2 replies, latest post 2012-05-30T15:29:32Z by SystemAdmin
SystemAdmin

Enabling TAD4D agentToServerSecurityLevel 1

2012-05-24T10:05:29Z
Hello, I am having a few dramas with TAD4D 7.5:

Our TAD4D Environment

Base WAS install used (to enable use of HTTP/Proxy)
TAD4D Server <=> |firewall_1| <=> |firewall_2| <=> HTTP/Proxy <=> TAD4D_Agent

Installed with agentToServerSecurityLevel=0

TAD4D server listens on PORT 9988 and 9999
HTTP/Proxy listens on PORT 9988 and 9999

Agents communicate on 9988

All working fine with configuration as per above

I performed the following actions as per the Security section of the TAD4D Infocenter:

Enabling medium security:

Download and install unrestricted JCE policy files
recycle server
Created a self-signed certificate (replacing existing one)
recycle server
Extract the arm.cert
Replace arm.cert on TAD4D server
recycle server
setserverconf -k agentToServerSecurityLevel -v 1
recycle server
run ./tlmagent -p on agent and it fails as expected
copy new cert.arm file to agents
set tlmagent with ./tlmagent -set security_level 1
restart tlmagent
run ./tlmagent -p and it fails, check on TIP TAD4D and agents are not connecting

Am I doing anything wrong here?
Is the use of the HTTP/Proxy intermediary not supported with anything other than security level 0?

Any assistance here would be gratefully accepted!

Anthony
  • tdch

    Re: Enabling TAD4D agentToServerSecurityLevel 1

    2012-05-28T09:43:06Z in response to SystemAdmin
    Anthony,

    Enabling security level 1 is described in the following section of documentation:

    http://pic.dhe.ibm.com/infocenter/tivihelp/v54r1/index.jsp?topic=%2Fcom.ibm.tad4d75.doc%2Fcom.ibm.license.mgmt.security.doc%2Ft_enabling_medium_security.html

    Please check it.

    I can see at least two questionable points in your description:
    -) Usage of proxy: did you configure proxy usage on the agent?
    -) I can see two different names associated with the server's certificate in your description: arm.cert and cert.arm.
    You should import a private key together with the certificate to the WAS server. Is that what you call arm.cert?
    You should import only the certificate (public key with a signature) to the agents.
    Is that what you call cert.arm?
    Did the file disappear after running the agent? It should if it was imported properly into the agent's certificate container.

    Please send anonymized configuration files of proxy and agent. I will check them for possible errors.

    tdch
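A pre-flight check for the file handed to the agents, written as an added example (it is not from this thread, from IBM, or from TAD4D): it rejects a file that still carries the private key, which tdch's reply says belongs on the WAS server only, and a file with CRLF line endings from a text-mode-less copy. It assumes the .arm extract is Base64 (ASCII) text with PEM-style BEGIN/END markers.

```shell
#!/bin/sh
# check_agent_cert FILE: succeed only if FILE is a readable text file holding
# exactly one public certificate, no private key and no CRLF line endings.
# Added example, not IBM/TAD4D code; the PEM-style markers are an assumption
# about what an ikeyman/GSKit ".arm" extract contains.
check_agent_cert() {
  f="$1"
  if [ ! -r "$f" ]; then
    echo "FAIL: $f is missing or unreadable"
    return 1
  fi
  if grep -q 'PRIVATE KEY-----' "$f"; then
    echo "FAIL: $f carries a private key; agents must get the public certificate only"
    return 1
  fi
  begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
  ends=$(grep -c -e '-----END CERTIFICATE-----' "$f" || true)
  if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
    echo "FAIL: $f has $begins BEGIN / $ends END markers; expected exactly one certificate"
    return 1
  fi
  if grep -q "$(printf '\r')" "$f"; then
    echo "FAIL: $f has CRLF line endings; re-copy it in ASCII/text mode"
    return 1
  fi
  echo "OK: $f is a single public certificate"
  return 0
}

# make_samples DIR: write constructed sample files (placeholder bodies, not
# real certificates) so the check can be exercised offline.
make_samples() {
  d="$1"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedplaceholder' '-----END CERTIFICATE-----' > "$d/good.arm"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedplaceholder' '-----END CERTIFICATE-----' \
    '-----BEGIN RSA PRIVATE KEY-----' 'MIIEconstructedplaceholder' '-----END RSA PRIVATE KEY-----' > "$d/withkey.arm"
  printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedplaceholder' '-----END CERTIFICATE-----' > "$d/crlf.arm"
}

# Run the check over the samples; only good.arm should pass.
d=$(mktemp -d)
make_samples "$d"
for f in good.arm withkey.arm crlf.arm missing.arm; do
  check_agent_cert "$d/$f" || :
done
rm -rf "$d"
```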
    • SystemAdmin

      Re: Enabling TAD4D agentToServerSecurityLevel 1

      2012-05-30T15:29:32Z in response to tdch
      Hi, thanks for your response.

      To answer your questions:

      Yes, proxy config was performed at agent install time via TCM:

      winstsp -f -tn -uy -l priority=h -D agt_logs_dir=/opt/Tivoli/local/itlm/logs -D SecurityLevel=0 -D CITInstallPath=/opt/tivoli/cit -D UseProxy=y -D ProxyAddress=x.x.x.x -D ProxyPort=9988 -D ScanGroup=TEST_01 -D MessageHandlerAddress=x.x.x.x @SoftwarePackage:aix.tad4d_75^1.0 @Endpoint:ep_name

      The above is for agentToServerSecurityLevel 0;

      (-D SecurityLevel=1 -D InstallServerCertificate=y -D ServerCertFilePath=/opt/Tivoli/local/cert.arm) was added after configuring the server for security level 1 and copying the cert.arm file from the TAD4D server to the agent LPARs (ServerCertFilePath=/opt/Tivoli/local/cert.arm).

      The cert.arm/arm.cert was a typo.

      The original self-signed server certificate was deleted, then a new certificate was created and extracted on the TAD4D server and copied to the locations as directed in the documentation, then the server was recycled.

      The file did not disappear after manually reconfiguring the existing agent and restarting.

      The agent would not install successfully via TCM when deploying with SecurityLevel=1 but works fine with no security.

      Am I correct in expecting that a keydb directory should be updated or created and populated with cert.arm when manually configuring an existing agent to SecurityLevel=1?

      Cheers

      Anthony