IBM Support

ITM Nuggets: ITM KDE firewall gateway redundancy configurations

Technical Blog Post


Abstract

ITM Nuggets: ITM KDE firewall gateway redundancy configurations

Body

As usual, I like to blog about areas of ITM that I cover when working with you, either through PMRs or directly on customer sites.

Today's topic is creating a hot standby / failover configuration for the KDE firewall gateway.

 

Terminology

Before we start, here is the basic terminology you need to know as you read this blog:

TEMS - Tivoli Enterprise Monitoring Server. The hub TEMS is the central server; agents normally connect to a remote TEMS (RTEMS), which forwards to the hub.

TEMA - Tivoli Enterprise Monitoring Agent. The OS agents nominated as gateways in this post are TEMAs like any other.

WPA - Warehouse Proxy Agent, which receives the agents' historical data (default port 63358).

KDE gateway - the firewall gateway function of the ITM communications layer. It is enabled on an OS agent by pointing the KDE_GATEWAY parameter at an XML configuration file.

CT_CMSLIST - the agent parameter that lists the TEMS (protocol and host) the agent may connect to, primary first.

Trusted / untrusted zone - the network zones on either side of the firewall. The TEMS and WPA sit in the trusted (secure) zone; the monitored agents and their DMZ gateways sit in the untrusted (less secure) zone. Upstream means towards the TEMS, downstream towards the agents.

Configurations

There are two types of configurations for the setup of the KDE_GATEWAY.  The examples below demonstrate each type in turn.

 

Configuration #1 - Redundant configuration

Configuration #2 - Failover configuration

Configuration #1

This configuration uses no gateway redundancy. Instead, the agents in the untrusted zone are given a secondary TEMS connection in CT_CMSLIST in their configuration file, so each agent has more than one TEMS it can connect to through the gateway.

The proven failover logic in the agent then decides when to switch to the other TEMS if it loses its primary connection. The gateway itself remains a single point of failure in this configuration, which is what configuration #2 addresses.

 

(Diagram: Configuration #1 - redundant configuration)

Configuration #2

Starting from configuration #1 as the base model, we add failover capability to the gateways in the trusted zone.

The configuration below adds a layer of resiliency to the upstream gateways, which proxy the TEMA clients' requests to either of the two available TEMS. This is all done in the gateway XML configuration files.

 

(Diagram: Configuration #2 - failover configuration. The diagram labels the two TEMS as RTEMS 01 and RTEMS 02 and the two DMZ gateway OS agents as Agent 3 and Agent 4; those labels are referenced below.)

 

Required files

You will need the four XML configuration files listed below (attached to the original post) to achieve this setup. Each file is placed on the machine running the OS agent nominated as that gateway: the GATEWAY*_Upstream.xml files on the two trusted-zone gateway agents, and the DMZGW*_Downstream.xml files on the two DMZ gateway agents (Agents 3 and 4 in the diagram).

GATEWAY1_Upstream.xml
DMZGW1_Downstream.xml
GATEWAY2_Upstream.xml
DMZGW2_Downstream.xml


Modifying the files

You will need to modify the following starred (***) parts of the files so that they map to the hostnames or IP addresses of the components in your environment.

 

***RTEMS1*** = hostname/IP of your primary RTEMS (RTEMS 01 in the above diagram)

***RTEMS2*** = hostname/IP of your secondary RTEMS (RTEMS 02 in the above diagram)

***WPA*** = hostname/IP of your WPA

***DMZGW1*** = hostname/IP of your DMZ Gateway 1 OS agent (Agent 3 in the above diagram)

***DMZGW2*** = hostname/IP of your DMZ Gateway 2 OS agent (Agent 4 in the above diagram)

 

 

Example:

 

File shows:

<connection remoteport="3660">***RTEMS1***</connection>

 

Change ***RTEMS1*** to the hostname or IP address of your RTEMS1. In this example the RTEMS1 IP address is 1.1.1.1.

 

The line in the file now looks like this:

<connection remoteport="3660">1.1.1.1</connection>

How to enable the files

Setting the parameters 

As mentioned above, place these files on the same machine as the OS agent you wish to use as the gateway. Once the files are on the machine, add the following line to that agent's configuration file, specifying the full path and the file name of the XML file that belongs to that gateway.

Add this line to the configuration file of each agent that is being used as a gateway:

KDE_GATEWAY=<full path>/<name>.xml

 

 

Location of the configuration files

Windows OS agent: the ITMHOME/tmaitm6/KNTENV file.

UNIX OS agent: the ITMHOME/config/ux.ini file.

Linux OS agent: the ITMHOME/config/lz.ini file.

 

Once the parameter has been added to the configuration file, the agent must be restarted for the configuration in the XML file to take effect.
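With four files and at least two environments, the placeholder step is where mistakes creep in, so here is a small Python helper, added to this post as an example and not part of the original attachments or of ITM itself. It fills the ***NAME*** tokens from a mapping, refuses to emit a file with any token left unresolved or with a value that is not a hostname or IP address, parses the result to prove it is well-formed XML, and lists the <connection> targets and remote ports so you know which outbound flows the firewall between the zones must permit from that gateway. The template embedded in it is constructed for the example: only the <connection remoteport="..."> syntax is taken from the post, and the <gateway> and <interface> wrapper elements are assumptions standing in for the structure of the real files, so run the helper against the actual attached files rather than relying on that wrapper.

```python
"""Fill the ***NAME*** placeholders in a KDE_GATEWAY XML template and
sanity-check the result before it goes onto a gateway OS agent."""
import ipaddress
import re
import xml.etree.ElementTree as ET

PLACEHOLDER = re.compile(r"\*\*\*([A-Z0-9_]+)\*\*\*")

# Constructed sample template for this example. Only the <connection> syntax
# comes from the post; <gateway> and <interface> are assumed wrapper elements,
# not the verified structure of the attached files.
SAMPLE_TEMPLATE = """<gateway>
  <interface name="upstream" role="connect">
    <connection remoteport="3660">***RTEMS1***</connection>
    <connection remoteport="3660">***RTEMS2***</connection>
  </interface>
  <interface name="warehouse" role="connect">
    <connection remoteport="63358">***WPA***</connection>
  </interface>
</gateway>
"""


def render(template, values):
    """Replace every ***NAME*** with values[NAME]; KeyError if one is missing."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value supplied for placeholder ***{name}***")
        return values[name]
    return PLACEHOLDER.sub(substitute, template)


def unresolved(text):
    """Names of any ***NAME*** tokens still present (should be empty)."""
    return PLACEHOLDER.findall(text)


def looks_like_host(value):
    """True for an IPv4/IPv6 literal or an RFC 1123 style hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    label = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    return re.fullmatch(rf"{label}(?:\.{label})*", value) is not None


def connection_targets(xml_text):
    """(host, port) for each <connection remoteport=...> element. Parsing also
    proves the file is well-formed XML. Tags are matched by local name so a
    namespaced root element does not hide them."""
    root = ET.fromstring(xml_text)
    targets = []
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] != "connection":
            continue
        host = (elem.text or "").strip()
        port_attr = elem.get("remoteport")
        if (port_attr is None or not port_attr.isdigit()
                or not 1 <= int(port_attr) <= 65535):
            raise ValueError(f"bad remoteport {port_attr!r} on connection to {host!r}")
        targets.append((host, int(port_attr)))
    return targets


def prepare_gateway_file(template, values):
    """Render the template and run every check; return (xml_text, targets)."""
    for name, value in values.items():
        if not looks_like_host(value):
            raise ValueError(f"{name}={value!r} is not a hostname or IP address")
    rendered = render(template, values)
    leftover = unresolved(rendered)
    if leftover:
        raise ValueError(f"unresolved placeholders: {leftover}")
    return rendered, connection_targets(rendered)


if __name__ == "__main__":
    # 1.1.1.1 is the address used in the post; the other values are made up.
    xml_text, targets = prepare_gateway_file(
        SAMPLE_TEMPLATE,
        {"RTEMS1": "1.1.1.1", "RTEMS2": "1.1.1.2", "WPA": "wpa.example.com"},
    )
    print(xml_text)
    for host, port in targets:
        print(f"firewall: allow gateway -> {host}:{port}/tcp")
```

Run it once per file with the mapping for the environment you are deploying into; if any check fails, the file must not be copied to the gateway agent. The firewall lines it prints cover only the outbound connections from that gateway; the ports opened by a listen role are not modelled by this sample template.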

Other information 

Here is some information on what some of the parameters in the files mean.

Roles that can be defined in the KDE_GATEWAY XML file, and what they mean (this will help you read the files and set any non-default ports). Three different functions can be defined at a gateway:

role="connect": the TEMA opens the defined port and initiates the connection to the defined server/port. This is the counterpart of "listen": one side of each gateway-to-gateway link connects and the other listens, so the firewall between the zones only has to permit that single flow, in the direction you choose, rather than one rule per agent to the TEMS.

role="listen": the TEMA listens on the defined port for incoming connections from the defined server/port. This is the counterpart of "connect".

role="proxy": the TEMA can start two different kinds of proxy:

• Client proxy: runs in the secure zone and connects the incoming gateway connections on to the TEMS or WPA.

• Server proxy: runs in any of the less secure zones and listens on the TEMS (1918) and/or WPA (63358) port, standing in for the TEMS/WPA towards the agents in that zone.

Further Reading

The best source of information is the IBM Tivoli Monitoring Installation and Setup Guide, in the firewalls appendix, for the version of the product you are using:

 

Appendix C. Firewalls

UID

ibm11082775