Configuring anchors
You can configure anchors for discovery when a firewall is present.
The anchor must be located in the same network section as the target for discovery and meet the same software requirements as the TADDM server.
Before you can discover systems that have a firewall between them and the TADDM server, the TADDM server must allow SSH traffic to the anchor. Make sure that your network administrator configures the firewall to enable SSH traffic between the TADDM server and the anchor. You must use the SSH version 2 protocol when exchanging data.
TADDM_userid ALL=(ALL) NOPASSWD:nmap_path
where
- TADDM_userid is the TADDM discovery service account on the anchor system.
- nmap_path is the full path to the location of the nmap command.
Defaults requiretty line, comment it out.
The anchor is created by the AnchorSensor through an SSH session that connects to the system defined as the anchor. The user for the SSH session is the first Computer System (or Computer System (Windows)) entry in the Access List that completes a successful connection. On the anchor system, the home directory for this user must be writable by the user and have at least 1.2 GB of free space. The TADDM files, including the Java SDK, are transferred to this directory by using scp and extracted. Since these files contain executable code, you must either disable antivirus programs or configure them to allow the anchor user to transfer and extract this code. Anchors are also automatically redeployed by the AnchorSensor after TADDM maintenance changes, such as fix packs.
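A check for the sudoers requirements described above (the NOPASSWD entry for nmap and the requiretty default), as an added example that is not part of the TADDM documentation or product. The account name taddmsvc, the path /usr/bin/nmap and the function audit_sudoers are assumptions; flagging a NOPASSWD rule that covers ALL commands is an extra least-privilege check added here.

```python
import re

# Constructed sample sudoers content. "taddmsvc" and /usr/bin/nmap are
# hypothetical stand-ins for TADDM_userid and nmap_path.
SAMPLE_SUDOERS = """\
Defaults    requiretty
Defaults    env_reset
root        ALL=(ALL) ALL
taddmsvc    ALL=(ALL) NOPASSWD:/usr/bin/nmap
"""

def audit_sudoers(text, account):
    """Return findings for the anchor's sudoers requirements (empty = OK)."""
    findings, commands = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # comments; includes are not followed
            continue
        fields = line.split(None, 1)
        if len(fields) < 2:
            continue
        head, rest = fields
        if head == "Defaults":
            # Global defaults may list several comma-separated options.
            if "requiretty" in [opt.strip() for opt in rest.split(",")]:
                findings.append("active 'Defaults requiretty' line: comment it out")
        elif head == account:
            match = re.search(r"NOPASSWD:\s*(.+)$", rest)
            if match:
                commands += [c.strip() for c in match.group(1).split(",")]
    if not commands:
        findings.append(f"no NOPASSWD entry found for {account}")
    for cmd in commands:
        if cmd == "ALL":
            findings.append("NOPASSWD covers ALL commands, not only nmap")
        elif not (cmd.startswith("/") and cmd.split()[0].endswith("/nmap")):
            findings.append(f"NOPASSWD command is not a full path to nmap: {cmd}")
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS, "taddmsvc"):
        print(finding)
```

The check reads a single file and does not follow include directives, so run it against each sudoers file that applies to the anchor account.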
If the network connection between the TADDM server and the anchor system is slow, or if the TADDM server and the anchor server are far apart, the AnchorSensor might time out before it completes the creation of the anchor. The default timeout value is 20 minutes. To change the timeout value for the AnchorSensor, modify the com.collation.discover.agent.AnchorSensor.timeout property in the COLLATION_HOME/etc/collation.properties file. The value is in milliseconds, so the default value is 1200000, which equals 20 minutes.
After the firewall setup is complete, define the anchor by using the Discovery Management Console. When you define the anchor, you must include it in the scope of the root server. The scope of the anchor must be restricted to the systems in that network section. When discovery is initiated from the Discovery Management Console, the TADDM server deploys the necessary files to the anchor. After the files are deployed, the anchor runs the discovery and returns the results to the TADDM server.
If there are multiple zones or firewalls, you must specify at least one anchor in each adjacent zone so that communications can be relayed from each anchor across each firewall. To do this, SSH traffic must be enabled between each pair of adjacent anchors, starting with the root server. Each anchor in the next adjacent network subnet must be included in the scope of the anchor in the previous subnet. Anchors chained in this way must be running on the same operating system type.
See Adding an anchor or gateway for information about defining anchors using the Discovery Management Console.
Also note that the TADDM user interface does not indicate which NAT zone an object is in. To avoid confusion, make sure hosts with the same IP address in different NAT zones have different host names, which makes it possible to distinguish them. Assign different domains (for example, nat1.lab.company.com, nat2.lab.company.com) to each NAT zone. This ensures that the fully-qualified host names from different NAT zones are unique. Note that if the same DNS server is used for different NAT zones with identical subnet addresses, then different DNS views must be used for each zone.
- Set the anchor port.
  - In the Anchors and Gateways pane of the Discovery Management Console, click Set Anchor Port. The Edit Port Number window is displayed.
  - In the Port No. field, type the port number. Ensure that the port number is different for each TADDM server.
  - Click OK.
- Set the anchor directory.
  - Open the $COLLATION_HOME/etc/collation.properties file.
  - Set the com.ibm.cdb.taddm.anchor.root property value to the anchor directory name. Ensure that the property is not commented out and that the directory is different for each TADDM server.
anchor_location_n attribute in the $COLLATION_HOME/etc/anchor.properties file.
The following sample entries from the anchor.properties file indicate how location information for anchors is set:
anchor_host_1=192.168.1.13
anchor_scope_1=FIRST_SCOPE
anchor_zone_1=FIRST_ZONE
anchor_location_1=FIRST_LOCATION
anchor_host_2=192.168.2.22
anchor_scope_2=SECOND_SCOPE
anchor_location_2=SECOND_LOCATION
Port=8497
If a location tag is not specified for an anchor, the location of each of the CIs that are created on the anchor is set to the location that is specified for the TADDM server to which the CIs are connected. If the location tag is not specified for the anchor or the TADDM server, no location information is set for that CI.
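The location fallback described above, applied to the sample anchor.properties entries, as an added example that is not TADDM code. The functions parse_anchors and resolve_locations are hypothetical, and the server location is passed in as a parameter because the page does not show where it is configured.

```python
import re

# Sample entries copied from the anchor.properties listing on this page.
SAMPLE = """\
anchor_host_1=192.168.1.13
anchor_scope_1=FIRST_SCOPE
anchor_zone_1=FIRST_ZONE
anchor_location_1=FIRST_LOCATION
anchor_host_2=192.168.2.22
anchor_scope_2=SECOND_SCOPE
anchor_location_2=SECOND_LOCATION
Port=8497
"""

KEY = re.compile(r"^anchor_(host|scope|zone|location)_(\d+)$")

def parse_anchors(text):
    """Group anchor_<attribute>_<n> entries by their numeric suffix n."""
    anchors = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = KEY.match(key)
        if match:                      # skips non-anchor keys such as Port
            anchors.setdefault(int(match.group(2)), {})[match.group(1)] = value
    return anchors

def resolve_locations(text, server_location=None):
    """Map each anchor host to (location, source) using the fallback rule."""
    result = {}
    for n, attrs in sorted(parse_anchors(text).items()):
        host = attrs.get("host", f"anchor_{n}")
        if attrs.get("location"):
            result[host] = (attrs["location"], "anchor")
        elif server_location:
            result[host] = (server_location, "server")   # inherited from server
        else:
            result[host] = (None, "unset")               # no location on the CI
    return result

if __name__ == "__main__":
    for host, (location, source) in resolve_locations(SAMPLE).items():
        print(host, location, source)
```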