Juniper Paragon Automation (On-premises) Installation guide

Brand: Juniper

Model: Paragon Automation (On-premises)

Type: Installation guide

This manual is also suitable for

Paragon Active Assurance (formerly Netrounds)

Paragon Acve Assurance Installaon

Guide

Published

2023-08-27

RELEASE

4.2

Table of Contents

Introducon

Prerequisites and Preparaons

Installing Required OS and Soware

Downloading Control Center and Test Agent Repositories

Installing Control Center and Related Tasks

Geng Started with Paragon Acve Assurance

Service Conguraon

Orchestraon with NETCONF & YANG

Troubleshoong

LDAP Authencaon

Introducon

Paragon Acve Assurance Control Center can either be hosted by Juniper Networks or be installed at

the customer site. This document describes how to perform an on-site installaon of Control Center, to

be operated and maintained by the customer's own sta.

Control Center is delivered as an applicaon that is installed on an exisng Ubuntu OS. (For precise OS

requirements, see the secon "Operang System Requirements" on page 5.)

Prerequisites and Preparaons

IN THIS SECTION

Hardware Requirements | 1

Disk Usage and Data Retenon Periods (RRDs) | 2

Disk Usage and Data Retenon Periods (TimescaleDB) | 3

Required Communicaon Ports | 4

Operang System Requirements | 5

Hardware Requirements

• Control Center in producon handling up to 2000 Test Agents and up to 20,000 acve streams:

• 8 vCPUs

• 40 GB RAM

• 2000 IOPS

• 1.5 TB disk space

• Control Center in producon handling up to 8000 Test Agents and up to 100,000 acve streams:

• 36 vCPUs

• 72 GB RAM

• 15,000 IOPS

• 7.5 TB disk space

• Lab trials of a Control Center with up to 20 Test Agents and up to 1000 acve streams:

• 2 vCPUs

• 8 GB RAM

• 100 IOPS

• 30 GB disk space

Deployments larger than the limits indicated for each case will require mulple Control Centers.

Disk Usage and Data Retenon Periods (RRDs)

Below is some data on disk space taken up when tesng various services. The total disk space required

for a service is calculated by mulplying with the number of streams.

Service tested Disk usage, standard resoluon Disk usage, high resoluon

TWAMP 3.6 MB 180 MB

Bidireconal UDP 2 x 1.5 MB = 3.0 MB 2 x 110 MB = 220 MB

The measurement data resoluons "standard" and "high" are dened according to the tables that follow.

As detailed below, each is composed of a set of progressively lower resoluons for progressively longer

me spans. The total number of data points is that stored in the me series database for each metric

from a stream for a me period of either one year (standard resoluon) or ve years (high resoluon).

When data points become older than that, they are purged from the database.

Standard resoluon

Data points are stored for one year.

The total number of data points is 13,566 (the sum of all entries in the Number of data points column).

This is the default resoluon in Paragon Acve Assurance.

Time span Data point resoluon Number of data points Percentage of data points

Last 12 hours 10 s 4,320 31.8%

Last 2 days 1 min 2,880 21.2%

Last week 5 min 2,016 14.9%

Last month 20 min 2,160 15.9%

Last year 4 h 2,190 16.1%

High resoluon

Data points are stored for ve years.

The total number of data points is 963,385.

Time span Data point resoluon Number of data points Percentage of data points

Last 90 days 10 s 777,600 80.7%

Last 1.5 years 5 min 157,680 16.4%

Last 3 years 1 h 26,280 2.7%

Last 5 years 1 day = 24 h 1,825 0.2%

Disk Usage and Data Retenon Periods (TimescaleDB)

The table below shows the number of data points and retenon periods for TimescaleDB rollups used

for monitor data. Data for tests are not rolled up, nor are they automacally deleted over me.

Granularity Default retenon period Number of data points

10 s (raw) 3 days 25,920

1 min 7 days 10,080

5 min 30 days 8,640

(Connued)

Granularity Default retenon period Number of data points

30 min 180 days 8,640

1 h 365 days 8,760

Required Communicaon Ports

When conguring a rewall, trac on the following ports needs to be allowed to and from Control

Center.

• Inbound:

• TCP port 443 (HTTPS): Web interface

• TCP port 80 (HTTP): Web interface (used by Speedtest, redirects other URLs to HTTPS)

• TCP port 6000 (default): Encrypted OpenVPN connecon for Test Agent Appliances

• TCP port 6800: Encrypted WebSocket connecon for Test Agent Applicaons

• Outbound:

• TCP port 25 (SMTP): Mail delivery

• UDP port 162 (SNMP): Sending SNMP traps for alarms

• UDP port 123 (NTP): Time synchronizaon

Advanced:

As menoned above, the communicaon between the Test Agent Appliance and Control

Center is done over an OpenVPN tunnel on port 6000. If you want to rewall this OpenVPN connecon

running on the tun0 tunnel interface, you must allow these ports:

• Inbound:

• TCP port 4334: General interacon with Test Agents

• HTTP port 80: Test Agent rmware update requests

• Outbound:

• TCP port 4334: General interacon with Test Agents

Operang System Requirements

• Ubuntu Server 22.04 LTS

A major release of Control Center will be "locked" to a version of the base OS, so a patch release of

Control Center will not support a newer base OS than the original version.

Installing Required OS and Soware

NOTE: Please note that this only describes a "fresh install". For upgrades, please refer to the

Upgrade Guide

1. Install a clean Ubuntu 18.04 server.

• The system user name does not maer,

except

that the name "netrounds" is not allowed since

PostgreSQL creates a user with that name (as described in "this paragraph" on page 7).

• Install only standard components (do not change the default selecon).

• The following disk paroning is recommended, especially for snapshot backups (but it is up to

you as a user to decide):

• Recommended paroning for lab setup:

•/: Whole disk, ext4.

• Recommended paroning for producon setup:

•/: 10% of disk space, ext4.

•/var: 10% of disk space, ext4.

•/var/lib/netrounds/rrd (this includes TimescaleDB if you make use of that technology): 80% of

disk space, ext4.

• No encrypon

• Set the me zone to UTC, for example as follows:

sudo timedatectl set-timezone Etc/UTC

• Set all locales to en_US.UTF-8.

• One way to do this is to manually edit the le /etc/default/locale. Example:

LANG=en_US.UTF-8

LC_ALL=en_US.UTF-8

LANGUAGE=en_US.UTF-8

• Make sure the following line is NOT commented out in the le /etc/locale.gen:

en_US.UTF-8 UTF-8

• Regenerate the locale les to make sure selected language is available:

sudo apt-get install locales

sudo locale-gen

2. Install NTP:

• First disable timedatectl:

sudo timedatectl set-ntp no

• Run this command:

timedatectl

and verify that

systemd-timesyncd.service active: no

• Now you can run the NTP installaon:

sudo apt-get update

sudo apt-get install ntp

• Make sure that the congured NTP servers are reachable:

ntpq -np

The "reach" value should normally be "all ones" expressed in octal.

(In the output, the "reach" value for the NTP servers is an octal value indicang the outcome of

the last eight NTP transacons. If all eight were successful, the value will be octal 377 [= binary

0b11111111]. However, when you have just installed NTP, it is likely that fewer than eight NTP

transacons have occurred, so that the value will be smaller: one of 1, 3, 7, 17, 37, 77, or 177 if all

transacons were successful.)

3. Install PostgreSQL, set up a user for Control Center, and create databases:

sudo apt-get update

sudo apt-get install postgresql

sudo -u postgres psql -c "CREATE ROLE netrounds WITH ENCRYPTED PASSWORD 'netrounds' SUPERUSER

sudo -u postgres psql -c "CREATE DATABASE netrounds OWNER netrounds ENCODING 'UTF8' TEMPLATE

'template0';"

Using an external PostgreSQL server is not recommended.

4. Install and congure an email server.

• Control Center will send emails to users:

• when they are invited to an account,

• when sending email alarms (i.e. if email rather than SNMP is used for this purpose), and

• when sending periodic reports.

• Run the command

sudo apt-get install postfix

• For a simple setup where postx can send directly to the desnaon email server, you can set

General type of mail conguraon to "Internet Site", and System mail name can usually be le as-

is. Otherwise, postx needs to be congured according to the environment. For guidance, refer to

the ocial Ubuntu documentaon at ubuntu.com/server/docs/mail-postx.

Downloading Control Center and Test Agent

Repositories

These are the requisite les:

• Control Center

paa-control-center_4.2.0.54.tar.gz

• Test Agent repositories

paa-test-agent_4.2.0.34_all.deb

paa-test-agent-application_4.2.0.20_all.deb

• Plugin package

paa-test-agent-plugins_4.2.0.29_all.deb

This soware is available at support.juniper.net/support/downloads (search for "Paragon Acve

Assurance").

Also click the Checksums link for each le and note down the SHA256 checksum. These will be used to

verify the integrity of the downloaded les (as detailed in the chapter "Installing Control Center and

Related Tasks" on page 8).

Installing Control Center and Related Tasks

IN THIS SECTION

Standard Procedure | 9

Installing ConfD | 11

Standard Procedure

1. Install Control Center.

export CC_BUILD=4.2.0.54

# Compute the SHA256 checksum for the tar file and verify that it is equal to the SHA256

# checksum provided on the download page

sha256sum paa-control-center_${CC_BUILD}.tar.gz

# Unpack the tarball

tar -xzf paa-control-center_${CC_BUILD}.tar.gz

# Make sure packages are up to date

sudo apt-get update

# Start the installation

sudo apt-get install ./paa-control-center_${CC_BUILD}/*.deb

An error "Download is performed unsandboxed as root ..." may occur during this installaon. This is a

harmless warning which can be ignored.

2. Run the database migraon.

NOTE: This is a sensive command, and care should be taken when execung it on a remote

machine. In such a scenario it is strongly recommended that you use a program like screen

(generally installed by default on popular Linux distribuons) or tmux (run sudo apt-get install

tmux to install) so that the migrate command will connue running even if the ssh session

breaks.

sudo ncc migrate

The ncc migrate command takes considerable me to execute (many minutes). It should print the

following (details omied below):

Migrating database...

Operations to perform:

<...>

Synchronizing apps without migrations:

<...>

Running migrations:

<...>

Processing models <...>:

<...>

Migrating plugin service database...

<...>

Creating cache table...

<...>

Syncing test scripts...

Pre-creating kafka topics...

<...>

When the migraon has nished, restart all Paragon Acve Assurance services:

sudo ncc services restart

3. Install the Test Agent repositories and plugins.

The plugins are used by Test Agent Applicaons.

export TA_APPLIANCE_BUILD=4.2.0.34

export TA_APPLICATION_BUILD=4.2.0.20

export PLUGIN_BUILD=4.2.0.29

# Compute SHA256 checksums for the repositories and verify that they match the

# SHA256 checksums provided on the download page

sha256sum paa-test-agent_${TA_APPLIANCE_BUILD}_all.deb

sha256sum paa-test-agent-application_${TA_APPLICATION_BUILD}_all.deb

sha256sum paa-test-agent-plugins_${PLUGIN_BUILD}_all.deb

# Start the installation

sudo apt-get install ./paa-test-agent_${TA_APPLIANCE_BUILD}_all.deb

sudo apt-get install ./paa-test-agent-application_${TA_APPLICATION_BUILD}_all.deb

sudo apt-get install ./paa-test-agent-plugins_${PLUGIN_BUILD}_all.deb

NOTE: A message similar to the following may appear during plugin installaon. It can safely

be ignored.

W: APT had planned for dpkg to do more than it reported back (0 vs 4).

Affected packages: paa-test-agent-plugins:amd64

4. In the le /etc/netrounds/netrounds.conf, assign a URL to Control Center by seng SITE_URL appropriately.

This URL is displayed for example in emails and reports.

Restart all Paragon Acve Assurance services for this change to take eect:

sudo ncc services restart

This concludes the installaon of Control Center. Before you can log in to the system you also need to

go through the chapter "Geng Started with Paragon Acve Assurance" on page 12.

Installing ConfD

This installaon is needed only if you want to use the NETCONF & YANG API to communicate with

Control Center. For full details on this topic, see the document

NETCONF & YANG API Orchestraon

Guide

ConfD (a product from Tail-f) is used as an intermediary between the Paragon Acve Assurance system

and NETCONF. ConfD connects Paragon Acve Assurance conguraon and operaonal data to the

NETCONF & YANG API.

ConfD must be installed aer Control Center has been installed.

Proceed as follows:

1. Get the Paragon Acve Assurance NETCONF & YANG tarball:

export CC_BUILD=4.2.0.54

paa-netconf-yang_${CC_BUILD}.tar.gz

2. Compute the SHA256 checksum for the tar le and verify that it matches the SHA256 checksum

provided on the download page:

sha256sum paa-netconf-yang_${CC_BUILD}.tar.gz

3. Unpack the tarball:

tar -xzf paa-netconf-yang_${CC_BUILD}.tar.gz

4. Install the paa-netconf-yang package:

sudo apt-get install ./paa-netconf-yang_${CC_BUILD}/*.deb

Some conguraon is needed once you have set up your Paragon Acve Assurance account; see the

"Geng Started" on page 16 page.

Geng Started with Paragon Acve Assurance

1. Create a user in Control Center by running this command:

ncc user-create <email> --password

Example: [email protected]

2. Create an account in Paragon Acve Assurance with the user just created as owner:

ncc account-create --owner <email> --name "<full name of product account>" <short name of

product account>

Example: Full name = "Example Corporation", short name = example.

The full name should be enclosed in double quotes. If it is not, any spaces in the name must be

escaped with "\".

In the short name, only the following characters are allowed: a-z, 0-9, "-", and "_".

NOTE: The account names are not the same as the owner's or some other user's personal

name. The short account name will be used (for example) in the Control Center URL, while the

full account name is what will normally be displayed to the user.

The ncc account-create command should normally be run only once, since by default you will have only

one account in Paragon Acve Assurance. The user specied as owner automacally gets admin

permissions on the account.

3. Acvate licenses.

Control Center will not be fully operaonal unl valid licenses have been acvated. Follow these

steps to acvate licenses:

• Generate a UUID string with the command

ncc license license-request

You will need this UUID later on.

• Log in to the Juniper EMS Portal at license.juniper.net/licensemanage/ with the credenals you

have received from Juniper.

• In the My Product Licenses view, expand My Entlements.

• You will typically have a set of entlements. The contents of the set may vary, but will include

some of the following:

• Control Center (generic)

• Control Center with a given feature er (Standard, Advanced, or Premium) and a specied

number of tenants (= accounts), also encompassing Test Agents

• A given number of

streams

entling you to use product features

• A set of entlements for each of a number of Test Agents, licensed separately.

• For each entlement that you want to acvate (it is possible to acvate only a subset), do the

following:

• Click the Acvate buon on the right.

• In the dialog that appears, under Soware Version, select 3.0 and Above.

• The eld Universal Unique ID (UUID) appears. Enter the UUID string you generated in Control

Center.

• Check the box I Agree with Terms & Condions.

• Click the Acvate buon at the boom of the screen.

• A license key will now be generated. Download it and save it as a plain-text le with a

descripve name, for example, cc_license.txt for the Control Center license.

You will thus end up with a set of license les in plain-text format.

NOTE: It is vital that you enter the UUID exactly as received from Juniper, using the standard

UUID format in lowercase with hyphens: for example, 0a1b2c3d-4e5f-6789-a0b1-c2d3e4f5678.

NOTE: If the acvaon of a license failed for some reason, for example because you mistyped

the UUID, you can click the Revoke buon in the My Product Licenses view (under My

Acvaons) to revoke the license. You then need to start over with the ncc license license-

request command as described above.

• Now acvate the licenses in Control Center. You can do this for all license les at once as follows:

cat [list license files here] > all-licenses.txt

ncc license activate all-licenses.txt

Alternavely, run the command ncc license activate for each license le in turn.

This step is necessary in order to give the correct permissions to the account you just created. By

default the account will be granted the full range of permissions granted by your licenses.

•

(Normally not needed:)

If you are using a

proxy

together with Control Center, you need to enter

the following addional line in the le /etc/environment:

"no_proxy=localhost, 127.0.0.1"

This is necessary for the license manager to work correctly, so that the product licenses can be

acvated.

4. You are now ready to log in to Control Center with a user and account that you have created.

•Open the URLSITE_URL in your browser and log in with the credenals specied when creang the

user.

NOTE: By default, Control Center including the REST API uses self-signed (snakeoil) SSL

cercates. The web browser will issue a warning about this. It is strongly advised that you

obtain real cercates (signed by a cercate authority). See also the chapter Service

Conguraon, secon "SSL Cercate Conguraon" on page 19.

5. An account in Control Center is like a tenant that mulple users can have access to. Creang

addional users can be done either from the command line or in the Control Center web GUI:

• To create new users from the command line, repeat the command

ncc user-create <email> --password

with dierent email addresses as desired.

To grant a user permissions on your Paragon Acve Assurance account, use the command

ncc user-permission <email> <short name of product account> <permission>

where <permission> is one of "none", "read", "write", or "admin".

• To invite new users and grant them permissions via the Control Center web GUI, go to Account >

Permissions.

For details on what a user is allowed to do at each permission level, see the in-app help under

"Seng up your account" > "Administering users and permissions".

6. If you have a license allowing mulple accounts, you can create further accounts by using the

command

ncc account-create --owner <email> --name "<full name of product account>" <short name of

product account>

as detailed "above" on page 12. If the admin of such an account is to be the same as for the rst

account, simply assign the same user as owner; there is then no need to create an addional user.

7. If you have installed ConfD, you need to congure users as follows:

• Add permissions to the ConfD user in the Paragon Acve Assurance account that will be managed

by ConfD. This can be done either in the Control Center web GUI or from the command line. In

the laer case, give the following command:

ncc user-permission [email protected] <account> admin

• To enable access from NETCONF, a user and password need to be set up. Run this command:

sudo /opt/netrounds-confd/ncc-netconf user create --username=<user name> --

password=<password>

Here, <user name> and <password> are unrelated to your Control Center user name and password. A

simple expedient is to use "confd" for both.

8. Please turn to the in-app help under "Test Agents" for instrucons on how to download, install,

• Download and installaon on various plaorms (including virtualizaon plaorms): "Test Agents"

> "Installaon"

NOTE: For installing Test Agent Applicaons on Juniper routers, please turn to the Junos®

OS Evolved Soware Installaon and Upgrade Guide. This document is found in

TechLibrary under "Junos OS Evolved". Follow the links provided in the in-app help.

•Registraon: "Test Agents" > "Conguring from Test Agent local console" > "Registraon"

•Conguraon:

• From the Test Agent local console: "Test Agents" > "Conguring from Test Agent local console"

• From the Paragon Acve Assurance GUI: "Test Agents" > "Conguring from Paragon Acve

Assurance GUI"

You access the in-app help by clicking the queson mark at top right in the Paragon Acve Assurance

GUI.

Service Conguraon

IN THIS SECTION

Main Sengs File | 18

SSL Cercate Conguraon | 19

Apache | 20

TimescaleDB Conguraon | 20

Plugin Service Database Conguraon | 20

Conguraon of OpenVPN Keys | 21

HSTS Conguraon | 21

Conguring the Lifeme of REST API Tokens | 21

Liming the REST API Rate | 22

Conguring Password Strength | 22

Services are congured by eding various conguraon les, as detailed below. Go through this chapter

and congure your sengs as appropriate.

Summary of relevant conguraon les:

•/etc/apache2/sites-available/netrounds-ssl.conf

•/etc/apache2/sites-available/netrounds.conf

•/etc/environment

•/etc/netrounds/consolidated.yaml

•/etc/netrounds/metrics.yaml

•/etc/netrounds/netrounds.conf

•/etc/netrounds/plugin.yaml

•/etc/netrounds/probe-connect.conf

•/etc/netrounds/restol.conf

•/etc/netrounds/test-agent-gateway.yaml

•/etc/netrounds/timescaledb.conf

•/etc/openvpn/netrounds.conf

Main Sengs File

•/etc/netrounds/netrounds.conf

This le has inline documentaon and examples for all supported sengs. The SITE_URL seng is one

that

always needs to be modied

to get the correct URL to Control Center, for example in emails and

reports.

Summary of sengs in this le:

Page is loading ...

Juniper Paragon Automation (On-premises) Installation guide

Brand: Juniper

Model: Paragon Automation (On-premises)

Type: Installation guide

This manual is also suitable for

Paragon Active Assurance (formerly Netrounds)

Download PDF

report

Juniper Paragon Automation (On-premises) Installation guide

This manual is also suitable for

Juniper Paragon Automation (On-premises) Installation guide

Related papers

Other documents