Update runtime environment to use secure TCP communication (PARMGEN)

Use PARMGEN to update your runtime environment to use secure TCP communication.

Before you begin

If you are using a TCP protocol that is non-secure (IP.PIPE, IP6.PIPE) and want to update your runtime environment to use a secure TCP protocol (IP.SPIPE, IP6.SPIPE), you must modify settings for the runtime environment by using Configuration Manager or PARMGEN. This task describes the process using PARMGEN.
Before you begin this task, complete the following steps:

About this task

To change the TCP protocol that your runtime environment uses, you must modify the communication protocol setting for both the Tivoli Enterprise Monitoring Server and the monitoring agents. Optionally, you can also modify the ports that are used, if you want to use a port other than the default secure communications port, 3660.

You use the following parameters when you update your runtime environment to use secure TCP communication with PARMGEN:

Table 1. Parameters for setting secure TCP communication using PARMGEN (listed by component, as parameter: description)

Tivoli Enterprise Monitoring Server
  • KDS_TEMS_COMM_PROTOCOLn: Communication protocol to be supported by the Tivoli Enterprise Monitoring Server, where n corresponds to a number between 1 and 7 to indicate the priority sequence for the communication protocols.
  • KDS_TEMS_TCP_PIPES_PORT_NUM: Well-known port for the monitoring server for the IP.SPIPE communication protocol (the TCP/IP protocol that supports Secure Sockets Layer communications over IPv4). The default port number is 3660.
  • KDS_TEMS_TCP_PIPE6S_PORT_NUM: Well-known port for the monitoring server for the IP6.SPIPE communication protocol (the TCP/IP protocol that supports Secure Sockets Layer communications over IPv6). The default port number is 3660.
Remote monitoring server
  • KDS_HUB_TCP_PIPES_PORT_NUM: Well-known port for the hub monitoring server for the IP.SPIPE communication protocol (the TCP/IP protocol that supports Secure Sockets Layer communications over IPv4), specified during configuration of a remote monitoring server. The default port number is 3660.
  • KDS_HUB_TCP_PIPE6S_PORT_NUM: Well-known port for the hub monitoring server for the IP6.SPIPE communication protocol (the TCP/IP protocol that supports Secure Sockets Layer communications over IPv6), specified during configuration of a remote monitoring server. The default port number is 3660.
Monitoring agents
  • Kpp_AGT_COMM_PROTOCOLn: Communication protocol to be supported by the monitoring agent, where n corresponds to a number between 1 and 7 to indicate the priority sequence for the communication protocols.
  • Kpp_TEMS_TCP_PIPES_PORT_NUM: Port number for agent connection to the monitoring server for the IP.SPIPE communication protocol.
  • Kpp_TEMS_TCP_PIPE6S_PORT_NUM: Port number for agent connection to the monitoring server for the IP6.SPIPE communication protocol.
Note: You can set up your runtime environment to use both IP.SPIPE and IP.PIPE concurrently. This configuration might be useful when transitioning from a non-secure protocol to a secure protocol. For a secure environment, it is recommended that you disable the non-secure protocol as soon as possible after transitioning to the secure protocol.
Note: If multiple protocols are specified, you must have a corresponding port assigned for each specified protocol.

The following procedure describes how to specify the use of secure TCP communication (IPSPIPE, IP6SPIPE) for your runtime environment using PARMGEN.

Procedure

  1. Update the settings for the monitoring server to use secure TCP communication. In member WCONFIG(rte_name), make the following updates:
    1. Assign a secure communication protocol (IPSPIPE, IP6SPIPE) as the first priority protocol. The following example sets the first priority protocol to use secure TCP over IPv4:
      KDS_TEMS_COMM_PROTOCOL1      IPSPIPE  * Secure TCP over IPv4
      Note: If you use IPv6, set the protocol value to IP6SPIPE.
    2. If you want to use a secure communication port other than default port 3660, assign the port number by using the corresponding parameter for the specified protocol (IPv4 or IPv6):
      KDS_TEMS_TCP_PIPES_PORT_NUM  3660     * Secure IP.PIPE for IPv4
      KDS_TEMS_TCP_PIPE6S_PORT_NUM 3660     * Secure IP.PIPE for IPv6
    3. If this monitoring server is a remote monitoring server, specify the port number of the hub monitoring server by using the corresponding parameter for the specified protocol (IPv4 or IPv6):
      KDS_HUB_TCP_PIPES_PORT_NUM   3660     * Secure IP.PIPE for IPv4
      KDS_HUB_TCP_PIPE6S_PORT_NUM  3660     * Secure IP.PIPE for IPv6
  2. Update the settings for each of the monitoring agents to use secure TCP communication. In member WCONFIG(rte_name), make the following updates:
    1. Assign a secure communication protocol (IPSPIPE, IP6SPIPE) as the first priority protocol. The following example sets the first priority protocol to use secure TCP over IPv4:
      Kpp_AGT_COMM_PROTOCOL1       IPSPIPE  * Secure TCP over IPv4
    2. If you want to use a secure communication port other than default port 3660, assign the port number by using the corresponding parameter for the specified protocol (IPv4 or IPv6):
      Kpp_TEMS_TCP_PIPES_PORT_NUM  3660     * Secure IP.PIPE for IPv4
      Kpp_TEMS_TCP_PIPE6S_PORT_NUM 3660     * Secure IP.PIPE for IPv6
  3. Submit the $PARSE job to refresh the profile.
  4. Recycle the started tasks for the monitoring server and the monitoring agents.

Example

The following example shows the parameters required for a configuration that specifies multiple protocols. If you are transitioning to a secure protocol from a non-secure protocol, you might use this configuration to add the secure protocol before disabling the non-secure protocol. After all components are communicating securely, you can then disable the non-secure protocol. Note that each specified protocol requires a corresponding port number.

For the monitoring server:
In member WCONFIG(rte_name):
  • Use the KDS_TEMS_COMM_PROTOCOLn parameters to specify the protocols in priority order:
    KDS_TEMS_COMM_PROTOCOL1      IPSPIPE  * First choice: secure TCP over IPv4
    KDS_TEMS_COMM_PROTOCOL2      IPPIPE   * Second choice: non-secure TCP over IPv4
  • Use the KDS_TEMS_TCP_*_PORT_NUM parameters to specify corresponding ports, if you want to use values other than the default values:
    KDS_TEMS_TCP_PIPE_PORT_NUM   1918     * IP.PIPE for IPv4
    KDS_TEMS_TCP_PIPES_PORT_NUM  3660     * Secure IP.PIPE for IPv4
  • If the monitoring server is a remote monitoring server, use the KDS_HUB_TCP_*_PORT_NUM parameters to specify the ports to use:
    KDS_HUB_TCP_PIPE_PORT_NUM    1918     * IP.PIPE for IPv4
    KDS_HUB_TCP_PIPES_PORT_NUM   3660     * Secure IP.PIPE for IPv4
For the monitoring agents:
In member WCONFIG(rte_name):
  • Use the Kpp_AGT_COMM_PROTOCOLn parameters to specify the protocols in priority order:
    Kpp_AGT_COMM_PROTOCOL1       IPSPIPE  * First choice: secure TCP over IPv4
    Kpp_AGT_COMM_PROTOCOL2       IPPIPE   * Second choice: non-secure TCP over IPv4
  • Use the Kpp_TEMS_TCP_*_PORT_NUM parameters to specify corresponding ports, if you want to use values other than the default values:
    Kpp_TEMS_TCP_PIPE_PORT_NUM   1918     * IP.PIPE for IPv4
    Kpp_TEMS_TCP_PIPES_PORT_NUM  3660     * Secure IP.PIPE for IPv4
Tip: Configuration Manager simplifies the process of configuring communication protocols and ports by offering an easy way to set all components to the same values, rather than setting parameters individually for each component. If you are a PARMGEN user, consider moving to Configuration Manager.
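
The following check is an added example, not part of the original page or of any IBM tooling. It reads the text of a WCONFIG(rte_name) member exported for offline review and reports non-secure protocols that are still listed and protocols with no corresponding port parameter. It assumes one "parameter value * comment" entry per line and that ports are set explicitly in the member; the product code KXX and the sample member are constructed.

```python
import re

# Protocol value -> (secure?, infix of its <prefix>_TEMS_TCP_<infix>_PORT_NUM).
# Only parameter names shown on the page are mapped; IP6PIPE gets no port check.
PROTOCOLS = {
    "IPPIPE": (False, "PIPE"),
    "IPSPIPE": (True, "PIPES"),
    "IP6PIPE": (False, None),
    "IP6SPIPE": (True, "PIPE6S"),
}
PROTOCOL_PARAM = re.compile(r"^(K[A-Z0-9]{2})_(?:TEMS|AGT)_COMM_PROTOCOL([1-7])$")

# Constructed sample: server mid-transition, agent KXX (placeholder) misconfigured.
SAMPLE = """\
* constructed WCONFIG(rte_name) excerpt
KDS_TEMS_COMM_PROTOCOL1      IPSPIPE  * First choice: secure TCP over IPv4
KDS_TEMS_COMM_PROTOCOL2      IPPIPE   * Second choice: non-secure TCP over IPv4
KDS_TEMS_TCP_PIPE_PORT_NUM   1918     * IP.PIPE for IPv4
KDS_TEMS_TCP_PIPES_PORT_NUM  3660     * Secure IP.PIPE for IPv4
KXX_AGT_COMM_PROTOCOL1       IPPIPE
KXX_AGT_COMM_PROTOCOL2       IPSPIPE
KXX_TEMS_TCP_PIPE_PORT_NUM   1918
"""

def parse_member(text):
    """Return {parameter: value}, skipping blank lines and '*' comment lines."""
    params = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("*"):
            params[fields[0]] = fields[1].strip('"')
    return params

def audit(text):
    """Return (protocol parameter, problem) pairs, sorted by parameter name."""
    params = parse_member(text)
    findings = []
    for name, value in sorted(params.items()):
        match = PROTOCOL_PARAM.match(name)
        if not match or value not in PROTOCOLS:
            continue  # not a protocol slot, or a protocol this page does not cover
        prefix, priority = match.group(1), int(match.group(2))
        secure, infix = PROTOCOLS[value]
        if not secure:
            what = ("first-priority protocol is non-secure" if priority == 1
                    else "non-secure protocol still enabled")
            findings.append((name, f"{what}: {value}"))
        if infix and f"{prefix}_TEMS_TCP_{infix}_PORT_NUM" not in params:
            findings.append((name, f"{value} has no {prefix}_TEMS_TCP_{infix}_PORT_NUM"))
    return findings
```

During a transition the "still enabled" finding is expected for the second-priority slot; it becomes the item to clear once all components communicate over the secure protocol.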