Hitachi

JP1 Version 12 JP1/Network Node Manager i Setup Guide


14.5.1 Initial configuration of security and multi-tenancy in global network management

After global network management (GNM) is first configured, the regional manager updates the global manager with information about the nodes in the regional topology (according to the GNM configuration).

Topology synchronization with the Default Tenant only

For GNM environments with custom security groups and the Default Tenant, on the global manager all nodes managed remotely are added to the global manager topology with the following configuration:

  • Default Tenant

  • The security group that is set as the Initial Discovery Security Group for the Default Tenant

Topology synchronization with custom tenants

For GNM environments with custom security groups and custom tenants, on the global manager all nodes managed remotely are added to the global manager topology with the UUID of the tenant assigned to the node. If that tenant UUID does not exist on the global manager, the GNM processes create that tenant in the NNMi configuration of the global manager as follows:

  • The tenant UUID is the same value as on the regional manager.

  • The tenant name is the same value as on the regional manager.

  • The value of the Initial Discovery Security Group is set to the security group with the same name as the tenant. (NNMi creates this security group if it does not already exist on the global manager.)

As the node is added to the topology on the global manager, it is assigned to the Initial Discovery Security Group for the tenant UUID as configured on the global manager. That is, the security group association on the global manager is independent of the security group association on the regional manager.

Tip

The following are suggestions for simplifying security configuration on the global manager:

  • Maintain a spreadsheet or other record of the nodes managed by each regional manager. For each node, note the expected security group on the regional manager and the expected security group on the global manager. After GNM configuration completes, use the nnmsecurity.ovpl command to verify and update the security group assignments.

  • If the GNM environment will include multiple regional managers updating a single global manager, enable the GNM configuration from one regional manager at a time to the global manager.

  • If appropriate, you can change the value of the Initial Discovery Security Group of the Default Tenant (or a custom tenant) before adding each regional manager to the GNM configuration. Note that this approach can have mixed results if new nodes are being added to the topology on the previously configured regional managers.

  • Before enabling GNM, on the global manager set the Initial Discovery Security Group of each tenant used on the regional manager to be a private security group that operators cannot access. An administrator on the global manager then needs to explicitly move the nodes to the appropriate security groups for other NNMi console operators.
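
The following added example (not part of the Hitachi manual or of NNMi) applies the custom-tenant synchronization rules above to the per-node record suggested in the first tip, predicting which security group each node lands in on the global manager and which nodes an administrator must move. The CSV column names, tenant UUIDs, node names and security group names are constructed assumptions, and the script does not call nnmsecurity.ovpl.

```python
import csv
import io

# Constructed sample of the per-node record the tip describes (column names are assumptions).
RECORD_CSV = """node,tenant_uuid,tenant_name,regional_sg,expected_global_sg
rtr-east-01,uuid-a,TenantA,East Routers,GNM East
sw-east-02,uuid-a,TenantA,East Switches,GNM Quarantine
fw-west-01,uuid-b,TenantB,West Firewalls,GNM West
"""

# Constructed global manager state before sync: tenant UUID -> Initial Discovery Security Group.
GLOBAL_TENANTS = {"uuid-a": "GNM Quarantine"}
# Constructed set of security groups that operators on the global manager can access.
OPERATOR_GROUPS = {"GNM East", "GNM West", "TenantB"}


def landing_group(tenant_uuid, tenant_name, global_tenants):
    """Return (security group a synced node lands in, whether the tenant gets created)."""
    if tenant_uuid in global_tenants:
        # Existing tenant: the global manager's own Initial Discovery Security Group
        # applies, independent of the regional security group.
        return global_tenants[tenant_uuid], False
    # Unknown tenant UUID: GNM creates the tenant, and its Initial Discovery
    # Security Group is the security group with the same name as the tenant.
    return tenant_name, True


def review(record_csv, global_tenants, operator_groups):
    """Compare predicted landing groups with the recorded expectation for each node."""
    tenants = dict(global_tenants)  # copy, so created tenants persist across rows
    findings = []
    for row in csv.DictReader(io.StringIO(record_csv)):
        group, created = landing_group(row["tenant_uuid"], row["tenant_name"], tenants)
        if created:
            tenants[row["tenant_uuid"]] = group
        findings.append({
            "node": row["node"],
            "lands_in": group,
            "tenant_created": created,
            "needs_move": group != row["expected_global_sg"],
            # Node would be visible to operators in a group nobody intended for it.
            "exposed": group in operator_groups and group != row["expected_global_sg"],
        })
    return findings


if __name__ == "__main__":
    for f in review(RECORD_CSV, GLOBAL_TENANTS, OPERATOR_GROUPS):
        print(f)
```

In the constructed data, fw-west-01 is flagged as exposed because its tenant does not yet exist on the global manager, so it lands in a same-named security group that operators can already access.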