Hello, I am having a few dramas with TAD4D 7.5:
Our TAD4D Environment
Base WAS install used (to enable use of HTTP/Proxy)
TAD4D Server <=> |firewall_1| <=> |firewall_2| <=> HTTP/Proxy <=> TAD4D_Agent
Installed with agentToServerSecurityLevel=0
TAD4D server listens on PORT 9988 and 9999
HTTP/Proxy listens on PORT 9988 and 9999
Agents communicate on 9988
All working fine with configuration as per above
I perform the following actions as per Security section of TAD4D Infocenter:
Enabling medium security:
Download and install unrestricted JCE policy files
Created a self-signed certificate (replacing existing one)
Extract the arm.cert
Replace arm.cert on TAD4D server
setserverconf -k agentToServerSecurityLevel -v 1
run ./tlmagent -p on agent and it fails as expected
copy new cert.arm file to agents
set tlmagent with ./tlmagent -set security_level 1
run ./tlmagent -p and it fails, check on TIP TAD4D and agents are not connecting
Am I doing anything wrong here?
Is the use of the HTTP/Proxy intermediary not supported with anything other than security level 0?
Any assistance here would be gratefully accepted!
Enabling TAD4D agenToServerSecurityLevel 1
tdch 270001YMTK7 Posts
Re: Enabling TAD4D agenToServerSecurityLevel 1
2012-05-28T09:43:06Z in response to SystemAdmin
Anthony,
Enabling security level 1 is described in the following section of documentation:
Please check it.
I can see at least two questionable points in your description:
-) Usage of proxy: Did you configure the proxy usage on the agent?
-) I can see two different names associated with the server's certificate in your description: arm.cert and cert.arm.
You should import a private key together with the certificate to the WAS server? Is it what you call arm.cert?
You should import only the certificate (public key with a signature) to agents.
Is it what you call cert.arm?
Did the file disappear after running agent? It should if it was imported properly to agent's certificate container.
Please send anonymized configuration files of proxy and agent. I will check them for possible errors.
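An added example, not part of either post or of the product's tooling: a pre-distribution check that the file copied to agents holds only the server's certificate and is the same certificate that was extracted on the server after the old one was replaced. It assumes the extracted file is Base64 (PEM-style) text; the function names and sample inputs are constructed placeholders, not real certificates or keys.

```python
import base64
import hashlib
import re

# Any PEM-style block: captures the label and the Base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def inspect_arm(text):
    """Return (block labels, SHA-256 fingerprints of the CERTIFICATE blocks)."""
    labels, prints = [], []
    for label, body in PEM_BLOCK.findall(text):
        labels.append(label)
        if label == "CERTIFICATE":
            der = base64.b64decode("".join(body.split()), validate=True)
            prints.append(hashlib.sha256(der).hexdigest())
    return labels, prints

def agent_file_problems(agent_text, server_text):
    """List reasons the file bound for agents should not be distributed."""
    problems = []
    labels, prints = inspect_arm(agent_text)
    if any("PRIVATE KEY" in label for label in labels):
        problems.append("contains a private key")
    if len(prints) != 1:
        problems.append("expected exactly one certificate, found %d" % len(prints))
    if prints != inspect_arm(server_text)[1]:
        problems.append("does not match the certificate extracted on the server")
    return problems

def _pem(label, raw):
    # Constructed placeholder block; the payload is not a real certificate or key.
    body = base64.encodebytes(raw).decode()
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)

NEW_CERT = _pem("CERTIFICATE", b"constructed: new self-signed server cert")
OLD_CERT = _pem("CERTIFICATE", b"constructed: replaced server cert")
WITH_KEY = NEW_CERT + _pem("PRIVATE KEY", b"constructed: server private key")

if __name__ == "__main__":
    for name, text in [("new", NEW_CERT), ("old", OLD_CERT), ("with key", WITH_KEY)]:
        print(name, agent_file_problems(text, NEW_CERT) or "ok")
```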
SystemAdmin 110000D4XK57 Posts
Re: Enabling TAD4D agenToServerSecurityLevel 1
2012-05-30T15:29:32Z in response to tdch
Hi, thanks for your response.
To answer your questions:
Yes, Proxy config was performed at Agent install time via TCM:
winstsp -f -tn -uy -l priority=h -D agt_logs_dir=/opt/Tivoli/local/itlm/logs -D SecurityLevel=0 -D CITInstallPath=/opt/tivoli/cit -D UseProxy=y -D ProxyAddress=x.x.x.x -D ProxyPort=9988 -D ScanGroup=TEST_01 -D MessageHandlerAddress=x.x.x.x @SoftwarePackage:aix.tad4d_75^1.0 @Endpoint:ep_name
The above is for agentToServerSecurityLevel 0,
(-D SecurityLevel=1 -D InstallServerCertificate=y -D ServerCertFilePath=/opt/Tivoli/local/cert.arm) was added after configuring Server for security level 1 and copying the cert.arm file from the TAD4D server to the agent lpars (ServerCertFilePath=/opt/Tivoli/local/cert.arm)
The cert.arm/arm.cert was a typo.
The original self-signed server certificate was deleted, then a new certificate was created and extracted on the TAD4D server and copied to locations as directed in the documentation, then the server was recycled.
The file did not disappear after manually reconfiguring the existing agent and restarting.
The agent would not install successfully via TCM when deploying as SecurityLevel=1 but works fine with no security.
Am I correct in expecting that a keydb directory should be updated or created and populated with cert.ar when manually configuring an existing agent to SecurityLevel=1?