Troubleshooting [dynes:IN PROGRESS]

  1. General Information

    When setting up a Remote Link in OESS, the name of the link must be the same as the link= string at the other end, and the URNs in the topology file for each end of the link must match exactly. Here are the two ends of one link taken from the ION topology information at https://ndb7.net.internet2.edu/TopologyViewer/?domain=dynes.internet2.edu&ts_instance=http%3A%2F%2Fdcn-ts.internet2.edu%3A8012%2FperfSONAR_PS%2Fservices%2Ftopology. Note that the I2 NOC sets this information up for each remote site, so whatever you tell the NOC to put in the link= field of the first item below is what you must use at your end.
    
    urn:ogf:network:domain=dynes.internet2.edu:node=sw-i2lab.dynes.internet2.edu:port=Te+0/0:link=internet2
    urn:ogf:network:domain=ion.internet2.edu:node=rtr.chic:port=xe-7/1/2:link=lab-idc
    
    In OESS the Remote Link dialog asks for Name and Remote URN. In the above example, Name is "internet2", i.e. whatever follows link= in the first URN (what you told the NOC to put there). The second URN is the link to you from the other end's perspective; this is what goes in the Remote URN field when setting up the remote link in OESS.
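    As an added example (not part of OESS or the DYNES tooling), the POSIX shell functions below parse topology URNs of the form shown above and print the two values the Remote Link dialog asks for, refusing a URN that is missing any of the domain/node/port/link fields. The two URNs in the usage comment are the ones from this section; nothing else is assumed.

```shell
#!/bin/sh
# Added example (not part of OESS or the DYNES tooling): parse the topology
# URNs above and derive the two values the OESS Remote Link dialog asks for.
#
# URN shape:  urn:ogf:network:domain=D:node=N:port=P:link=L
# Field values never contain ':' (ports look like Te+0/0 or xe-7/1/2), so the
# URN can be split on ':' safely.

# urn_field URN KEY  -> prints the value of KEY (domain, node, port or link)
urn_field() {
    printf '%s\n' "$1" | tr ':' '\n' | sed -n "s/^$2=//p"
}

# urn_is_complete URN -> 0 if the prefix is right and all four fields are set
urn_is_complete() {
    case "$1" in
        urn:ogf:network:*) ;;
        *) return 1 ;;
    esac
    for k in domain node port link; do
        [ -n "$(urn_field "$1" "$k")" ] || return 1
    done
    return 0
}

# oess_remote_link LOCAL_URN REMOTE_URN
#   LOCAL_URN  - your end of the link as the NOC entered it in the topology
#   REMOTE_URN - the peer's end, i.e. the link towards you from their side
# Prints the two Remote Link fields; returns 1 if either URN is malformed.
oess_remote_link() {
    urn_is_complete "$1" || { echo "malformed local URN: $1" >&2; return 1; }
    urn_is_complete "$2" || { echo "malformed remote URN: $2" >&2; return 1; }
    printf 'Name=%s\n' "$(urn_field "$1" link)"
    printf 'Remote URN=%s\n' "$2"
}

# Usage with the two URNs from the example above:
#   oess_remote_link \
#     'urn:ogf:network:domain=dynes.internet2.edu:node=sw-i2lab.dynes.internet2.edu:port=Te+0/0:link=internet2' \
#     'urn:ogf:network:domain=ion.internet2.edu:node=rtr.chic:port=xe-7/1/2:link=lab-idc'
# prints Name=internet2 and Remote URN=urn:ogf:network:domain=ion.internet2.edu:node=rtr.chic:port=xe-7/1/2:link=lab-idc
```

    Run it with the two URNs copied from the TopologyViewer page before filling in the dialog; if the Name it prints is not what the NOC confirmed for the link= field, one of the two URNs is not the one you think it is.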
    
    CERTS
    
    CERTS are stored in /etc/pki/tls/certs (key in /etc/pki/tls/private). This CERT is the site cert. If this IDC is peered with
    Internet2 the CERT must be CA signed; otherwise it can be self-signed.
    
    Keystores are located in /etc/oscars/keystores: oscars.jks and localhost.jks. It appears that they can be the same (i.e.,
    copy oscars.jks to localhost.jks). The keystore should contain the site cert and the certs of the signing authorities.
    
    -- To insert the site CERT into /etc/oscars/keystores/oscars.jks and /etc/oscars/keystores/localhost.jks do
    -- the following (idc-importkeypair lives in /opt/oscars/tools/bin). mykey is the alias to use for the
    -- site cert. The last argument is the letter O (capital oh), not a zero.
    
    ./idc-importkeypair -s /etc/oscars/keystores/oscars.jks -a mykey -k /path/to/yourhost.key -c /path/to/yourhost.crt -p changeit -O
    
    ---- copy oscars.jks to localhost.jks
    
    ----The keystores must also contain a CERT for localhost. See below for instructions
    ---- on generating that CERT.
    
    ---- Whatever you call the CERT and KEY you install in /etc/pki/tls you must also
    ---- update /etc/httpd/conf.d/ssl.conf
    
      SSLCertificateFile /etc/pki/tls/certs/your.host.crt
      SSLCertificateKeyFile /etc/pki/tls/private/your.host.key
    
    ---- Also these paths must be placed in /etc/oess/database.xml
    
      cert="/etc/pki/tls/certs/your.host.crt"
      key="/etc/pki/tls/private/your.host.key"
    
    ---- The owner and issuer fields for the local site CERT need to be placed in the local IDC
    ---- user in OSCARS. These also need to be placed in the IDC user at the peer host. See
    ---- below regarding changing the IDC peer.
    
    ---- In case all you have is the old (.5) OSCARS.jks, do the following to get the cert and key. This moves
    ---- the key pair into a PKCS12 file (rutgers_idc is the alias in this example; check yours with keytool -list):
    keytool -v -importkeystore -srckeystore OSCARS.jks -srcstorepass changeit -srckeypass password -srcalias rutgers_idc -destkeystore temp.p12 -destalias mykey -deststorepass changeit -destkeypass changeit -deststoretype PKCS12
    
    ---- Convert the PKCS12 file to PEM (enter changeit as the import password), then split out the cert and key:
    openssl pkcs12 -in temp.p12 -out temp.pem
    openssl x509 -in temp.pem > yourhost.crt
    openssl rsa -in temp.pem -out yourhost.key
    
    ---- Copy the cert and key to /etc/pki/tls as mentioned above. Don't forget to update ssl.conf!
    
    
  2. More CERT related information...

    -- Suffixes: .cer, .crt
    Both suffixes are used for X.509 certificates, and the suffix does not determine the encoding: a file is either DER (the raw binary encoding) or PEM (the same DER bytes base-64 encoded between BEGIN/END lines). By convention a .cer is often DER and a .crt is usually PEM, but it is the same certificate either way and the two forms are interchangeable once converted.
    
    -- A .cer file containing PKCS#7-encoded data looks like this:
    
    -----BEGIN PKCS7-----
    MIIW4gYJKoZIhvcNAQcCoIIW0zCCFs8CAQExADALBgkqhkiG9w0BBwGggha1MIIH
    ...
    POI9n9cd2cNgQ4xYDiKWL2KjLB+6rQXvqzJ4h6BUcxm1XAX5Uj5tLUUL9wqT6u0G
    +bKhADEA
    -----END PKCS7-----
    
    -- To convert a pkcs7 .cer to .crt (add -inform DER if the .cer is binary rather than the text form shown above)
    openssl pkcs7 -print_certs -in certificate.cer -out certificate.crt
    
    
    -- A PEM certificate data looks like this:
    
    -----BEGIN CERTIFICATE-----
    MIIHNjCCBh6gAwIBAgIQAlBxtqKazsxUSR9QdWWxaDANBgkqhkiG9w0BAQUFADBm
    ...
    nv72c/OV4nlyrvBLPoaS5JFUJvFUG8RfAEY=
    -----END CERTIFICATE-----
    
    If the .cer is in PEM format it's the same as a .crt.
    
    
  3. To install/replace the CERT on the IDC

    These are the steps to import the cert and key into the keystores, install them for httpd and OESS, and update the IDC user in the OSCARS web UI. They work for both .pem and .crt input.
    
    -- If the cert and key are together in one .pem file, split them out first:
    openssl x509 -in yourcert.pem > yourhost.crt
    openssl rsa -in yourcert.pem -out yourhost.key
    
    -- Import the cert and key to the oscars.jks and localhost.jks to overwrite the previous entry
    cd /opt/oscars/tools/bin/
    ./idc-importkeypair -s /etc/oscars/keystores/oscars.jks -a mykey -k /path/to/yourhost.key -c /path/to/yourhost.crt -p changeit -O
    ./idc-importkeypair -s /etc/oscars/keystores/localhost.jks -a mykey -k /path/to/yourhost.key -c /path/to/yourhost.crt -p changeit -O
    
    -- (Optional) To check the owner, issuer, and validation date stored in oscars.jks
    -- See below for instructions to extract the cert and key
    keytool -list -v -alias mykey  -keystore /etc/oscars/keystores/oscars.jks |egrep "Owner|Issuer|Valid"
    
    -- Retrieve the updated subject and issuer and update the Local IDC Account (yoursite-idc) in the OSCARS webUI: https://yourhost.edu:8443/OSCARS/
    keytool -printcert -file /path to/yourhost.crt|egrep "Owner:|Issuer:"
    Owner: CN=<whatever is there>, OU=Services, DC=doegrids, DC=org
    Issuer: CN=DOEGrids CA 1, OU=Certificate Authorities, DC=DOEGrids, DC=org
    
    -- Copy the new cert and key to the proper places
    -- The cert can be mode 644. The private key must not be world-readable: 600, owned by root, is
    -- enough for httpd, which reads it as root at startup. If the OESS service that uses the key path
    -- in database.xml runs as another user, give that user read access through a group rather than
    -- making the key world-readable.
    -- Also make sure that only one cert is in the cert file
    -- and the CN in the cert must match the host name
    cp /path/to/yourhost.crt /etc/pki/tls/certs
    cp /path/to/yourhost.key /etc/pki/tls/private
    
    -- To check that the key actually belongs to the cert, compare the moduli (the two hashes must be identical)
    openssl rsa -noout -modulus -in /etc/pki/tls/private/yourhost.key | openssl md5
    openssl x509 -noout -modulus -in /etc/pki/tls/certs/yourhost.crt | openssl md5
    
    -- Update the new cert and key locations in the relevant places (if they've changed)
    -- If you make a mistake in database.xml you'll get "Could not send Message" in the OSCARS UI
    /etc/oess/database.xml
    /etc/httpd/conf.d/ssl.conf
    
    -- Restart OSCARS
    service oscars restart
    -- Restart HTTPD
    service httpd restart
    -- Restart OESS (may not be necessary)
    service oess restart
    
  4. To generate a new self-signed CERT

    -- -nodes means no PEM pass phrase is used
    -- -days 1825 = 5 years; use what makes sense for your site
    openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 1825 -nodes
    -- Enter relevant information at the prompts
    -- Common Name (eg, your name or your server's hostname) must match the actual server name or use localhost
    
    Generating a 2048 bit RSA private key
    ............................................+++
    ........................................+++
    writing new private key to 'key.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:US
    State or Province Name (full name) [Berkshire]:MI
    Locality Name (eg, city) [Newbury]:.   <- Note period entered here to blank out default
    Organization Name (eg, company) [My Company Ltd]:OSCARS
    Organizational Unit Name (eg, section) []:OSCARS DEFAULT
    Common Name (eg, your name or your server's hostname) []:localhost
    Email Address []:.   <- Note period entered here to blank out default
    
    -- Copy resulting cert.pem and key.pem to the appropriate files in /etc/pki/tls
    -- If you don't overwrite what was already in /etc/pki/tls
    -- then you must update /etc/httpd/conf.d/ssl.conf
    -- E.g.,
    cp cert.pem /etc/pki/tls/certs/your.host.crt
    cp key.pem /etc/pki/tls/private/your.host.key
    
    -- Now update the cert used by OSCARS
    cd /etc/oscars/keystores/
    
    -- First delete the old one
    keytool -delete -alias mykey -keystore oscars.jks -storepass changeit
    
    -- Now add in the new one
    /opt/oscars/tools/bin/idc-importkeypair -s oscars.jks -a mykey -c /etc/pki/tls/certs/your.host.crt -k /etc/pki/tls/private/your.host.key -p changeit -O
    -- Hit return when prompted Enter PEM pass phrase:
    
    -- IMPORTANT!! oscars.jks and localhost.jks need a cert corresponding to the actual local host name but also one for localhost.
    openssl req -x509 -newkey rsa:2048 -keyout localhostkey.pem -out localhostcert.pem -days 1825 -nodes
    Generating a 2048 bit RSA private key
    ................+++
    ..........................................................................................+++
    writing new private key to 'localhostkey.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:US
    State or Province Name (full name) []:CA
    Locality Name (eg, city) [Default City]:.   <- Note period entered here to blank out default
    Organization Name (eg, company) [Default Company Ltd]:OSCARS
    Organizational Unit Name (eg, section) []:OSCARS DEFAULT
    Common Name (eg, your name or your server's hostname) []:localhost
    Email Address []:.   <- Note period entered here to blank out default
    
    -- Import localhostcert.pem and localhostkey.pem into the keystore with idc-importkeypair as above, under an
    -- alias of its own (re-using mykey would overwrite the site cert).
    
    -- Verify that the CERTs were inserted correctly
    keytool -list -alias mykey -v -keystore /etc/oscars/keystores/oscars.jks -storepass changeit
    keytool -printcert -file /etc/pki/tls/certs/your.host.crt
    
    -- Update localhost.jks
    cp oscars.jks localhost.jks
    
    -- Restart everything
    service httpd restart
    service oscars restart
    service oess restart
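    As an added example (not from the DYNES or OSCARS distribution), the POSIX shell script below does two things this section and section 3 describe by hand: it generates the self-signed pair non-interactively (the -subj form of the prompts above, with the same DN values) and it runs the checks a cert/key pair has to pass before httpd is restarted: exactly one cert in the file, CN equal to the host name, not expired, key matching the cert (the modulus comparison section 15 uses), and key not world-readable. It assumes openssl is on PATH; all paths are arguments, so it can be tried on a scratch directory before being pointed at /etc/pki/tls.

```shell
#!/bin/sh
# Added example (not part of the DYNES/OSCARS distribution).
# make_selfsigned: non-interactive equivalent of the openssl req prompts above.
# check_cert_key:  the checks sections 3 and 4 ask for, against any cert/key pair.
# Assumes openssl is on PATH. Nothing here is hardcoded to /etc/pki/tls.

# make_selfsigned CERT KEY CN [DAYS]
#   -nodes: no pass phrase on the key; -subj replaces the interactive DN prompts.
#   The key is chmod 600 because it must not be world-readable once installed.
make_selfsigned() {
    days="${4:-1825}"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/C=US/O=OSCARS/OU=OSCARS DEFAULT/CN=$3" \
        -keyout "$2" -out "$1" 2>/dev/null || return 1
    chmod 600 "$2"
}

# check_cert_key CERT KEY HOSTNAME
#   Returns 0 when every check passes; each failure is printed on stderr and
#   the function returns 1.
check_cert_key() {
    crt="$1"; key="$2"; host="$3"; rc=0

    # Exactly one certificate in the file (no chain appended).
    n="$(grep -c 'BEGIN CERTIFICATE' "$crt" 2>/dev/null || true)"
    [ "$n" = 1 ] || { echo "expected 1 cert in $crt, found '$n'" >&2; rc=1; }

    # CN must be the host name peers connect to.
    cn="$(openssl x509 -noout -subject -nameopt RFC2253 -in "$crt" 2>/dev/null \
          | sed -n 's/.*CN=\([^,]*\).*/\1/p')"
    [ "$cn" = "$host" ] || { echo "CN '$cn' does not match '$host'" >&2; rc=1; }

    # Not expired now; warn if it expires within 30 days (2592000 s).
    openssl x509 -noout -checkend 0 -in "$crt" >/dev/null 2>&1 \
        || { echo "$crt has expired" >&2; rc=1; }
    openssl x509 -noout -checkend 2592000 -in "$crt" >/dev/null 2>&1 \
        || echo "warning: $crt expires within 30 days" >&2

    # The key belongs to the cert only if the RSA moduli are identical.
    m1="$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null)"
    m2="$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)"
    [ -n "$m1" ] && [ "$m1" = "$m2" ] \
        || { echo "$key does not match $crt" >&2; rc=1; }

    # Private key must not be readable by "other" (chars 8-10 of the ls mode).
    o="$(ls -ld "$key" | cut -c8-10)"
    [ "$o" = "---" ] || { echo "$key is world-readable (other bits: $o)" >&2; rc=1; }

    return "$rc"
}

# Usage against the paths this page installs to:
#   check_cert_key /etc/pki/tls/certs/your.host.crt \
#                  /etc/pki/tls/private/your.host.key "$(hostname -f)"
```

    Run check_cert_key after copying files into /etc/pki/tls and before restarting httpd; a key that does not match the cert or a second cert appended to the file is exactly what produces the httpd-related "Could not send Message" failures listed in section 7.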
    
    
  5. To install/replace the CERT on the FDT server

    The cert and the key are stored under:
        /home/dynes/FDTAgent/conf/OSCARS.jks
    
    To import a new certificate and the key:
    1) Go to /home/dynes/FDTAgent/bin
    2) Import the certs using the `dynesfdt cert` command:
    
    ./dynesfdt cert -import -key </path/to/private/key> -cert </path/to/cert>
    
    The certs will be imported under a new file
      (in case the user wants to backup the previous one):
    
    /home/dynes/FDTAgent/conf/OSCARS.jks.NEW
    
    This file must be copied over:
    /home/dynes/FDTAgent/conf/OSCARS.jks
    
    3) To list the certificate currently installed in the OSCARS.jks file:
    ./dynesfdt cert
    
    should print the certificate and the validity.
    
    
  6. Virtual Machine Issues

    The IDC platform runs one or more virtual machines. Each VM typically runs an instance of OSCARS along with the software that controls the DYNES switch. The running process is /usr/libexec/qemu-kvm (it shows up in top as qemu-kvm). To kill and restart a VM use virsh shutdown and virsh start on its domain (see below); service libvirtd restart restarts the management daemon if virsh can no longer connect to it.
    
    Some useful VM related commands:
    
      Command                  Function
      virsh                    The virsh program is the main interface for managing virsh guest domains.
                               See man virsh for details.
      virsh list --all         List all the VMs.
      virsh start <domain>     Start the domain (either by name or by the number given by virsh list --all)
      virsh shutdown <domain>  Shutdown the domain
      virsh console <domain>   Connect to the VM's console. Ctrl-] to exit.
      virsh autostart <domain> Set the domain to automatically start at boot time.
      virsh edit <domain>      Edit the domain's XML.
      virsh dominfo <domain>   Print out info about the domain.
    
    The XML files for each domain are at /etc/libvirt/qemu. Setting a domain to autostart puts a link to the aforementioned XML file in /etc/libvirt/qemu/autostart. To stop a domain from autostarting delete the link.
    
    yum install libguestfs-tools will install a set of useful VM related tools. Please see http://libguestfs.org/.
    
    
  7. OSCARS Error Messages

    More information about errors can be retrieved from the log files in /var/log/oscars. The GRI (e.g., dynes.internet2.edu-505) can be used to narrow down the search. Another place to look is /var/log/httpd (typically in ssl_error_log).
    
    +------------------------------------------------------------------------------------------------------+
    
    Error Code	REQUEST_TIMED_OUT
    Error Message	Watchdog Terminated CreatePath-dynes.internet2.edu-522 in status INSETUP
    Error Type	system
    
    +------------------------------------------------------------------------------------------------------+
    
    Error Code	COULD_NOT_CONNECT
    Error Message	OSCARSSoapService.invoke:Exception connecting to setup on https://vm-i2lab.dynes.internet2.edu/idc/idc.cgi Message is: Could not send Message.
    Error Type	system
    Error Code	PATH_TEARDOWN_FAILED
    Error Message	PSSReplyRequest.execute no CreatePathRequest,TearDownPathRequest or CancelReservation associated with this PSSReply
    Error Type	system
    
    This error is almost always due to a problem with httpd on the VM. Check that the cert and key are valid and belong together (cert in /etc/pki/tls/certs, key in /etc/pki/tls/private) and that the paths to both are set in /etc/httpd/conf.d/ssl.conf.
    
    +------------------------------------------------------------------------------------------------------+
    
    Error Code	RESERVATION_CREATE_FAILED
    Error Message	There are no VLANs available on link al2s.net.internet2.edu:sdn-sw.ashb.net.internet2.edu:et-3/0/0.0:uva on reservation dynes.internet2.edu-520 in VLAN PCE
    Error Type	RESERVATION_CREATE_FAILED
    
    This error means that no VLAN the reservation could use on that link is free: either the VLAN specified in the setup is already in use, or, if a range was given, every VLAN in the range is. Choose a VLAN that is free on that link.
    
    +------------------------------------------------------------------------------------------------------+
    
    Error Code	PATH_TEARDOWN_FAILED
    Error Message	PSSReplyRequest.execute no CreatePathRequest,TearDownPathRequest or CancelReservation associated with this PSSReply
    Error Type	system
    
    +------------------------------------------------------------------------------------------------------+
    
    Error Code	REQUEST_TIMED_OUT
    Error Message	Watchdog Terminated createReservation in status INPATHCALCULATION
    Error Type	system
    
    This usually means there's a problem with a site's topology file. As mentioned above, the information in the topology file at each end of a circuit being set up must match EXACTLY. Topology files can be viewed at https://ndb7.net.internet2.edu/TopologyViewer/. You need to enter the domain of the site as configured in DYNES. Unfortunately there isn't a standard naming convention.
    
    +------------------------------------------------------------------------------------------------------+
    
    Error Code	PCE_CREATE_FAILED
    Error Message	Unable to find link with id al2s.net.internet2.edu:sdn-sw.ashb.net.internet2.edu:et-3/0/0.0:* on reservation dynes.internet2.edu-505 in Dijkstra PCE
    Error Type	user
    
    Another instance of a problem with a topology file.
    
    +------------------------------------------------------------------------------------------------------+
    
    Error Code	COULD_NOT_CONNECT
    Error Message	OSCARSSoapService.invoke:Exception connecting to setup on https://vm-i2lab.dynes.internet2.edu/idc/idc.cgi Message is: Could not send Message.
    Error Type	system
    Error Code	PATH_TEARDOWN_FAILED
    Error Message	PSSReplyRequest.execute no CreatePathRequest,TearDownPathRequest or CancelReservation associated with this PSSReply
    Error Type	system
    
    This error can be due to a problem with httpd on the local host but can also be due to a problem with the X509 certs. When two sites peer (e.g., your site and Internet2) each site must configure the X509 owner and issuer information of the other site in OSCARS. On the local site the user id corresponding to the peer site must have the peer's owner and issuer information entered. Likewise the peer site must enter your site's information into its OSCARS. When Internet2 is the peer, a ticket sent to the Internet2 NOC (noc@internet2.edu) will trigger the set up process.
    
    +------------------------------------------------------------------------------------------------------+
    
    Error Code	RESERVATION_CREATE_FAILED
    Error Message	OSCARSSoapService.invoke:Exception connecting to createReservation on https://localhost.localdomain:9002/OSCARSInternal Message is: net.es.oscars.utils.soap.OSCARSServiceException: no location for IDC controlling domain whatever.edu
    Error Type	RESERVATION_CREATE_FAILED
    
    In at least one case this was due to a typo in the command that set up the site's IDC on the peer idc:
    
    # /opt/oscars/lookup/bin/oscars-idclist
    Loading manifest from /etc/oscars/LookupService/conf/manifest.yaml
    
    ID: 2
    Type: IDC
    Expiration: NEVER
    Protocols:
        Type: http://oscars.es.net/OSCARS/06
        Location: https://al2s.net.internet2.edu:9001/OSCARS
    Relationships:
        [controls] urn:ogf:network:domain=al2s.net.internet2.edu
    
    Check that the protocol Type: is exactly http://oscars.es.net/OSCARS/06 (this is a namespace identifier, spelled with http; it is not a URL that gets fetched) and that Location: is an https URL (not http). The listing above is correct; a typo in the oscars-idcadd arguments produces the "no location for IDC" error.
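    That check is easy to automate. The shell function below is an added example (not an OSCARS tool): it reads oscars-idclist output on stdin and flags every record whose protocol Type is not the OSCARS/06 namespace string or whose Location is not https. The sample listing is constructed for the example; its ID 2 is the correct entry shown above and its ID 3 is invented, with Type and Location spelled the wrong way round, to show what a failure looks like.

```shell
#!/bin/sh
# Added example (not part of OSCARS): scan oscars-idclist output for the two
# mistakes described above. In every "ID:" record the protocol block must have
#   Type:     http://oscars.es.net/OSCARS/06   (a namespace string, literally http)
#   Location: https://...                      (the endpoint, must be https)
# Reads the listing on stdin, prints one line per problem, returns 1 if any.
check_idclist() {
    awk '
        function flush() {
            if (id == "") return
            if (ptype != "http://oscars.es.net/OSCARS/06") {
                printf "ID %s (%s): protocol Type is \"%s\"\n", id, dom, ptype; bad++
            }
            if (loc !~ /^https:\/\//) {
                printf "ID %s (%s): Location %s is not https\n", id, dom, loc; bad++
            }
            id = ""; ptype = ""; loc = ""; dom = ""
        }
        /^ID:/                    { flush(); id = $2; inproto = 0 }
        /^Protocols:/             { inproto = 1 }
        /^Relationships:/         { inproto = 0 }
        /^ *Type:/ && inproto     { ptype = $2 }
        /^ *Location:/            { loc = $2 }
        /\[controls\]/            { sub(/.*domain=/, ""); dom = $0 }
        END                       { flush(); if (bad) exit 1 }
    '
}

# Constructed sample listing: ID 2 is the correct entry shown above, ID 3 has
# Type and Location spelled the wrong way round (the typo case).
SAMPLE_IDCLIST='Loading manifest from /etc/oscars/LookupService/conf/manifest.yaml

ID: 2
Type: IDC
Expiration: NEVER
Protocols:
    Type: http://oscars.es.net/OSCARS/06
    Location: https://al2s.net.internet2.edu:9001/OSCARS
Relationships:
    [controls] urn:ogf:network:domain=al2s.net.internet2.edu

ID: 3
Type: IDC
Expiration: NEVER
Protocols:
    Type: https://oscars.es.net/OSCARS/06
    Location: http://idc.example.edu:9001/OSCARS
Relationships:
    [controls] urn:ogf:network:domain=example.edu
'

# On a live IDC:   /opt/oscars/lookup/bin/oscars-idclist | check_idclist
# With the sample: printf '%s' "$SAMPLE_IDCLIST" | check_idclist
```

    The function only reports; fixing an entry is still done with oscars-idcmod (or oscars-idcdel followed by oscars-idcadd) as described in section 13.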
    
    +------------------------------------------------------------------------------------------------------+
    
    This error might occur when running the BridgePSS (i.e., not OESS).
    
    Error Code	CONFIGURATION_ERROR
    Error Message	Could not locate config generator for device <your switch> java.lang.ClassNotFoundException: net.es.oscars.pss.bridge.dell.DellConfigGen
    Error Type	system
    
    The file /etc/oscars/PSSService/conf/defs-models.yaml needs this:
    
    - id: "dell"
      services:
        - id:               bridge
          configGenerator:  "net.es.oscars.pss.bridge.generic.GenericConfigGen"
          templateConfig:
            templates:
              "SETUP":          "dell-setup.txt"
              "TEARDOWN":       "dell-teardown.txt"
              "MODIFY":         ""
              "STATUS":         ""
    
    The two templates named above must be in /etc/oscars/PSSService/conf/templates/.
    
    cat dell-setup.txt
    configure terminal
    
    class-map match-all class-map-vlan-${vlan} ipv4
              match vlan ${vlan}
    exit
    
    policy-map policy-map-vlan-${vlan} in
               class class-map-vlan-${vlan}
                     police-simple ${bandwidth}000 128 conform-action transmit violate-action drop
               exit
    exit
    
    
    interface ${portA}
              service-policy in policy-map-vlan-${vlan}
              switchport trunk allowed vlan add ${vlan}
    exit
    
    interface ${portZ}
              service-policy in policy-map-vlan-${vlan}
              switchport trunk allowed vlan add ${vlan}
    exit
    
    exit
    
    cat dell-teardown.txt
    configure terminal
    
    interface ${portA}
    no service-policy in policy-map-vlan-${vlan}
    switchport trunk allowed vlan remove ${vlan}
    exit
    
    interface ${portZ}
    no service-policy in policy-map-vlan-${vlan}
    switchport trunk allowed vlan remove ${vlan}
    exit
    
    no policy-map policy-map-vlan-${vlan}
    
    no class-map class-map-vlan-${vlan}
    
    exit
    
    +------------------------------------------------------------------------------------------------------+
    
    This error can indicate an expired cert. It means one OSCARS instance was not able to talk to another.
    
    Error Code  COULD_NOT_CONNECT
    Error Message OSCARSSoapService.invoke:Exception connecting to createReservation on https://al2s.net.internet2.edu:9001/OSCARS Message is: Problem writing SAAJ model to stream
    Error  Type system
    
    Check the validity dates of the CERTs in both places:
    
    -- the cert used by httpd, in /etc/pki/tls/certs
    keytool -printcert -file /etc/pki/tls/certs/<your_cert.crt> | egrep "Owner:|Issuer:|Valid"
    
    -- the cert in the keystores, in /etc/oscars/keystores (don't forget localhost.jks)
    keytool -list -v -alias mykey -keystore /etc/oscars/keystores/oscars.jks | egrep "Owner|Issuer|Valid"
    
    +------------------------------------------------------------------------------------------------------+
     
  8. Instructions on how to interact with the OESS database

    OESS data is stored in a mysql database. It should not be necessary to query or change this information but just in case...
    
    # mysql -u root -p
    Enter password: <password should be the same as the root password>
    
    mysql> use oess;
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with \-A
    
    Database changed
    mysql> show tables;
    +-----------------------------------+
    | Tables_in_oess |
    +-----------------------------------+
    | circuit |
    | circuit_edge_interface_membership |
    | circuit_edge_mac_address |
    | circuit_instantiation |
    | interface |
    | interface_acl |
    | interface_instantiation |
    | link |
    | link_instantiation |
    | link_path_membership |
    | network |
    | node |
    | node_instantiation |
    | oess_version |
    | path |
    | path_instantiation |
    | path_instantiation_vlan_ids |
    | remote_auth |
    | scheduled_action |
    | schema_version |
    | urn |
    | user |
    | user_workgroup_membership |
    | workgroup |
    | workgroup_node_membership |
    +-----------------------------------+
    25 rows in set (0.00 sec)
    
    mysql> describe oess_version;
    +---------+-------------+------+-----+---------+-------+
    | Field   | Type        | Null | Key | Default | Extra |
    +---------+-------------+------+-----+---------+-------+
    | version | varchar(32) | YES  |     | NULL    |       |
    +---------+-------------+------+-----+---------+-------+
    1 row in set (0.00 sec)
    
    mysql> select version from oess_version;
    +---------+
    | version |
    +---------+
    | 1.1.4   |
    +---------+
    1 row in set (0.00 sec)
    
    
    
  9. Error in signature with X509Token

    Log into your OSCARS UI (https://idc.net.<site>.edu:8443/OSCARS/), look up the reservation and examine the error message. Since the error concerns the X509Token (the peer's certificate), the places to look are the same as for the certificate-related COULD_NOT_CONNECT errors in section 7: the validity of the certs on both sides and the X.509 Subject and Issuer entered for the peer's OSCARS user (see section 13).
    
  10. Can't access both the IDC and FDT iDRAC using Firefox

    All Dell iDRACs use a certificate with the same issuer and serial number, and Firefox refuses a second certificate that reuses an issuer/serial it has already stored (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) without offering a way to ignore it and continue. The workaround is to delete the certs from the first iDRAC accessed or to use another browser. Details on removing the certs can be found here.

  11. Mistakenly "Decommissioned" the switch

    # mysql -u root -p
    Enter password: <enter mysql root password>
    mysql> use oess;
    mysql> select * from node; <- Your switch will likely be node_id=1
    
    Decommissioning the device sets an end_epoch on its row in the node_instantiation table; the row itself stays. You must log in to mysql as root.
    
    mysql> select * from node_instantiation;
    +---------+------------+-------------+----------------------+-------------+-----------------+
    | node_id | end_epoch  | start_epoch | management_addr_ipv4 | admin_state | dpid            |
    +---------+------------+-------------+----------------------+-------------+-----------------+
    |       1 | 1376100241 |  1374712867 |           2170417085 | active      | 281483173139793 |
    +---------+------------+-------------+----------------------+-------------+-----------------+
    1 row in set (0.00 sec)
    
    Set end_epoch back to -1 (no end time) and the node is active again:
    
    mysql> update node_instantiation set end_epoch =-1 where node_id =1;
    Query OK, 1 row affected (0.04 sec)
    Rows matched: 1 Changed: 1 Warnings: 0
    
    mysql> select * from node_instantiation;
    +---------+-----------+-------------+----------------------+-------------+-----------------+
    | node_id | end_epoch | start_epoch | management_addr_ipv4 | admin_state | dpid            |
    +---------+-----------+-------------+----------------------+-------------+-----------------+
    |       1 |        -1 |  1374712867 |           2170417085 | active      | 281483173139793 |
    +---------+-----------+-------------+----------------------+-------------+-----------------+
    1 row in set (0.00 sec)
    
  12. Reported by MAX

    Problem:
    -- Decommissioned the node
    -- Lost the node and could not rediscover
    -- Deleted oess database
    -- Reran oess_setup.pl to restore database to clean state
    -- Discovered and re-added the node and all interfaces
    -- Re-added the remote link and clicked "Submit Topology"
    
    This didn't re-submit the topology
    
    I believe the correct steps are:
    -- Go to the 'admin' page
    -- Click 'Workgroups' then choose 'OSCARS IDC'
    -- Add the new interfaces in "Allowed Edge Ports"
    -- Click "Remote Links" then click "Submit Topology"
    
  13. Change IDC peer link (needed if moving from ION OSCARS to AL2S OSCARS)

    -- NOTE!
    Be sure to specify https in the url of the IDC!
    
    Changing or adding a peer consists of the following steps:
    1. oscars-idcadd to add the new peer or oscars-idcdel to delete a peer
    2. in the OSCARS web ui add a new user for the new peer
        X.509 Subject
        X.509 Issuer
        Set Role to OSCARS-service
    3. If peering with Internet2, ask the NOC to add you as a peer.
        Send your domain and location for oscars-idcadd
        Send your X.509 Subject and Issuer
        Ask the NOC to add an OSCARS user with Role: OSCARS-service
    
    -- To display the current IDC peer(s)
    # /opt/oscars/lookup/bin/oscars-idclist
    
    -- This will list domain= under Relationships:
    -- Example output for Internet2 as the current peer
    --
    ID: 1
    Type: IDC
    Expiration: NEVER
    Protocols:
    Type: http://oscars.es.net/OSCARS/06
    Location: https://ion.net.internet2.edu:9001/OSCARS
    Relationships:
    [controls] urn:ogf:network:domain=ion.internet2.edu
    
    ID: 2
    Type: IDC
    Expiration: NEVER
    Protocols:
    Type: http://oscars.es.net/OSCARS/06
    Location: https://ion.net.internet2.edu:9001/OSCARS
    Relationships:
    [controls] urn:ogf:network:domain=ion.internet2.edu
    
    --
    -- To delete the current peer, specify -d with the domain= value shown under Relationships for that peer
    --
    # /opt/oscars/lookup/bin/oscars-idcdel
    ./oscars-idcdel
    A domain must me specified
    Option                                  Description
    ------                                  -----------
    -c, --context                           context in which to run the client
    -d, --domain                            required. the domain with the IDC to delete
    -h, --help                              prints this help screen
    -u, --url                               the URL of the OSCARS lookup module to contact
    --
    
    --
    -- Example: To delete the Internet2 ION IDC peer
    --
    # /opt/oscars/lookup/bin/oscars-idcdel  -d ion.internet2.edu
    
    --
    -- Now add the new peer
    -- Both -l location and -d domain must be specified
    --
    /opt/oscars/lookup/bin/oscars-idcadd
    A domain must me specified
    Option                                  Description
    ------                                  -----------
    -c, --context                           context in which to run the client
    -d, --domain                            required. the domain to add
    -h, --help                              prints this help screen
    -l, --location                          required. the URL of the IDC
    -p, --protocol                          the protocol spoken by the IDC. May be OSCARS5, OSCARS6, or a
                                            namespace URL. Defaults to OSCARS6.
    -u, --url                               the URL of the OSCARS lookup module to contact
    
    --
    -- Example: Add Internet2's AL2S as a peer
    --
    /opt/oscars/lookup/bin/oscars-idcadd -d al2s.net.internet2.edu -l https://al2s.net.internet2.edu:9001/OSCARS
    
    Note: The new peer must also do oscars-idcadd or equivalent.
    If Internet2 is being added as a peer please contact the Internet2 NOC and
    ask that they add your IDC as a peer and add an OSCARS user if needed.
    
    Send the NOC your location and domain information
    
      domain: dynes.internet2.edu
      location: https://vm-i2lab.dynes.internet2.edu:9001/OSCARS
    
    In addition, you must send the NOC your X.509 certificate Subject and Issuer.
    This must be a CA-signed certificate if peering with Internet2.
    
      Subject: CN=vm-i2lab.dynes.internet2.edu, O=Internet2, STREET=1000 Oakbrook Drive, STREET=Suite 300, L=Ann Arbor, ST=MI, OID.2.5.4.17=48104, C=US
      Issuer:  CN=InCommon Server CA, OU=InCommon, O=Internet2, C=US
    
    Lastly, you must add a user in the OSCARS User List for the new peer. For example,
    to add Internet2's AL2S OSCARS, create a new user, name it something meaningful.
    The password, first name, last name, email, and phone number can be your choice.
    
      X.509 Subject: CN=al2s.net.internet2.edu, OU=Internet2 NOC, O=Internet2, L=Bloomington, ST=Indiana, C=US
      X.509 Issuer:  CN=InCommon Server CA, OU=InCommon, O=Internet2, C=US
    
    Organization should be Internet2, create this if needed.
    
    Set the new user's role to:
    
      OSCARS-service -> make reservations and view topology
    
    Save/Modify this.
    
    
    --
    -- To modify a current peer's information.
    --
    # /opt/oscars/lookup/bin/oscars-idcmod
    A domain must me specified
    Option                                  Description
    ------                                  -----------
    -c, --context                           context in which to run the client
    -d, --domain                            required. the domain with the IDC to modify
    -h, --help                              prints this help screen
    -l, --location                          the URL of the IDC
    -p, --protocol                          the protocol spoken by the IDC. May be OSCARS5, OSCARS6, or a
                                            namespace URL. Defaults to OSCARS6.
    -u, --url                               the URL of the OSCARS lookup module to contact
    
  14. Errors due to OSCARS not being able to access localhost.jks or oscars.jks

    # Make sure both files are owned by the id oscars and, as below, readable by no one else
    # ll /etc/oscars/keystores/
    total 32
    -rw------- 1 oscars oscars 7083 Feb  4 19:30 localhost.jks
    -rw------- 1 oscars oscars 7083 Jan 17 16:48 oscars.jks
    
  15. Extract cert and key from oscars.jks

    # Find out what the alias is of the cert you want
    keytool -v -list -keystore oscars.jks
    
    # Extract cert from oscars.jks (see also below for extracting the cert from a .pem file)
    keytool -exportcert -alias <whatever> -rfc -keystore oscars.jks -file oscars.crt
    
    #
    # Extract the private key from oscars.jks
    #
    # -srckeypass may have to change depending on which jks file is being accessed
    keytool -v -importkeystore -srckeystore oscars.jks -srcstorepass changeit -srckeypass <password> -srcalias <whatever> -destkeystore temp.p12 -destalias mykey -deststorepass changeit -destkeypass changeit -deststoretype PKCS12
    
    # Turn the resulting pkcs12 file into a pem (enter changeit as the import password; the PEM pass
    # phrase it then asks for encrypts the key inside oscars.pem, which the openssl rsa step below removes)
    openssl pkcs12 -in temp.p12 -out oscars.pem
    
    # Turn the pem file into a key file
    openssl rsa -in oscars.pem -out oscars.key
    
    # The pem file can also give you the cert
    openssl x509 -in oscars.pem -out oscars.crt
    
    # Result is oscars.crt and oscars.key, which can be moved to /etc/pki/tls/certs and /etc/pki/tls/private
    # You may need to service httpd restart
    
    # To check that the key corresponds to the cert
    
    openssl x509 -noout -modulus -in oscars.crt |openssl md5
    openssl rsa -noout -modulus -in oscars.key |openssl md5
    
    
  16. Missing required permissions manifest attribute in main jar

    This might occur when trying to run the java iDRAC Virtual Console Client. (Click Details in the Application Error alert.)
    Solution:
    Start the Java Console (in System Preferences)
    Click Security tab
    Add site to Exception list, e.g. [http://idrac.site.edu:443]
    Set Security Level to Medium (remember to set it to High afterwards!)
    
  17. Set up remote dynes host to allow X11 interaction

    # Run XQuartz or equivalent on your base workstation. Do not use "xhost +": it disables X access control
    # for every host, and ssh forwarding uses xauth cookies, so no xhost change is needed.
    # On the remote host set X11Forwarding yes in /etc/ssh/sshd_config, then restart sshd:
    service sshd restart
    # Make sure xauth is available. If not:
    yum install xauth
    # Might want to add an innocuous X app for testing:
    yum install xclock
    # Back on your base workstation use -Y (trusted forwarding) on ssh. -X is the more restrictive form and
    # is enough for most apps; use -Y only if an app fails under -X.
    ssh -Y dynes@idc.yourhost.edu
    # This should result in the following message:
    /usr/bin/xauth:  creating new authority file /home/dynes/.Xauthority
    # To allow root to also run X11 apps (after su, with the same DISPLAY), copy the cookie file:
    cd
    cp ~dynes/.Xauthority .
    
    
  18. VM won't start

    #--- If you get errors like these when trying to manually start the VM on the IDC
    # virsh
    error: unable to connect to 'localhost:8000': Connection refused
    error: failed to connect to the hypervisor
    
    This may be due to a reload of the IDC loading a kernel with xen support. Look at /boot/grub/grub.conf and
    determine which kernel was chosen. The statement "default=0" selects the kernel. If the name includes "xen"
    then pick a different kernel and reboot.
    
    
  19. Resync OSCARS and OESS

    #--- OSCARS shows the circuit as either FAILED or UNKNOWN but it still appears in OESS
    
    # Find the circuit_id in the oess mysql database
    # Log in to vm as root
    
    mysql -u root -p
    # Enter password at the prompt
    
    mysql> use oess;
    mysql> select * from circuit where external_identifier ="iol.unh.edu-46"; # for this specific circuit
    or
    mysql> select * from circuit; # to display all circuits
    
    # It prints out the matched row. From this obtain the circuit_id and workgroup_id and copy the numbers down.
    # Here circuit_id = 66 and workgroup_id = 2
        
    +------------+-------------------------------------------------+-------------+--------------+---------------------+--------------------+------------+
    | circuit_id |               name                              | description | workgroup_id | external_identifier | restore_to_primary | static_mac |
    +------------+-------------------------------------------------+-------------+--------------+---------------------+--------------------+------------+
    |         66 | OSCARS DC-39b5bd22-1da6-11e4-b52f-5452005fb176  | Test        |            2 | iol.unh.edu-46      |                  0 |          0 |
    +------------+-------------------------------------------------+-------------+--------------+---------------------+--------------------+------------+     
    
    # In a Web browser window, open this URL:
         https://your_idc/oess/services/provisioning.cgi?action=remove_circuit&workgroup_id=2&circuit_id=66
    
    # The browser should show:
          {"results":[{"success":1}]}
    
    At this point the circuit has been removed from oess. It may still be configured on the switch. 
    To take care of that simply do this on the vm (as root):
    
    service oess restart 
    
    