Configuring remote code load

Remote code load (RCL) is a service that allows remote support engineers to complete code updates on the storage system.

IBM® storage implemented a remote capability to upgrade code on clients’ entitled storage products. RCL is the process of having IBM support personnel securely connect to and update the microcode on the storage system. The RCL service is the preferred code delivery method, which proves to be both efficient and secure for IBM clients. RCL is fast and easy to coordinate because it does not require an onsite visit of an IBM services technician and is the preferred alternative to the existing on-premises microcode upgrade service.

Remote code load requires a set of firewall settings to be open in the client network to facilitate the following activities.
  • Access IBM Fix Central to download code
  • Access Enhanced Customer Data Repository (ECUREP) system to upload logs
  • Remote dial in to complete code load
Note: This access is the same set of access requirements that is needed for normal remote support operations.
The following network connections between IBM and the system are required to enable support assistance.
esupport.ibm.com
The esupport.ibm.com network connection is used for the following actions:
  • Uploading logs to the IBM Enhanced Customer Data Repository (ECUREP)
  • Connecting to Call home with cloud services (Cloud Call Home)
  • Downloading software from FixCentral (new for 8.4.2)
Note: The esupport.ibm.com network connection is fully certified to securely transmit data for Blue Diamond (HIPAA) users and General Data Protection Regulation (GDPR) protected users.
If you are using a firewall to route traffic instead of an HTTP proxy server, use the following information to configure a firewall rule.
| Source | Target | Port | Protocol | Direction |
|---|---|---|---|---|
| The service IP address of every node or node canister. | esupport.ibm.com | 443 | https | Outbound only |
Remote Access
IBM can remotely connect to your system to perform maintenance actions by using remote access. Remote access can be permanently enabled, or it can be enabled as needed. The system supports three methods of enabling remote access to the system:
HTTP internal proxy server
It is recommended that you specify an HTTP proxy server for better security. If an HTTP proxy is configured, the system connects through the HTTP proxy server. For more information, see Defining an HTTP proxy server. If you currently have a Remote Proxy Server configured on the system, you must remove the Remote Proxy Server from your configuration. For more information, see the Removing a Remote Proxy Server page.
Direct network connection
If the Remote Support Proxy server is not installed and configured, use the following information to configure a firewall rule.
| Source | Target | Port | Protocol | Direction |
|---|---|---|---|---|
| The service IP address of every node or node canister | 170.225.126.11, 170.225.126.12, 170.225.127.11 and 170.225.127.12 | 22 | ssh | Outbound only |
Remote Proxy Server (deprecated for 8.4.2)
With the addition of the HTTP proxy support, Remote Support Proxy servers are no longer necessary, but they are still fully supported for existing configurations.
Note: One Remote Support Proxy server can be used by multiple systems, as well as other IBM storage products.

Use the following information to configure a firewall rule after you install and configure the Remote Support Proxy server.

| Source | Target | Port | Protocol | Direction |
|---|---|---|---|---|
| IP address of the Remote Proxy Server | 170.225.126.11, 170.225.126.12, 170.225.127.11, and 170.225.127.12 | 443 | https | Outbound only |

You also need to configure the IP address of the Remote Support Proxy server into the system.

FixCentral (deprecated in 8.4.2)
Previous methods of downloading software upgrade packages from FixCentral over SFTP are still supported, but are not required on systems running 8.4.2 or later. Software upgrade packages can be downloaded onto the system by using the FixCentral network connection. Use the following information to configure a firewall rule.
| Source | Target | Port | Protocol | Direction |
|---|---|---|---|---|
| The service IP address of every node or node canister. | delivery04.dhe.ibm.com | 22 | SFTP (FTP over SSH) | Outbound only |

If a domain name cannot be used for configuring firewall rules, you can use the following IP address: 170.225.126.44.

Note: For more information on firewall configuration, see Configuring support assistance.
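
The following Python check is an added example, not part of the IBM documentation: it compares a candidate firewall rule set against the esupport.ibm.com and direct network connection rules listed above, reporting required outbound flows that are not allowed and rules that are inbound or broader than those flows. The Rule tuple format, the function names, and the 192.0.2.x service addresses are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):          # hypothetical rule format, not a vendor export
    src: str                     # address or CIDR
    dst: str                     # hostname, address or CIDR
    port: int
    direction: str = "outbound"

# Remote-access targets from the direct network connection table above.
REMOTE_ACCESS = ["170.225.126.11", "170.225.126.12",
                 "170.225.127.11", "170.225.127.12"]

def required(service_ips, direct_ssh=True):
    """Outbound flows the page lists for every node service IP."""
    need = [(s, "esupport.ibm.com", 443) for s in service_ips]
    if direct_ssh:               # only when remote access uses the direct connection
        need += [(s, d, 22) for s in service_ips for d in REMOTE_ACCESS]
    return need

def covers(pattern, value):
    """True if a rule field (hostname, address or CIDR) matches the value."""
    if pattern == "0.0.0.0/0":
        return True
    try:
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(value) in net
    except ValueError:           # one side is a hostname: exact match only
        return pattern == value

def audit(rules, service_ips, direct_ssh=True):
    """Return (missing flows, rules that are inbound or broader than required)."""
    need = required(service_ips, direct_ssh)
    out = [r for r in rules if r.direction == "outbound"]
    missing = [n for n in need if not any(
        covers(r.src, n[0]) and covers(r.dst, n[1]) and r.port == n[2] for r in out)]
    excess = [r for r in rules
              if r.direction != "outbound" or (r.src, r.dst, r.port) not in need]
    return missing, excess

# Constructed sample: two node service IPs and a candidate rule set.
NODES = ["192.0.2.10", "192.0.2.11"]
SAMPLE = [Rule("192.0.2.10", "esupport.ibm.com", 443),
          Rule("192.0.2.11", "esupport.ibm.com", 443),
          Rule("192.0.2.0/24", "170.225.126.0/24", 22),
          Rule("0.0.0.0/0", "192.0.2.10", 22, "inbound")]

if __name__ == "__main__":
    missing, excess = audit(SAMPLE, NODES)
    print("missing:", missing)
    print("excess:", excess)
```

On the sample, the /24 SSH rule leaves the two 170.225.127.x targets unreachable from both nodes while still being wider than the four addresses the table names, and the inbound rule is flagged because every rule on this page is outbound only.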