[AIX Solaris HP-UX Linux Windows]

Requirements for using Remote Execution and Access (RXA)

You can use Remote Execution and Access in WebSphere Application Server Version 8.x and 7.x. WebSphere® Application Server Network Deployment provides management features, such as initiating installations of product packages and maintenance from the administrative console. The product uses the Tivoli Remote Execution and Access (RXA) toolkit to access your remote workstations.

Windows target requirements

[8.5.5.14 or later]Deprecated feature: [Windows]The Server Message Block (SMB) protocol enables remote method execution on the Windows operating system and is used by Job Manager. Version 1 of the SMB protocol (SMBv1) is insecure. As an alternative, disable SMBv1 on your Windows system, and install an SSH service as the replacement for remote method execution.

RXA supports the SMB1 protocol, which is insecure. It is strongly recommended that you install an SSH service, such as the SSH daemon from Cygwin, and disable the SMB1 protocol. For more information about how to enable and disable the SMB1 protocol, see How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server.

Many RXA operations require access to resources that are not generally accessible by standard user accounts. Therefore, the account names that you use to log onto remote Windows targets must have administrative privileges.

Simple file sharing

Windows XP system targets must have simple file sharing disabled for RXA to work. Simple networking requires that you log in as guest. A guest login does not have the authorization necessary for RXA to function correctly.

To disable Simple File Sharing, open Windows Explorer and click Tools > Folder Options > View > Use Simple File Sharing. Clear the Use Simple File Sharing check box. Click Apply and OK.

[Windows 2008 Server][Windows Vista][Windows 7]You must enable file sharing for the Guest or Everyone accounts, and disable password protected sharing. To disable password protected sharing, perform the following steps:
  1. Click Control Panel > Network and Sharing Center > Sharing and Discovery.
  2. Expand the Password protected sharing list.
  3. Select Turn off password protected sharing.
  4. Click Apply, and exit the control panel.

User Account Control (UAC) on Microsoft Windows 2008, VISTA, and 7

In order for RXA to connect to a user on a host on Microsoft Windows 2008/Vista/7, User Account Control (UAC) must be disabled. If UAC is not disabled, the connection fails. To Disable UAC, follow these steps:

[Windows 2008 Server][Windows Vista]
  1. Open User Accounts. Click Start > Control Panel.
  2. Click User Accounts and Family Safety > User Accounts. If you are connected to a network domain, click User Accounts from the control panel.
  3. Click Turn User Account Control on or off. If you are prompted for an administrator password or confirmation, enter the password or provide confirmation.
  4. To turn off UAC, uncheck the Use User Account Control (UAC) to help protect your computer check box. Click Ok.
[Windows 7]
  1. Open the Control Panel from the start panel.
  2. Click System and security.
  3. Click Action Center.
  4. Click Change User Account Control settings.
  5. To set User Account Control to the least secure setting, click and drag the bar to Never Notify.

Firewalls

Windows XP systems include a built-in firewall called the Internet Connection Firewall (ICF), which is disabled by default. For Windows XP Service Pack 2 systems, the Windows firewall is enabled by default. If either firewall is enabled on a Windows target workstation, RXA cannot access the target workstation. On Windows XP Service Pack 2, you can select the File and Printer Sharing check box in the Exceptions tab of the Windows Firewall configuration to allow access. Do not block port 445.

File sharing and printer sharing

RXA cannot establish a connection unless file sharing and printer sharing are enabled. To enable file sharing and printer sharing, follow these steps:

  • Microsoft Windows XP
    • Open Windows Network Connections in the Start menu and right-click My Network Places.
    • Right-click all connected connections. Click Properties.
    • Verify that the File and Printer Sharing for Microsoft Networks check box is selected.
  • Microsoft Windows Vista
    • Click Network in the Start menu.
    • Under Sharing and discover, enable file sharing and printer sharing.
  • Microsoft Windows 2008
    • Select the Control Panel from the Start menu.
    • Click Network and Sharing center.
    • Enable file and printer sharing.
  • Microsoft Windows 7
    • Select the Control Panel from the Start menu.
    • Click Network and internet.
    • Click Network and sharing center.
    • Click Change advanced sharing settings.
    • Enable file and printer sharing.

Remote Registry

You must enable the remote registry administration, which is the default configuration, on the target workstation for RXA to run commands and scripts. To verify that the remote registry is enabled and started, follow these steps: [Windows 2008 Server][Windows 7]
  • On Control panel, click Run.
  • Enter "services.msc". Click OK.
  • Scroll down. Click Remote Registry.
  • To enable Remote registry, right-click Remote Registry > All Tasks > Start.
  • To enable the Remote registry service to start during system start up, right-click Remote Registry > Properties. Change the start up type to Automatic.

Administrative sharing

You must enable administrative sharing to successfully use RXA to connect to your Windows systems targets. Examples of the default administrative disk share are C$ and D$ . If you disable sharing, RXA considers directories that are located within the drives as hidden. In this case, the following message is displayed:

XCIM0009E: Error connecting to remote target <host_name>. Exception: java.io.FileNotFoundException: 
CTGRI0003E The remote path name specified cannot be found: file_or_directory_path>. 
Cause: com.starla.smb.SMBException: The network name is incorrect.

Follow these steps to enable administrative sharing:

  1. Click My Computer.
  2. Right-click the disk drive that you are enabling for administrative sharing.
  3. Click Sharing and Security.
  4. Select Share this folder.
  5. Specify the share name, such as C$ or D$, and click OK.
[Windows 2008 Server][Windows 7]

Connecting to Windows Vista, Windows 7, or Windows 2008 Server R2 targets

To connect to Windows 7 and Windows 2008 Server R2 targets, use either option 2 or option 3 that follows disabling the User Account Control in step 1. Before you begin, ensure that the Remote Registry in Windows Services is started, and port 445 is unblocked in the firewall.

  1. Disable the User Account Control that is enabled by default if you are using a different user account to connect to the target workstation. To disable User Account Control perform the following steps:
    1. Select Control Panel > Administrative Tools > Local Security Policy > Security Settings > Local Policies > Security Options.
    2. Next, double-click User Account Control: Run all administrators in Admin Approval Mode.
    3. Select Disable, and click OK.
  2. Configure both the deployment manager machine and the Windows Vista, Windows 7, or Windows 2008 Server R2 target as members of a Windows domain. Use a user account in that domain, or in a trusted domain, when you connect to the target.
  3. Enable and use the built-in administrator account to connect to the target workstation. To enable the built-in administrator account perform the following steps:
    1. Select Control Panel > Administrative Tools > Local Security Policy > Security Settings > Local Policies > Security Options.
    2. Next, double-click Accounts: Administrator account status.
    3. Select Enable, and click OK.
Avoid trouble: For the configuration changes to take effect, you must restart the workstation.

Linux and UNIX target requirements

The centralized installation manager, through RXA, uses SSH Version 2 to access UNIX and Linux target workstations. This usage requires the use of either OpenSSH 3.6.1 (or, if accessing AIX targets, OpenSSH 4.7), or Sun SSH 1.1 on the target hosts.

Note that OpenSSH 3.7.1, or higher, contains security enhancements not available in earlier releases, and is recommended.

Avoid trouble: OpenSSH Version 4.7.0.5302 for IBM AIX Version 5.3 is not compatible with Remote Execution and Access Version 2.3. If your target systems are running AIX Version 5.3 with OpenSSH Version 4.7.0.5302 installed, the file transfer might stop in the middle of the transfer. To avoid this problem, revert the OpenSSH version from Version 4.7.0.5302 to Version 4.7.0.5301.

Using Secure Shell (SSH) protocol

Remote Execution and Access does not supply SSH code for UNIX operating systems. You must ensure SSH is installed and enabled on any target you want to access using CIM.

In all UNIX environments except Solaris, the Bourne shell (sh) is used as the target shell. On Solaris targets, the Korn shell (ksh) is used instead due to problems encountered with sh.

To communicate with Linux and other SSH targets using password authentication, you must edit the /etc/ssh/sshd_config file on the targets and set the following property: 
PasswordAuthentication yes

The default value for the PasswordAuthentication property is no.

After changing this setting, stop and restart the SSH daemon using the following commands: 
/etc/init.d/sshd stop 
/etc/init.d/sshd start

IBM i targets

Use of SSH public/private key authentication to IBM® i targets is not supported.