Centralized O&M Management Using FusionDirector

The FusionDirector is unified O&M management software for Huawei and third-party edge devices, allowing public cloud and enterprise customers to perform simple and efficient O&M management on edge devices throughout their lifetime. It implements visualized management and fault diagnosis for servers, and provides lifetime management capabilities such as device management, device configuration, firmware update, device monitoring, and OS deployment for edge devices, helping O&M personnel improve O&M efficiency and reduce O&M costs. For more FusionDirector-related operations, see the FusionDirector Operation Guide.

This section describes how to interconnect with the FusionDirector to manage devices deployed with an edge management system in batches.

Prerequisite

The system time of the edge device to be managed must be the same as that of the FusionDirector. Otherwise, the management may fail.

After the device is successfully managed on the FusionDirector, you can view operation logs in the background environment. The log path is /var/plog/redfish/redfish_operate.log, and the run log path is /var/plog/redfish/redfish_run.log.

Procedure

  1. Log in to the WebUI of the edge management system.
  2. Choose Management > NMS Registration.
    Figure 1 NMS registration
  3. In the Configuration area, select FusionDirector.
    • Point-to-point Management (default): By default, the edge management system uses this mode to independently manage an edge device. You can enter the management IP address of the edge device in the address box of a browser to perform point-to-point device management.
    • FusionDirector: Connect an edge device (used as an edge node) to the FusionDirector central management system for unified management. Set the parameters based on the actual situation.
      Figure 2 FusionDirector
      1. If multiple IP addresses are configured on the same NIC, a random IP address is displayed on the FusionDirector. As a result, the device cannot be identified. You can specify the IP address to be managed by the FusionDirector by binding the IP address to an egress route. For example, if the IP address of the FusionDirector is 192.168.100.15 and the NIC on the device has two IP addresses 192.168.1.100 and 192.168.1.101, you can run the ip route add 192.168.100.15 via 192.168.1.1 src 192.168.1.100 command to enable the FusionDirector to manage 192.168.1.100.
      2. When the management status of FusionDirector is Ready, the FusionDirector root certificate cannot be uploaded on the WebUI. You need to go to the WebUI of the managed FusionDirector and import the root certificates of other FusionDirectors to implement NMS switchover between FusionDirectors.
      Table 1 Item description

      Item | Mandatory/Optional | Description

      Node ID | Mandatory (automatically identified)

      ID of the device connected to the FusionDirector. Retain the default value.

      The value of this parameter must be a character string in UUID format. A UUID is a 128-bit identifier and is usually used to identify an entity on a network.

      A UUID string consists of digits and lowercase letters (a to f) in the following format: a string of eight digits and letters (32 bits)-a string of four digits and letters (16 bits)-a string of four digits and letters (16 bits)-a string of four digits and letters (16 bits)-a string of 12 digits and letters (48 bits)

      Example: 1aab2222-abc3-de45-123d-56789abcfdff

      NOTE:

      If an edge device is faulty, the node ID of the new edge device must be the same as that of the original one. Choose Menu > Devices > Device List > Edge Devices on the FusionDirector WebUI to query the node ID of the faulty device.

      Server Name | Optional

      If you import a user-defined service certificate to the FusionDirector, you need to import the root certificate of the corresponding CA to the edge device to verify the user-defined service certificate of the FusionDirector. You can import the root certificate by clicking FusionDirector Root Certificate File on the WebUI. In addition, you need to set the Server Name parameter to verify the domain name of the user-defined service certificate of the FusionDirector. The value must be the same as the CN (Common Name) field of the user-defined service certificate of the FusionDirector.

      If the service certificate preconfigured by Huawei is used, you do not need to set this parameter.

      NOTICE:

      The CN field of the user-defined service certificate cannot contain "huawei". Otherwise, the device fails to interconnect with the FusionDirector.

      If the server name is a domain name starting with "*.", after the configuration is saved, "*." will be replaced with "fd.".

      IP Address | Mandatory

      IP address for accessing the FusionDirector. The value is an IPv4 address.

      Port | Mandatory

      Port for accessing the FusionDirector. The value range is [1, 65535]. Currently, only 443 is supported.

      Account | Mandatory

      Account for accessing the FusionDirector. The default value is EdgeAccount.

      NOTE:

      After the interconnection is successful, the interconnection account automatically uses the new one-device-one-secret authentication mode delivered by the FusionDirector for interconnection. The account and password of one-device-one-secret are automatically generated by FusionDirector microservices. For details, see the FusionDirector Maintenance Guide.

      Password | Mandatory

      Password for accessing the FusionDirector.
      • If the FusionDirector version is 1.7 or later, obtain the password by referring to "Configuration Quick Start > Edge Device > Adding an Edge Device" in the FusionDirector Operation Guide.
      • If the FusionDirector version is earlier than 1.7, obtain the password by referring to "Configuration Quick Start > Edge Device > Registering FusionDirector NMS Information" in the FusionDirector Operation Guide.

      FusionDirector Root Certificate File | Optional

      The root certificate file must be uploaded when the FusionDirector is interconnected for the first time. Click to upload the root certificate file. If there are multiple levels of certificates, combine all the certificates into one file and import it. You are advised to place the upper-level certificates after the lower-level certificates in the file.

      This parameter is optional. You do not need to set this parameter when the preconfigured certificate is used. For security purposes, you are advised to use your own certificates and public and private key pairs and periodically update them to ensure certificate validity and security. If the device fails to connect to the FusionDirector because the certificate has expired or is revoked, import the root certificate file again. For security purposes, the root certificate must meet the following requirements on asymmetrical encryption algorithms and key lengths:
      • A key of 3072 bits or more is recommended if RSA is used.
      • A key of 256 bits or more is recommended if ECC is used.
      Certificate format requirements are as follows:
      • The certificate must be in PEM format.
      • The signature in the root CA certificate is correct.
      • The root CA certificate is valid.
      • The digest algorithm can be SHA-256, SHA-384, or SHA-512.
      • The signing algorithm can be sha256WithRSAEncryption, sha384WithRSAEncryption, sha512WithRSAEncryption, or ecdsa-with-SHA256.
      • The certificate must be an X.509v3 digital certificate. For a root CA, the "Basic Constraints" extension must be "CA", and the "Key Usage" extension must contain "Certificate Signature".
      • The certificate extension field must contain the "SAN" field and the IP address.

      You are advised to upload the custom root certificate. In addition, Huawei provides a root certificate on its official website. To obtain it, perform the following steps:

      Log in to the FusionDirector, choose Menu > System Management > Security Management > Certificates, click Service Certificates, and click Export on the right of FusionDirectorServer to download the rootCerts.zip certificate package to the local PC. Decompress the downloaded certificate package to obtain the rootCertChain.crt certificate.

      NOTE:

      If the device is in the managed state, the certificate cannot be uploaded again.

      FusionDirector CRL File | Optional

      For security purposes, after uploading the FusionDirector root certificate, import the CRL to check whether the FusionDirector root certificate is revoked. If it is revoked, the device will not be able to communicate with the FusionDirector. The certificate is provided by the user.

      FusionDirector Interconnection Test | Mandatory

      The interconnection test is performed by default.

      • If you select Test, the node ID and the connectivity between the device and FusionDirector are tested. If the test fails, the NMS mode switchover fails.
      • If you select Not Test, the node ID and the connectivity between the device and FusionDirector will not be tested. The NMS mode switchover is successful, but the device may not be managed by the FusionDirector.

      For offline centralized configurations of edge devices (when the FusionDirector cannot be connected), you can skip the interconnection test. However, the FusionDirector parameters must be valid. That is, the node ID of each device must be unique on the FusionDirector, and the IP address, user name, and password must be valid. The interconnection test is recommended in other scenarios to prevent management failures caused by incorrect input.

  4. Click Save.

    If a message indicating that the NMS mode was switched successfully is displayed, the NMS registration is configured successfully.
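
Added example (not part of the original guide or of Huawei's software): a pre-flight check for the offline batch case described under FusionDirector Interconnection Test, where the test is skipped and the parameters must already be valid. It applies the Table 1 rules for Node ID, IP Address, Port and Server Name. The one-line-per-device input format, the function name fd_preflight, the case-insensitive "huawei" match and the sample values are assumptions made for this example, and uniqueness is checked only within the batch, not against the FusionDirector.

```shell
#!/bin/sh
# Added example, not Huawei code. Input format (constructed for this example),
# one device per line:  <node-id> <fd-ip> <port> <server-name or "-">
# Prints one finding per problem; returns non-zero if any parameter is invalid.
fd_preflight() {
    awk '
    function bad(msg) { printf "line %d: %s\n", NR, msg; errs++ }
    function is_uuid(s,   p, n, i, want) {
        n = split(s, p, "-"); split("8 4 4 4 12", want, " ")
        if (n != 5) return 0
        for (i = 1; i <= 5; i++)
            if (length(p[i]) != want[i] || p[i] !~ /^[0-9a-f]+$/) return 0
        return 1
    }
    function is_ipv4(s,   o, n, i) {
        n = split(s, o, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
        return 1
    }
    /^[ \t]*#/ || NF == 0 { next }
    {
        id = $1; ip = $2; port = $3; name = $4
        if (!is_uuid(id)) bad("node ID is not a lowercase UUID: " id)
        else if (id in seen) bad("node ID duplicates line " seen[id])
        else seen[id] = NR
        if (!is_ipv4(ip)) bad("FusionDirector address is not IPv4: " ip)
        if (port !~ /^[0-9]+$/ || port < 1 || port > 65535)
            bad("port out of range [1, 65535]: " port)
        else if (port != 443) bad("only port 443 is currently supported: " port)
        if (name != "-" && name != "") {
            # Assumption: the "huawei" restriction is matched case-insensitively.
            if (index(tolower(name), "huawei"))
                bad("server name must not contain \"huawei\": " name)
            if (substr(name, 1, 2) == "*.")
                printf "line %d: note: saved as fd.%s\n", NR, substr(name, 3)
        }
    }
    END { exit (errs > 0) }'
}

# Constructed sample batch: line 2 reuses a node ID, line 3 has three problems.
fd_preflight <<'EOF' || true
1aab2222-abc3-de45-123d-56789abcfdff 192.168.100.15 443 -
1aab2222-abc3-de45-123d-56789abcfdff 192.168.100.15 443 *.example.test
2AAB2222-abc3-de45-123d-56789abcfdff 192.168.100.15 8443 fd.huawei.example.test
EOF
```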
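
Added example (not part of the original guide or of Huawei's software): a check of a custom root certificate against the requirements listed under FusionDirector Root Certificate File, run before the file is uploaded. It assumes the OpenSSL command-line tool is available and that the file holds a single self-signed root rather than a multi-level chain; the function name check_fd_root_cert is made up for this example.

```shell
#!/bin/sh
# Added example, not Huawei code. Checks one PEM certificate against the root
# certificate requirements in Table 1 by parsing "openssl x509 -text" output.
# Prints one FAIL line per unmet requirement; returns non-zero if any.
check_fd_root_cert() {
    cert=$1; rc=0
    fail() { echo "FAIL: $1"; rc=1; }
    txt=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) ||
        { echo "FAIL: not a readable PEM X.509 certificate"; return 1; }
    has() { printf '%s\n' "$txt" | grep -q -- "$1"; }
    # An extension's value is printed on the line after its name.
    ext() { printf '%s\n' "$txt" | awk -v n="$1" 'index($0, n) { getline; print; exit }'; }

    has 'Version: 3 ' || fail "not an X.509v3 certificate"

    sig=$(printf '%s\n' "$txt" | awk '/Signature Algorithm:/ { print $3; exit }')
    case $sig in
        sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption) ;;
        ecdsa-with-SHA256) ;;
        *) fail "signing algorithm not allowed: $sig" ;;
    esac

    bits=$(printf '%s\n' "$txt" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if has 'Public Key Algorithm: rsaEncryption'; then
        [ "${bits:-0}" -ge 3072 ] || fail "RSA key is $bits bits, 3072 or more recommended"
    elif has 'Public Key Algorithm: id-ecPublicKey'; then
        [ "${bits:-0}" -ge 256 ] || fail "ECC key is $bits bits, 256 or more recommended"
    else
        fail "public key is neither RSA nor ECC"
    fi

    case $(ext 'X509v3 Basic Constraints') in
        *CA:TRUE*) ;; *) fail "Basic Constraints does not mark a CA" ;; esac
    case $(ext 'X509v3 Key Usage') in
        *"Certificate Sign"*) ;; *) fail "Key Usage lacks Certificate Sign" ;; esac
    case $(ext 'X509v3 Subject Alternative Name') in
        *"IP Address:"*) ;; *) fail "no IP address in the SAN extension" ;; esac

    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        fail "certificate has expired"
    # A root certificate is self-signed, so it must verify against itself.
    openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 ||
        fail "self-signature does not verify"
    return $rc
}
```

Call it as `check_fd_root_cert rootCertChain.crt`; no output and a zero exit status mean every listed requirement was met.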