Broadband Provisioner exposes APIs for OSS and can also be administered through a web-based interface. Neither of these capabilities should be exposed to the public network. Although this step is not strictly necessary, if you expose your web and OSS interfaces to the public network then your customers will be able to make repeated attempts to log into your server through these mechanisms.

To prepare your system for a split service/admin configuration, you should have two NICs with separate IP addresses or one NIC with two separate IP addresses.

The Southbound interface is the one facing the public network. All subscriber traffic occurs through the southbound interface.

The Northbound interface is the one facing the administrative network. All web-based administration and OSS operations occur over the northbound interface.

Set Server Index

❗ If this is a single server install you can skip this section. There is no need to set the server index.

The default index is 0. Every server that will interoperate with another server must have a unique index. This index must be unique across all servers that can "see" each other.

⚠️ The server index may only be between 0 and 15!

To set this value, edit file /etc/dhcpt/dhcptd.conf:

system.index=0

Lock Remote Access port

This port can be anything you want, but it should be a pre-selected value so that we can configure it for firewalling. We assume port 5050 in the example below.

Edit the config file /etc/dhcpt/dhcptd.conf:

rconsole.listen_on=0.0.0.0:5050

Limit Public Access

You should configure the wsiwebui and wsiwsg daemons to listen on the Northbound interface only. These daemons provide the web interface and web API, and as such should not be accessible on the customer-facing network.

To change the listening interface, edit both files:

/etc/wsiwebui/wsiwebuid.conf
/etc/wsiwsg/wsiwsgd.conf

... and change this value in each file:

ssl.daemon.listen_on=[northbound ip address]

Configure Firewalling

Install UFW

sudo apt install ufw

Enable UFW

sudo ufw enable
sudo systemctl enable ufw
sudo systemctl start ufw

Open the service ports

sudo ufw allow 69/udp
sudo ufw allow 514/udp
sudo ufw allow 37/udp
sudo ufw allow proto udp to 0.0.0.0/0 port 67
sudo ufw allow proto udp to [::]/0 port 547

Open the interface ports (change northbound below to your administrative network):

sudo ufw allow from northbound to 5000/tcp
sudo ufw allow from northbound to 5005/tcp
sudo ufw allow from northbound to 5006/tcp
sudo ufw allow from northbound to 5050/tcp

❗ If your two servers cannot connect for replication, set rconsole.port=5067 in the DHCP server's configuration fle, and then add a firewall rule (same syntax as above) for this port.

Script Configuration

All scripts use a central configuration file located at /etc/wsi/wsi.cfg. You can set the user 'Admin' for the following settings or you can create a user account in Broadband Provisioner for scripts to use.

wsi_bp_api_user=Admin
wsi_bp_api_pass=some-password

Automatic Backups

Create directory /var/lib/wsi/database/db_backups, then edit the root user crontab and add the following line:

0 3 * * * /usr/bin/wsi_bp_backup.sh

Start the Services

sudo systemctl start dhcptd tftptd snmptd syslogtd todtd wsiwebuid wsiwsgd

Check Service Status

/usr/bin/wsi_show_services.sh

Open a web browser and point it at the address wsiweb is listening on, port 5005.

Configure CableLabs® auto-provisioning

Find the broadband_provisioner/configuration directory and execute:

dhcpti -p "" < /usr/share/broadband_provisioner/configuration/1.dhcp-cable-domains.txt
dhcpti -p "" < /usr/share/broadband_provisioner/configuration/2.dhcp-cable-policies.txt
dhcpti -p "" < /usr/share/broadband_provisioner/configuration/3.dhcp-cable-rules.txt
tftpti -p "" < /usr/share/broadband_provisioner/configuration/4.tftp-cm-packages.txt
tftpti -p "" < /usr/share/broadband_provisioner/configuration/5.tftp-mta-packages.txt

Enable SNMP for DOCSIS modems

The previous step created two SNMP policies in the TFTP server belonging to the CM domain. These policies are:

SNMP.Enabled (this policy is enabled by default)
SNMP.Disabled (this policy is disabled by default)

The first policy is used to enable SNMP on all modems, and the second policy is used to disable SNMP on all modems. Only one policy should be active at any time.

You should configure the following variables in each policy:

Set all 'docsDevNmAccessIp.N' to the management network address
Set all 'docsDevNmAccessIpMask' to the management network mask
Set all 'docsDevNmAccessCommunity.N' to the read and read/write communities if needed

Configuring Failover

Run dhcpti on the BACKUP server and enter this command:

set_system
mode=paused

Run dhcpti on the PRIMARY server and add a replication peer, assuming BACKUP is configured with two IP addresses, 192.168.6.6 (IPv4) and 2001:db8:0:2 (IPv6):

ON PRIMARY

insert_replicate_peer
classes=*
console_pass=
console_user=
description=
enabled=true
hb_monitor=192.168.6.6,2001:db8:0:2
logdir=backup1
mod_time=
target=192.168.6.6

Wait for the /var/lib/dhcptd/sync/backup1/resync directory to be removed. After removal, the backup is fully synchronized.

Run dhcpti on the BACKUP server and add a replication peer, assuming the PRIMARY is configured with two IP addresses, 192.168.6.3 (IPv4) and 2001:db8:0:1 (IPv6):

❗ This replication peer entry is initially disabled. This bypasses full automatic resync.

ON BACKUP

insert_replicate_peer
classes=*
console_pass=
console_user=
description=
enabled=false
hb_monitor=192.168.6.3,2001:db8:0:1
logdir=primary1
mod_time=
target=192.168.6.3

Note the OID of the new record, then update the record:

update_replicate_peer
where=T.oid=N
enabled=true

Run dhcpti on the BACKUP and set to standby mode:

set_system
mode=standby

Failover should now be fully functional.

Backup and Restore

Backup

gbak -g /var/lib/wsi/database/wsbp.fdb /var/lib/wsi/database/db_backups/wsbp.fbk

The resulting file is a backup, but it is not directly usable as a production database. Firebird will not even recognize it as a database, so you have to restore from this backup before you can use it.

❗ The -g option skips garbage collection, making the backup faster.

Restore

sudo gbak -c backup.fbk new-db.fdb

The source file for the restore +backup.fbk+ must be a gbak backup file that was originally created with gbak.

In the Event of Error

Manually invoking the database initializer

wsdbinit is responsible for creating the Broadband Provisioner database and/or updating its schema. This program is automatically run after the packages are installed, so there is rarely a need to run this program manually.

It's safe to run wsdbinit even if you already have a working database, but note that it may update your database schema.

⚠️ Ensure that no other processes are using the database before running this command.

sudo /usr/sbin/wsdbinit --config /etc/wsi/wsdbinit/bp.conf

Manually creating HTTPS certificates

An https certificate is automatically created after the wsiwebuid package is installed, so there is rarely a need to run this script manually.

To create an https certificate:

sudo /usr/bin/wsi_ssl_cert_gen.sh

Admin Interfaces