Managing ITM Port Usage


Managing ITM Ports
IBM Corporation
5 June 2012
Why Manage Ports?
• Avoid conflict with other applications
– ITM is designed to avoid conflicts
– Customer applications not so much
– Other vendors sometimes conflict
– When a conflict occurs – crisis level impact
• Customer Security Concerns
– Every open port is a potential route for unauthorized
processing or hacking
– Security scanner products work to find open ports and
eliminate unauthorized use
TCP Sockets
• If a process wants to receive
communications it asks TCP to create a
socket and listen on a port.
• A socket has two full-duplex FIFO queues.
• The socket can listen to all interfaces [IP
addresses] or specific ones.
• A Caller will create a socket specifying the
target ip address and port number.
TCP Ports
• Numbered from 0 to 65535
• Some ports are registered with the Internet
Assigned Number Authority - IANA
• 1918/1919/1920/3660/3661 are registered.
• IANA registered ports reduce potential for
conflict between applications and so make
applications easier to configure.
ITM Ports usage at Agent
• ITM processes listen on a port
• Base port defined in KDE_TRANSPORT
[or KDC_FAMILIES]
– Default 1918 for ip.pipe, 3660 for ip.spipe
• Listening Ports
– TEMS: Base Port
– Agent: Base Port + N*4096, N=1..15
ITM Internal Web Server
• By default every ITM process has an
internal web server.
• The web server can be disabled by adding
HTTP_SERVER:N to communication
string [Never for TEMS or TEPS]
• The web server listens on 1920 and 3661
and ports can be configured with HTTP:
and HTTPS: in the communication string
ITM Internal Web Servers
• Every internal Web Server tries to become
the owner of 1920/3661
• If that fails, the Web server instead opens a
connection to the local 1920/3661 owner –
thus creating a local ephemeral socket
• If that connection later fails, all web servers
repeat the initial action and a new 1920/3661
owner is created.
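The owner election described on this slide, as an added simulation (not ITM code, and not from IBM). Each WebServerSlot stands for one ITM process; the port comes from the OS instead of 1920/3661 so the run cannot collide with a real installation, and the assumption that a surviving process notices the lost owner by reading end-of-file or a reset on its client socket is mine, not the slide's.

```python
"""Simulate the shared internal-web-server port election (constructed example).

Not ITM code.  Each WebServerSlot stands for one ITM process.  A free
loopback port chosen by the OS stands in for 1920/3661.
"""
import socket

LOOPBACK = "127.0.0.1"


def pick_free_port() -> int:
    """Ask the OS for a free loopback port to stand in for 1920/3661."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind((LOOPBACK, 0))
        return probe.getsockname()[1]


class WebServerSlot:
    """One process: owns the shared port, or holds a client socket to the owner."""

    def __init__(self, port: int):
        self.port = port
        self.listener = None   # set when this process owns the port
        self.client = None     # set when this process connected to the owner
        self.peers = []        # owner side: accepted client connections

    def start(self) -> str:
        """The slide's initial action: try to own the port, else connect to the owner."""
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # SO_REUSEADDR lets a survivor re-bind while the dead owner's
        # connections are still in TIME_WAIT; it does not allow two listeners.
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            sock.bind((LOOPBACK, self.port))
            sock.listen(8)
            self.listener = sock
            return "owner"
        except OSError:        # EADDRINUSE: another process already owns it
            sock.close()
        self.client = socket.create_connection((LOOPBACK, self.port), timeout=2)
        return "client"

    def accept_one(self) -> None:
        """Owner side: take one queued client connection and keep it open."""
        peer, _ = self.listener.accept()
        self.peers.append(peer)

    def connection_alive(self) -> bool:
        """Client side: detect that the owner has gone away (EOF or reset)."""
        if self.client is None:
            return False
        self.client.settimeout(0.5)
        try:
            return self.client.recv(1) != b""   # b"" means the owner closed
        except socket.timeout:
            return True                         # nothing to read: still connected
        except OSError:
            return False                        # connection reset by the owner

    def stop(self) -> None:
        """Process exit: release every socket this process holds."""
        for sock in [self.listener, self.client, *self.peers]:
            if sock is not None:
                sock.close()
        self.listener, self.client, self.peers = None, None, []

    def recover(self) -> str:
        """The slide's third bullet: the owner is gone, repeat the initial action."""
        self.stop()
        return self.start()


def run_election(port: int) -> list:
    """Start two processes, stop the owner, and record each step's outcome."""
    first, second = WebServerSlot(port), WebServerSlot(port)
    steps = [first.start(), second.start()]   # first owns, second connects
    first.accept_one()
    first.stop()                               # owner process exits
    steps.append("alive" if second.connection_alive() else "dead")
    steps.append(second.recover())             # survivor repeats the initial action
    second.stop()
    return steps


if __name__ == "__main__":
    print(run_election(pick_free_port()))
```

Run it and the survivor ends up as the new owner; the same sequence is what a port scan of the host shows: only one ITM process holds the shared listener, every other process shows up as an ephemeral local connection to it.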
Agent Socket Usage
• Listening socket at base+N*4096 N=1..15
• One local socket which is connected to a
TEMS listening socket.
• One local socket which is connected to a
WPA listening socket.
• Two listening ports for the ITM web server
• Except for first ITM process, a local socket
connected to the active ITM web server.
TCP Connection
• A connection consists of a socket pair.
– IP address and port - local
– IP address and port – remote listener
• One listener can host many callers
because the socket pairs are distinct
ITM Listening port
• The listening port default is base address plus
N*4096, N=1..15
• Use SKIP:N to start at N*4096
– that can be used to avoid using lower port numbers
– N ends at 15 and does not wrap
• Use COUNT:M to only test for M different ports
• ip.pipe port:1918 SKIP:15 COUNT:1 use:y
– Will test and use only 63358 or will fail
ITM Process: Local Ports
• These are local ports associated with the
connection to a remote socket.
• pool:20000-21023 ip.pipe base:1918 use:y
• As a leading modifier it applies to all protocols
• A single pool can specify a maximum of
1024 ports, but you can have multiple pool
modifiers.
ITM No Listening Port Option
• EPHEMERAL:Y means the socket
connection to TEMS is used for all traffic
• ephemeral:y ip.pipe port:1918 use:y
• Historical Data side effects
– Collect historical data on the TEMS or
– Add a WPA to same server as TEMS
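The three preceding slides (ITM Listening port, ITM Process: Local Ports, ITM No Listening Port Option) all describe modifiers of the same communication string, so one added example serves them. This is a constructed model, not IBM's parser: the function names are mine, `port:` and `base:` are treated as the same modifier because the slides use both, a protocol with no `use:` modifier is assumed enabled unless a leading `use:n` precedes it, and SKIP with no value is assumed to start at N=1. The leading-modifier rule (a modifier before any protocol name applies to all protocols) is the one stated on the Local Ports slide.

```python
"""Model the ITM communication-string modifiers on the slides (constructed example).

Not IBM's parser.  Assumptions: 'port:' and 'base:' mean the same thing, a
protocol without 'use:' inherits the leading 'use:' value (enabled when none
was given), and a missing SKIP means N starts at 1.
"""
from __future__ import annotations

from dataclasses import dataclass, field

DEFAULT_BASE = {"ip.pipe": 1918, "ip.spipe": 3660}  # defaults named on the slides
PORT_STRIDE = 4096    # agents listen at base + N*4096
MAX_N = 15            # N runs 1..15 and does not wrap
MAX_POOL_SIZE = 1024  # one pool: modifier may cover at most 1024 ports


@dataclass
class ProtocolConfig:
    name: str
    enabled: bool = True
    base: int | None = None
    skip: int = 0
    count: int | None = None
    ephemeral: bool = False
    pools: list[tuple[int, int]] = field(default_factory=list)
    other: dict[str, str] = field(default_factory=dict)  # HTTP:, HTTPS:, HTTP_SERVER:, ...


def parse_pool(value: str) -> tuple[int, int]:
    """Validate a pool:LOW-HIGH range against the 1024-port limit per pool."""
    low, high = (int(part) for part in value.split("-", 1))
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad pool range {value!r}")
    if high - low + 1 > MAX_POOL_SIZE:
        raise ValueError(f"pool {value!r} exceeds {MAX_POOL_SIZE} ports; use several pool: modifiers")
    return (low, high)


def apply_modifier(cfg: ProtocolConfig, key: str, value: str) -> None:
    """Apply one KEY:VALUE modifier to a protocol (keys are case-insensitive)."""
    key, flag = key.lower(), value.lower() == "y"
    if key in ("port", "base"):
        cfg.base = int(value)
    elif key == "skip":
        cfg.skip = int(value)
    elif key == "count":
        cfg.count = int(value)
    elif key == "use":
        cfg.enabled = flag
    elif key == "ephemeral":
        cfg.ephemeral = flag
    elif key == "pool":
        cfg.pools.append(parse_pool(value))
    else:
        cfg.other[key] = value  # kept verbatim, not modelled here


def parse_comm_string(comm: str) -> dict[str, ProtocolConfig]:
    """Split a KDE_TRANSPORT / KDC_FAMILIES value into per-protocol settings.

    Tokens without ':' name a protocol; tokens with ':' are modifiers.  A
    modifier before any protocol name is a leading modifier and applies to
    every protocol that follows; one after a protocol name applies to that
    protocol only.
    """
    leading: list[tuple[str, str]] = []
    protocols: dict[str, ProtocolConfig] = {}
    current: ProtocolConfig | None = None
    for token in comm.split():
        if ":" not in token:
            current = ProtocolConfig(name=token.lower())
            for key, value in leading:
                apply_modifier(current, key, value)
            protocols[current.name] = current
            continue
        key, _, value = token.partition(":")
        if current is None:
            leading.append((key, value))
        else:
            apply_modifier(current, key, value)
    return protocols


def listening_candidates(cfg: ProtocolConfig) -> list[int]:
    """Ports an agent tries in order: base + N*4096, N=1..15.

    SKIP:n starts at N=n, COUNT:m limits how many are tried, N stops at 15
    without wrapping, and ephemeral:y means no listening port at all.
    """
    if not cfg.enabled or cfg.ephemeral:
        return []
    base = cfg.base if cfg.base is not None else DEFAULT_BASE.get(cfg.name)
    if base is None:
        raise ValueError(f"no base port known for {cfg.name}")
    ns = range(max(1, cfg.skip), MAX_N + 1)
    if cfg.count is not None:
        ns = ns[: cfg.count]
    return [base + n * PORT_STRIDE for n in ns]


def choose_listening_port(cfg: ProtocolConfig, in_use: set[int]) -> int | None:
    """First candidate not already bound on the host, or None when all are taken."""
    return next((p for p in listening_candidates(cfg) if p not in in_use), None)


if __name__ == "__main__":
    for comm in ("ip.pipe port:1918 SKIP:15 COUNT:1 use:y",
                 "pool:20000-21023 ip.pipe base:1918 use:y",
                 "ephemeral:y ip.pipe port:1918 use:y"):
        for name, cfg in parse_comm_string(comm).items():
            print(f"{comm!r}: {name} listen={listening_candidates(cfg)} pools={cfg.pools}")
```

For `ip.pipe port:1918 SKIP:15 COUNT:1 use:y` the only candidate is 63358, which is the slide's "will test and use only 63358 or will fail"; feeding that port into `choose_listening_port` as already in use returns None, the failure case. A pool of 1025 ports is rejected by `parse_pool`, matching the 1024-port limit per `pool:` modifier.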
Localhost Ports
• ITM basic services makes use of localhost
[127.0.0.1] ports for in-server ITM
communication.
• Some of those ports are created before
ITM basic services begins
• These ports are invisible to other servers.
• These ports are not configurable
IP V6 Support
• IP V6 is fully supported
• Protocol names are different
Universal Agent Ports
• UA uses all the same ports and…
• By default UA will also use port 1919 to
communicate with collectors [IANA registered]
• Each data collector process will use an
ephemeral port when its socket is created
• KUMP_LOCAL_DATA=Y configures non-socket
communication on a single server
• In a very few cases that configuration causes
collection issues
• Consider use of Agent Builder instead
tacmd createNode
• Used for first install of OS Agent
• Linux/Unix uses SSH/RSH/REXEC from
the hub TEMS to the target agent
• For example, SSH usually uses port 22
• During agent createNode the service port
and port 1918 from agent to hub will be
used.
• After - agent will usually connect to a
remote TEMS.
ITM Outbound Communication
• ITM does not control outbound traffic.
• ITM writes to socket and TCP manages
what interfaces get used
• TCP systems have commands [route] to
control that flow when needed.
• KDEB_INTERFACELIST control with
agent using ephemeral:y has the effect of
controlling outbound data traffic.
Managing ITM Ports
• Update communications string
• EPHEMERAL:Y to eliminate listening port
• POOL: control ports used for local sockets
• SKIP: and COUNT: to control listening port
• HTTP: and HTTPS: or HTTP_SERVER:N
to control internal web server ports
• UA use KUMP_LOCAL_DATA=Y
Simpler Communication String
• Start with a use:n which disables all
protocols by default.
• Enable only the protocols needed.
• use:n ip.pipe use:y ip.tcp.http use:y
• Technote with all protocol modifiers
• http://www.ibm.com/support/docview.wss?uid=swg21422918
Implementing Config Changes
• On ITM 623
– create xx.environment file to include in
runtime environment
• On ITM 622 and earlier
– Create the xx.environment file and place
value within single quotes
– Source include into the xx.ini file
• http://www.ibm.com/support/docview.wss?uid=swg21589289
Further research
• Which TCP/IP ports will my Tivoli
monitoring address space use?
• http://www-01.ibm.com/software/tivoli/features/ccr2/ccr2-2008-10/monitoring-port-pooling.html