Overview
OpenClovis’s SAFplus Management Platform provides out-of-the-box comprehensive management functionality for your networking, computing and telecom products. Using your YANG (NETCONF) definition files, we provide NETCONF, SNMP, RESTCONF, and command line access protocols. The SAFplus manageability agents automatically route incoming requests to your applications, running anywhere on the cluster. And at development time, our software can read your YANG files, generating C++ objects for application instrumentation.
Features
Protocols
NETCONF: The SAFplus Management Platform uses the OpenYuma software to provide a NETCONF over SSH northbound interface
SNMP: The SAFplus Management Platform uses the Net-SNMP software to provide an SNMP northbound interface. SNMP v2, v2c or v3 operation is supported.
HTTP/HTTPS: The SAFplus Management Platform provides a REST API for access to Management data.
Access
- Any SSH capable NETCONF client and any v2, v2c or v3 SNMP client may be used.
- Any user program running on the network element may access the management information via C++ or Python APIs.
- The SAFplus Management CLI may also be used in either NETCONF or "local access" mode. In "local access" mode the CLI accesses the management information via direct API calls.
Configuration Management
The SAFplus Management data may be imported and exported to XML using the "safplus_db" application provided on the network element. This facility allows configuration to be saved, analyzed, and modified in a human-understandable format. It also allows configuration to be managed using document revision control systems (e.g. Subversion, Git, ClearCase), if desired.
Access Control
NETCONF authentication is via SSH, so user accounts defined at the Linux level are available as NETCONF logins. Users can be added to groups, and access permissions by group are available at the module, NETCONF operation, data element, and notification level as specified by the "Network Configuration Protocol (NETCONF) Access Control Model" (NACM, RFC 6536).
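The access control model referenced above is itself configured as data in the standard ietf-netconf-acm YANG module. The following is an added example of such a configuration, written for this page rather than taken from the SAFplus distribution; the group and user names (admins, operators, alice, bob, carol) are made up, and it assumes the interface configuration lives in the standard ietf-interfaces module.

```xml
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <!-- Defaults that apply when no rule matches; these are also the RFC 6536 defaults.
       Reads are open, writes and RPC execution are closed unless a rule permits them. -->
  <read-default>permit</read-default>
  <write-default>deny</write-default>
  <exec-default>deny</exec-default>

  <!-- Group membership is keyed on the (Linux) login name presented over SSH. -->
  <groups>
    <group>
      <name>admins</name>
      <user-name>bob</user-name>
    </group>
    <group>
      <name>operators</name>
      <user-name>alice</user-name>
      <user-name>carol</user-name>
    </group>
  </groups>

  <!-- Rule-lists are evaluated in order; within a list the first matching rule wins. -->
  <rule-list>
    <name>admins</name>
    <group>admins</group>
    <rule>
      <name>permit-all</name>
      <module-name>*</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>

  <rule-list>
    <name>operators</name>
    <group>operators</group>
    <!-- Protocol-operation rules: only these RPCs may be executed. Anything not listed
         (copy-config, kill-session, ...) falls back to exec-default and is refused;
         close-session is always permitted by the model itself. -->
    <rule>
      <name>permit-get</name>
      <module-name>ietf-netconf</module-name>
      <rpc-name>get</rpc-name>
      <access-operations>exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>permit-get-config</name>
      <module-name>ietf-netconf</module-name>
      <rpc-name>get-config</rpc-name>
      <access-operations>exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>permit-edit-config</name>
      <module-name>ietf-netconf</module-name>
      <rpc-name>edit-config</rpc-name>
      <access-operations>exec</access-operations>
      <action>permit</action>
    </rule>
    <!-- Data-node rule: being allowed to run edit-config is not enough; each node the
         edit touches is also checked. Only the interfaces subtree is writable here. -->
    <rule>
      <name>edit-interfaces</name>
      <module-name>ietf-interfaces</module-name>
      <path xmlns:if="urn:ietf:params:xml:ns:yang:ietf-interfaces">/if:interfaces</path>
      <access-operations>create update delete</access-operations>
      <action>permit</action>
      <comment>Operators manage interfaces; every other subtree stays at write-default (deny).</comment>
    </rule>
  </rule-list>
</nacm>
```

Two checks worth running after loading such a configuration: an edit-config from an operator session that touches anything outside /if:interfaces must fail with the NETCONF error-tag access-denied, and the /nacm subtree itself must not be readable by operators (RFC 6536 marks it default-deny-all, so the permissive read-default does not expose it). Because the first matching rule wins, a deny rule placed after a broad permit in the same rule-list never fires; keep the most specific rules first.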
SNMP authentication and access control is via the standard mechanisms defined in v2c or v3. Note that v2c authenticates only by a community string carried in cleartext, so it should be restricted to trusted management networks; v3 (USM with authPriv) provides per-user authentication and encryption and is the recommended mode for remote access.
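As an added illustration (not the SAFplus product's shipped configuration), here is the weak v2c setting beside a v3-only one in Net-SNMP's snmpd.conf syntax. The user name, passphrases and addresses are placeholders, and it assumes the SAFplus SNMP front end reads the standard Net-SNMP configuration files.

```conf
# --- Weak: anyone who can reach UDP/161 and guesses the community string gets read access.
# rocommunity public

# --- Hardened: v3 only, authentication and privacy required, reads restricted to a view.
# createUser is processed once by snmpd and rewritten with localized keys, so it belongs in
# the persistent configuration (typically /var/lib/net-snmp/snmpd.conf), not the main file.
createUser nmsreader SHA "auth-passphrase-change-me" AES "priv-passphrase-change-me"

# Only the MIB-2 system group is visible; everything else is outside the view.
view systemonly included .1.3.6.1.2.1.1

# 'priv' requires both authentication and encryption (authPriv); 'auth' would also accept
# authNoPriv sessions, which expose every polled value on the wire.
rouser nmsreader priv -V systemonly

# If a v2c community is unavoidable, bind it to a source network and a view at least.
# rocommunity nms-ro 10.0.0.0/24 -V systemonly

# Listen only on the management address (placeholder) rather than on all interfaces.
agentAddress udp:10.0.0.5:161
```

A quick verification is to walk the agent with the v2c community after the change and confirm it is refused, then walk it as nmsreader with -l authPriv and confirm only the system subtree is returned.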
HTTPS authentication and access control is via HTTPS session login and cookies. Access control follows the rules specified in the NETCONF Access Control Model.
Remote CLI access control is the same as NETCONF, since the CLI communicates via the NETCONF protocol. "Local access" CLI presumes that the user has already successfully logged into the network element and has permission to execute the safplus_cli application, so access control occurs via SSH and the Linux user security mechanisms. However, once the local access CLI is available to the login user, the super-user role is assumed: all operations are available to a user of the local access CLI. Permission to run safplus_cli locally is therefore equivalent to full management access and should be granted accordingly.
Conversion between XML files and the database also occurs on the network element so access is limited by Linux SSH and the login user's capabilities.
RADIUS
RADIUS (Remote Authentication Dial In User Service) is a centralized authentication system. Commercial and open source (http://freeradius.org/, https://www.gnu.org/software/radius/) implementations of the protocol and RADIUS server exist.
SAFplus Management can be integrated with most RADIUS servers. Since SAFplus NETCONF authentication uses SSH, integrating SSH with your RADIUS server (HOWTOs are available for many Linux flavors and RADIUS implementations) means that RADIUS will be used for NETCONF. Likewise, SAFplus Management uses the Net-SNMP project as its SNMP front end; many RADIUS servers provide integrations with Net-SNMP, so please refer to your RADIUS server's documentation for the details of such an integration. Additionally, it is possible to tunnel SNMP inside SSH, although this may not be supported by your SNMP client. In this case, as with NETCONF, simply integrate RADIUS with SSH (e.g. using the Linux Pluggable Authentication Module (PAM) facility). Note that a PAM-based integration covers password and keyboard-interactive SSH logins only; public-key logins do not pass through PAM's authentication modules, so accounts that must be authenticated centrally should not carry authorized keys.
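The SSH-to-RADIUS integration described above, as an added example written for this page (not a configuration shipped with SAFplus or taken from any particular HOWTO): it uses the common pam_radius_auth module on a Linux host running OpenSSH. Server names, the shared secret and the file layout of the distribution's PAM stack are placeholders or assumptions.

```conf
# --- /etc/pam_radius_auth.conf (mode 0600, root-owned: it holds the shared secret) ---
# server[:port]          shared secret               timeout (seconds)
radius1.example.net      change-this-shared-secret   3
radius2.example.net      change-this-shared-secret   3

# --- /etc/pam.d/sshd: ask RADIUS first, fall back to the distribution's local stack ---
auth    sufficient    pam_radius_auth.so
# The distribution's existing auth/account/session lines follow. With 'sufficient', an
# Access-Accept ends the auth stack and an Access-Reject falls through to local password
# checking; use 'required' (and remove the local auth lines) to make RADIUS mandatory.

# --- /etc/ssh/sshd_config ---
UsePAM yes
# PAM auth modules run for keyboard-interactive and (with UsePAM) password logins.
# The directive is ChallengeResponseAuthentication on OpenSSH releases before 8.7.
KbdInteractiveAuthentication yes
```

Three caveats a deployment should cover: pam_radius_auth authenticates a name it already knows, so each login must still resolve to a local or NSS account (it does not create one); RADIUS PAP only obfuscates the password with an MD5-derived keystream, so the server should be reachable solely over a management network or via RadSec/IPsec; and the fallback to local authentication should be removed once RADIUS is proven, otherwise a locally set password remains a second way in.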
Auditing
Every change to configuration can be written to an audit log.
Application Programming Interface
SAFplus has infrastructure at the application layer that binds objects to the NETCONF path so that C++ objects, and even C++ variables, are management aware. This makes it very easy to connect management definitions to the running code. The binding is dynamic, so that if one process fails another can take over and rebind to the object.
Automatic Object and Object Class Creation. Full C++ Object classes and Object hierarchies can be automatically generated from the YANG file using SAFplus. This code generator is extensible and customizable.
It is also easy to manually create and bind your own management objects -- the programmer simply derives his objects from our base classes.
Provisioning and Statistical Objects Independently Supported. SAFplus supports provisioning (configuration) objects, which are database backed, and statistical objects, which are held in RAM and are read only. The objects are defined in NETCONF and YANG, and are fully supported down through the hierarchy. Since objects are split into two classes, the live running system is more efficient than if there was only a single class.
Easy upgrade to SAFplus High Availability Platform from SAFplus Management Platform. All SAFplus services use management natively. For example all of the Availability Management Framework (AMF) objects, log streams, groups, and messaging pipes are also visible through management interfaces. The resulting close ties between HA and manageability makes things very efficient from a programmer’s and user’s perspective.
High Availability / Redundancy
The SAFplus Management product can be fully integrated with the SAFplus High Availability/Scalability product. This product provides the most powerful and flexible High Availability solution in the market and can be applied to both SAFplus Management components (NETCONF and SNMP protocol handlers, for example) and to user applications. The SAFplus management components are modelled as 1+1 (Active/standby) components and a "virtual" IP address (an IP address that is moved to the active node) is employed to ensure that access to the network element always connects to the active components.
User applications can use any redundancy model supported by the SAFplus High Availability/Scalability product. Applications dynamically "bind" in-RAM objects to locations within the management data tree at runtime. Typically a highly available user application binds to the relevant management configuration and statistics data when it is told to assume the "active" role for a service. However, the "standby" application could, for example, bind to data that provides information about the availability of the standby node. Multiple "active" applications can simultaneously bind to different portions of the management data model to access the configuration or present information locally available in that application. If an active application subsequently fails, its redundant copy is told by the SAFplus HA framework to become active and can then bind its own in-RAM management objects into the management data tree, in effect "taking over" ownership of the management data from the failed application.
Any in-flight transactions are aborted and reissued, ensuring database consistency during application fail over.