Summary:
Information on DMI device connection to NSM
Solution:
When a device is first added to NSM in either reachable or unreachable mode, the first required step is to set up the device's DMI agent settings, either manually or automatically. These settings are required for the device to connect to NSM. This initial setup phase is the only time NSM will try to initiate a TCP session from NSM to the device (using SSH), and only when the device is added in automatic mode. Some devices support only manual configuration of the DMI agent and must be added using the unreachable workflow.
The client side settings for a DMI agent are the following:
- NSM server Primary and Secondary IP address: The agent will try to connect to the primary IP first and then the secondary if no response is received. The agent tries indefinitely to connect to the NSM server.
- Device-ID: Unique identifier provided by NSM which is associated with a specific device in the database of the NSM server.
- OTP (One Time Password): Also referred to as "HMAC" or "secret", this is a passphrase shared between the NSM server and the device, used to perform the initial (first-phase) authentication.
- Admin User/Password: The local user which the DMI agent will use to perform the second-phase authentication for the management channel. This user establishes the privilege level and the access NSM has to the device configuration.
Once the DMI agent is correctly configured, the following procedure is followed:
- The device opens a TCP connection to the NSM server on port 7804.
- The transport used inside the TCP port 7804 connection is SSH.
- The device sends its Device-ID and OTP.
- NSM validates the Device-ID against the list of added devices, verifies the HMAC/OTP, and allows or denies the device connection.
- If allowed, NSM will then open a new tunnel within the existing SSH TCP 7804 connection to the DMI agent. This will serve as the management channel for NSM directives.
- The NSM server needs to authenticate to the device using a device-side configured admin or privileged user and password in order to gain access to manage the device.
- If authenticated by the device, NSM will now report the connection as “Up” and will be able to manage the device with import or update of the configuration.
- NSM and the device will open several other tunnels inside the SSH transport connection in order to allow for other channels to be created. For example, device logs are sent to the NSM server on a specific channel opened for logging.
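The following Python simulation is an added example, not NSM or Juniper code, that walks through the two-phase sequence above: Device-ID and OTP check on the NSM side, admin-user check on the device side, then the management and logging channels. The device table, local accounts, and the exact form of the OTP proof (modelled here as HMAC-SHA256 over an NSM challenge keyed with the shared secret) are constructed assumptions; the real NSM wire format is not documented on this page.

```python
import hashlib
import hmac
import secrets

# Constructed NSM-side device table: Device-ID -> shared OTP secret and the admin
# credentials NSM will present in phase 2. Not real NSM data.
NSM_DEVICE_TABLE = {
    "dev-001": {"otp_secret": b"otp-secret-001", "admin_user": "admin", "admin_password": "pw-001"},
}
# Constructed device-side local accounts (sha256 of password) checked by the device in phase 2.
DEVICE_LOCAL_USERS = {"dev-001": {"admin": hashlib.sha256(b"pw-001").digest()}}


def phase1_proof(secret: bytes, challenge: bytes) -> bytes:
    """Assumed phase-1 proof: HMAC-SHA256 over an NSM challenge keyed with the shared OTP/HMAC secret."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def nsm_validate_phase1(device_id: str, challenge: bytes, proof: bytes) -> bool:
    """NSM checks the Device-ID against its table and verifies the OTP proof in constant time."""
    entry = NSM_DEVICE_TABLE.get(device_id)
    if entry is None:
        return False                                  # unknown Device-ID: denied
    return hmac.compare_digest(phase1_proof(entry["otp_secret"], challenge), proof)


def device_check_admin(device_id: str, user: str, password: str) -> bool:
    """Device-side phase 2: the locally configured admin user authenticates NSM."""
    stored = DEVICE_LOCAL_USERS.get(device_id, {}).get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hashlib.sha256(password.encode()).digest())


def dmi_connect(device_id: str, device_otp: bytes) -> tuple:
    """Run the handshake steps from the article; returns (connection state, open channels)."""
    # Steps 1-2: device opens TCP 7804 to NSM and runs SSH inside it (transport not modelled).
    challenge = secrets.token_bytes(16)
    # Steps 3-4: device sends Device-ID and OTP proof; NSM allows or denies.
    if not nsm_validate_phase1(device_id, challenge, phase1_proof(device_otp, challenge)):
        return "Down", []
    # Step 5: NSM opens the management tunnel inside the existing SSH session.
    channels = ["management"]
    # Step 6: NSM authenticates to the device with the admin user it holds for this device.
    entry = NSM_DEVICE_TABLE[device_id]
    if not device_check_admin(device_id, entry["admin_user"], entry["admin_password"]):
        return "Down", []                             # phase 2 failed: no management access
    # Steps 7-8: connection reported Up; further channels (e.g. logging) are opened.
    channels.append("logging")
    return "Up", channels
```

A wrong OTP, an unknown Device-ID, or a mismatched device-side admin password each leave the connection "Down", matching the allow/deny points in the sequence above.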