNMP
No ratings yet
Commands SNMP
6 pages
Exercises - Apportionment and Voting
No ratings yet
Exercises - Apportionment and Voting
5 pages
Pound Mech.J. (1908) MM
No ratings yet
Pound Mech.J. (1908) MM
31 pages
SFA Licence To Manufacture and Process of Animal Feed 2022
No ratings yet
SFA Licence To Manufacture and Process of Animal Feed 2022
3 pages
Avenido Vs Avenido
100% (4)
Avenido Vs Avenido
2 pages
Current Affairs - 2016 Events: Smriti Irani Launches ISBN Portal
No ratings yet
Current Affairs - 2016 Events: Smriti Irani Launches ISBN Portal
5 pages
Annex 29 Final Inspection Report
No ratings yet
Annex 29 Final Inspection Report
2 pages
Order of Assessment by The Assessing Officer Violating Principles of Natural Justice Is Void and Bound To Be Set Aside: Rajasthan High Court
No ratings yet
Order of Assessment by The Assessing Officer Violating Principles of Natural Justice Is Void and Bound To Be Set Aside: Rajasthan High Court
2 pages
Chordu Guitar Chords The White Buffalo The House of The Rising Sun Subtitulada Al Español Chordsheet Id - Gn6G8eS4WeE PDF
No ratings yet
Chordu Guitar Chords The White Buffalo The House of The Rising Sun Subtitulada Al Español Chordsheet Id - Gn6G8eS4WeE PDF
3 pages
Week 1 Overview of Forensic Science PDF
No ratings yet
Week 1 Overview of Forensic Science PDF
6 pages
03-05-2019 - Qoutation Project Goody Shop at Toul Tompung
No ratings yet
03-05-2019 - Qoutation Project Goody Shop at Toul Tompung
1 page
History of Homeschooling in America: Homeschooling Makes A Comeback
No ratings yet
History of Homeschooling in America: Homeschooling Makes A Comeback
3 pages
Artificial Intelligence Development in Sensors and Computer Vision for Health Care and Automation Application
From Everand
Artificial Intelligence Development in Sensors and Computer Vision for Health Care and Automation Application
Minh Long Hoang
No ratings yet
Human-Computer Interaction and Beyond: Advances Towards Smart and Interconnected Environments (Part II)
From Everand
Human-Computer Interaction and Beyond: Advances Towards Smart and Interconnected Environments (Part II)
PublishDrive
No ratings yet
Practical Digital Forensics: A Guide for Windows and Linux Users
From Everand
Practical Digital Forensics: A Guide for Windows and Linux Users
Akashdeep Bhardwaj
No ratings yet
Thyroid Toxicity
From Everand
Thyroid Toxicity
PublishDrive
No ratings yet
COVID 19 – Monitoring with IoT Devices
From Everand
COVID 19 – Monitoring with IoT Devices
Ambika Nagaraj
No ratings yet
Dominant Algorithms to Evaluate Artificial Intelligence:From the View of Throughput Model
From Everand
Dominant Algorithms to Evaluate Artificial Intelligence:From the View of Throughput Model
Waymond Rodgers
No ratings yet
The Future of Computing: Ubiquitous Applications and Technologies
From Everand
The Future of Computing: Ubiquitous Applications and Technologies
Neha Kishore
No ratings yet
Amazon Web Services: The Definitive Guide for Beginners and Advanced Users
From Everand
Amazon Web Services: The Definitive Guide for Beginners and Advanced Users
Parul Dubey
No ratings yet
Deep Learning for Healthcare Services
From Everand
Deep Learning for Healthcare Services
Parma Nand
No ratings yet
Advances in Time Series Forecasting: Volume 2
From Everand
Advances in Time Series Forecasting: Volume 2
Cagdas Hakan Aladag
No ratings yet
Computational Intelligence for Sustainable Transportation and Mobility: Volume 1
From Everand
Computational Intelligence for Sustainable Transportation and Mobility: Volume 1
Deepak Gupt
No ratings yet
Soft Robotics
From Everand
Soft Robotics
Gareth J. Monkman
No ratings yet
Video Data Analytics for Smart City Applications: Methods and Trends
From Everand
Video Data Analytics for Smart City Applications: Methods and Trends
Abhishek Singh Rathore
No ratings yet
Digital Transformation in African SMEs: Emerging Issues and Trends Volume 3
From Everand
Digital Transformation in African SMEs: Emerging Issues and Trends Volume 3
Mohammed Majeed
No ratings yet
Smart Home and Industrial IoT Devices: Critical Perspectives on Cyberthreats, Frameworks and Protocols
From Everand
Smart Home and Industrial IoT Devices: Critical Perspectives on Cyberthreats, Frameworks and Protocols
Akashdeep Bhardwaj
No ratings yet
Data Science for Agricultural Innovation and Productivity
From Everand
Data Science for Agricultural Innovation and Productivity
S. Gowrishankar
No ratings yet
Quick Guideline for Computational Drug Design (Revised Edition)
From Everand
Quick Guideline for Computational Drug Design (Revised Edition)
Sheikh Arslan Sehgal
No ratings yet
The Role of AI in Enhancing IoT-Cloud Applications
From Everand
The Role of AI in Enhancing IoT-Cloud Applications
Ambika Nagaraj
No ratings yet
Introduction to Sensors in IoT and Cloud Computing Applications
From Everand
Introduction to Sensors in IoT and Cloud Computing Applications
Ambika Nagaraj
No ratings yet
Artificial Intelligence and Multimedia Data Engineering: Volume 1
From Everand
Artificial Intelligence and Multimedia Data Engineering: Volume 1
Suman Kumar Swarnkar
No ratings yet
Cyber Forensics and Investigation on Smart Devices: Volume 1
From Everand
Cyber Forensics and Investigation on Smart Devices: Volume 1
Akashdeep Bhardwaj
No ratings yet
Cross-Industry Blockchain Technology: Opportunities and Challenges in Industry 4.0
From Everand
Cross-Industry Blockchain Technology: Opportunities and Challenges in Industry 4.0
Rajesh Singh
No ratings yet
Trends in Future Informatics and Emerging Technologies
From Everand
Trends in Future Informatics and Emerging Technologies
PublishDrive
No ratings yet
Medical Imaging Technologies and Methods for Health Care
From Everand
Medical Imaging Technologies and Methods for Health Care
PublishDrive
No ratings yet
IoT-enabled Sensor Networks: Architecture, Methodologies, Security, and Futuristic Applications
From Everand
IoT-enabled Sensor Networks: Architecture, Methodologies, Security, and Futuristic Applications
Samayveer Singh
No ratings yet
Digital Innovation Adoption: Architectural Recommendations and Security Solutions
From Everand
Digital Innovation Adoption: Architectural Recommendations and Security Solutions
Muhammad Ehsan Rana
No ratings yet
Polarity Index In Proteins - A Bioinformatics Tool
From Everand
Polarity Index In Proteins - A Bioinformatics Tool
Carlos Polanco
No ratings yet
Introduction to Machine Learning with Python
From Everand
Introduction to Machine Learning with Python
Deepti Chopra
No ratings yet
Coherent Wireless Power Charging and Data Transfer for Electric Vehicles
From Everand
Coherent Wireless Power Charging and Data Transfer for Electric Vehicles
Chih-Cheng Huang
No ratings yet
Modern Intelligent Instruments - Theory and Application
From Everand
Modern Intelligent Instruments - Theory and Application
Changjian Deng
No ratings yet
Arduino and Scilab based Projects
From Everand
Arduino and Scilab based Projects
Anita Gehlot
No ratings yet

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.

ENC Administrator Manual

Uploaded by

ENC Administrator Manual

Uploaded by

Administrator Manual

Product Release: 15.3

Ensemble Controller R15.3 -Administrator Manual - Issue: A 2

Ensemble Controller R15.3 Administrator Manual - Issue: A 3

Ensemble Controller R15.3 Administrator Manual - Issue: A 4

Ensemble Controller R15.3 Administrator Manual - Issue: A 5

Ensemble Controller R15.3 Administrator Manual - Issue: A 6

Ensemble Controller Server Filter 65

Ensemble Controller R15.3 Administrator Manual - Issue: A 7

Viewing and Deleting Installed Clients 95

Ensemble Controller R15.3 Administrator Manual - Issue: A 8

Configuring FSP Network Manager Files 127

Ensemble Controller R15.3 Administrator Manual - Issue: A 9

Editing Roles 140

Ensemble Controller R15.3 Administrator Manual - Issue: A 10

Requirement to Use the Fallback Solution 154

Ensemble Controller R15.3 Administrator Manual - Issue: A 11

Enabling or Disabling Automatic Switchover for Standard High Availability 183

Enhancing the Database Password Encryption Security 204

Ensemble Controller R15.3 Administrator Manual - Issue: A 13

Setting the Client Time Zone 235

Ensemble Controller R15.3 Administrator Manual - Issue: A 14

Setting the Shared Buffer Size 261

Ensemble Controller R15.3 Administrator Manual - Issue: A 15

Automatic Database Backups 292

Ensemble Controller R15.3 Administrator Manual - Issue: A 16

Exporting Database Content from the Source Server 323

Ensemble Controller R15.3 Administrator Manual - Issue: A 17

Configuring the Service in the Services Window 342

Ensemble Controller R15.3 Administrator Manual - Issue: A 18

Requirements to Upgrade Ensemble Controller 367

Ensemble Controller R15.3 Administrator Manual - Issue: A 19

Requirements to View the CPc Manager 396

Ensemble Controller R15.3 Administrator Manual - Issue: A 20

Resolving Installation Issues 415

Ensemble Controller R15.3 Administrator Manual - Issue: A 21

The Ensemble Controller Client cannot connect to the Server 433

Ensemble Controller R15.3 Administrator Manual - Issue: A 22

Hardware or Software Support and Compatibilities 447

Ensemble Controller R15.3 Administrator Manual - Issue: A 23

Ensemble Controller R15.3 Administrator Manual - Issue: A 24

Ensemble Controller R15.3 Administrator Manual - Issue: A 25

Ensemble Controller R15.3 Administrator Manual - Issue: A 26

Ensemble Controller R15.3 Administrator Manual - Issue: A 27

Ensemble Controller R15.3 Administrator Manual - Issue: A 28

FSP 150CM 518

Ensemble Controller R15.3 Administrator Manual - Issue: A 29

Configuring Suppress Profiles 558

Ensemble Controller R15.3 Administrator Manual - Issue: A 30

Safety Symbol and Message

Icon Meaning Description

Notice Indicates the risk of equipment damage, malfunction,

Note Indicates supplemental information or helpful

Ensemble Controller R15.3 Administrator Manual - Issue: A 31

Release Old Name / New Name New Remark

11.1.1 Network Ensemble ENC

Network Ensemble ENC Server

Network Ensemble ENC Client

Service Manager Ensemble Optical EOD

Sync Manager Ensemble Sync ESD

Ethernet Ensemble ECBM

Encryption Ensemble ECGD

Bandwidth Ensemble EBM

12.2.1 Network Centralized CPc User

12.3.1 Ensemble CryptoManager

Ensemble Controller R15.3 Administrator Manual - Issue: A 32

Release Old Name / New Name New Remark

13.1.1 Control Plane Centralized CPc Manager

Ensemble Controller Documentation Suite

These manuals especially address licensed Ensemble Controller features:

World Wide Web

Documentation Portal https://advadocs.com/

Ensemble Controller R15.3 Administrator Manual - Issue: A 33

Obtaining Ensemble Controller

Ensemble Controller R15.3 Administrator Manual - Issue: A 34

Creating a System Health Report 35