IBM Support

T3-T6 communications across firewalls

Question & Answer


Question

How do you configure ports so that the T3 and T6 agents can communicate across firewalls?

Answer


You define and edit profiles through the AMC (Application Management Configuration) Editor in the TEP (Tivoli Enterprise Portal) console. The T3 agent distributes scripts to the T6 agents that appear in the profile distribution list.

This process is supported by the T1 (File Transfer Enablement) component on the T3 host and on each T6 server.

Note: Starting in ITCAM for Transactions 7.4, the T1 (File Transfer Enablement) logic is embedded in the T3 and T6 agents. Consequently, when you run a cinfo (Unix/Linux) or kincinfo (Windows) report, the T1 (File Transfer Enablement) component does not appear in the report on new ITCAM for Transactions 7.4 installations unless those servers include the TEMS. In V7.4, the embedded T1 (File Transfer Enablement) logic calls the T1 (File Transfer Enablement) component directly on the TEMS to which the T3 or T6 agent is connected.

Note: When you upgrade to ITCAM for Transactions 7.4, an existing T1 (File Transfer Enablement) component from the earlier build still appears in cinfo/kincinfo reports. However, these visible instances of the T1 (File Transfer Enablement) component are ignored.

Note: Starting in ITM 6.22 FP02, the T1 (File Transfer Enablement) component became an integral part of the infrastructure on the HTEMS (hub TEMS) or RTEMS (remote TEMS). The ITM version of the T1 (File Transfer Enablement) component is a superset of the T1 (File Transfer Enablement) component that the ITCAM for Transactions agents use locally.

Note: The T3 agent is also known as the Application Management Console (AMC) or as the ITCAM Console.

There are two halves to T3-T6 communications:



1) Uploading scripts to T3
2) Distributing scripts and profiles to T6 agents

All T3-T6 data transfers go through the TEMS (Tivoli Enterprise Monitoring Server) using a predefined TEMS port. The default base port is 1918 for TCP, or 3660 for secure TCP. This port needs to be open bidirectionally – inbound to the TEMS, and outbound from the TEMS. Here, ‘TEMS port’ refers to the port on the HTEMS or RTEMS where the agent connects.

The T6 agents poll T3 periodically. If there are new scripts or profiles, or changes to existing scripts or profiles, T6 agents download the files from T3 using the T1 (File Transfer Enablement) component on the standard TEMS/TEMA connection.



In order for the Multi File Uploader and the ITCAM Export Plugin to upload scripts to the T3 agent, port 1976 (default) must be open bidirectionally on the T3 agent host and on the server where the script upload occurs.

Connect the T3 agent directly to the HTEMS. Connecting the T3 agent directly to the HTEMS improves communication between the T3 and T6 agents, compared to connecting the T3 agent to an RTEMS.

You can connect the T6 agents to the hub TEMS or to a remote TEMS.

Ephemeral Ports

When a client initiates a TCP/IP socket connection to a server, the client typically connects to a specific port on the server and requests that the server respond to the client over an ephemeral, or short-lived, TCP or UDP port.



The T3 and T6 agents connect to the TEMS port (1918 or 3660) on the HTEMS or RTEMS using an ephemeral port. The operating system provides an available source port for use when a TCP connection to the TEMS port is required.

You generally do not need to account for source ports when you set up firewall rules, because firewall rules usually restrict traffic by LISTENING port.



Use the netstat command with the findstr filter on Windows, or use the netstat command with the grep filter on Unix/Linux to surface this information.

netstat -an | findstr 1918
netstat -an | grep 1918

Examples:

1) The T3 agent is connected to the hub TEMS on port 1918. Ephemeral port 59164 is open on the T3 host for communication with the hub TEMS. The T3 agent is ready to receive a workspace query or to transmit data to the hub TEMS.



2) The following example shows an ESTABLISHED connection between the T3 agent and the HTEMS.
The HTEMS is listening on port 1918, and T3 connects to HTEMS via an ephemeral port 45166.
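
The following is an added example, not part of the original IBM technote. It classifies netstat -an lines by exact TEMS port, so that a listening TEMS, an outbound agent connection from an ephemeral port, and an inbound connection can be told apart. The addresses in the sample are constructed, and the function name classify_tems_sockets is hypothetical.

```shell
#!/bin/sh
# Added example (not IBM code): classify `netstat -an` lines that involve the TEMS port.
# Reads netstat output on stdin and prints one line per matching TCP socket:
#   LISTEN <port>                   this host accepts connections on the TEMS port
#   OUT <ephemeral> <remote-host>   this host connected out to a TEMS (agent side)
#   IN <remote-host> <remote-port>  a peer connected in to the local TEMS port
classify_tems_sockets() {
    awk -v port="$1" '
    # Split "addr:port" (Linux, Windows) or "addr.port" (AIX, Solaris, HP-UX) at the last separator.
    function split_ep(ep, out,   i) {
        i = length(ep)
        while (i > 0 && substr(ep, i, 1) !~ /[:.]/) i--
        out["host"] = substr(ep, 1, i - 1)
        out["port"] = substr(ep, i + 1)
    }
    tolower($1) ~ /^tcp/ && NF >= 4 {
        # The state is the last column; the local and foreign endpoints precede it.
        state = toupper($NF); split_ep($(NF - 2), l); split_ep($(NF - 1), r)
        if (state ~ /^LISTEN/ && l["port"] == port) print "LISTEN", l["port"]
        else if (state == "ESTABLISHED" && r["port"] == port) print "OUT", l["port"], r["host"]
        else if (state == "ESTABLISHED" && l["port"] == port) print "IN", r["host"], r["port"]
    }'
}

# Constructed sample that mixes Windows, Linux and AIX line formats.
# The last line contains "1918" only as part of port 51918 and must not be reported.
sample_netstat='  TCP    10.0.0.5:59164         10.0.0.9:1918          ESTABLISHED
tcp        0      0 0.0.0.0:1918            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.9:1918           10.0.0.5:45166          ESTABLISHED
tcp4       0      0  *.1918                 *.*                     LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.7:51918          ESTABLISHED'
printf '%s\n' "$sample_netstat" | classify_tems_sockets 1918
```

Only the LISTEN and IN lines identify a port that a firewall rule has to allow inbound; the OUT lines show the ephemeral source port that the operating system picked on the agent host.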

Configuring Ephemeral Modifier in KDC_FAMILIES Variable

The EPHEMERAL:Y modifier allows the agent to open a single port for bidirectional communication with the TEMS. This modifier appears in the KDC_FAMILIES variable in the agent environment configuration file, like this:



KDC_FAMILIES="EPHEMERAL:Y IP.PIPE PORT:1918 IP use:n SNA use:n IP.SPIPE use:n"

Note: If you do not use the EPHEMERAL:Y modifier, the agent opens a second socket connection from the TEMS to the agent base+N*4096 port used for real time data, such as workspace queries. The EPHEMERAL:Y modifier allows the agent to open a socket to the TEMS port for both purposes. Internally, virtual ports are multiplexed together.

Some agents use the KDE_TRANSPORT variable instead of KDC_FAMILIES. Both variables are used for the same purpose. In the agent RAS1 trace logs, you may see one variable equated to the other, like this:

KDE_TRANSPORT=KDC_FAMILIES="EPHEMERAL:Y IP.PIPE PORT:1918 IP use:n SNA use:n IP.SPIPE use:n"

Note: The ‘EPHEMERAL:Y’ modifier should appear first in the list of modifiers. Modifiers that appear first act globally on all protocols.

Windows:

1) Open the MTEMS (Manage Tivoli Enterprise Monitoring Services) GUI.

2) Right-click the entry for the ITCAM for Robotic Response Time (T6 agent) or ITCAM Console (T3 agent).

3) Select Advanced > Edit Variables....

4) The following message displays if the agent is running. Click Yes.



5) The following settings dialog displays.



If the KDC_FAMILIES variable is not defined, click Add. Enter the following in the Variable and Value fields. @Protocol@ represents the current configured value. Click OK. Verify the information in the T6 configuration panels that display. These are the same panels that display when you reconfigure the agent.



If the KDC_FAMILIES variable is already defined, click Edit. Enter EPHEMERAL:Y as the first modifier in the list. Click OK. Verify the information in the T6 configuration panels that display.

6) Restart the agent.

Unix/Linux:

The method you use for adding the EPHEMERAL:Y modifier to the KDC_FAMILIES variable is slightly different between ITM 6.22 and ITM 6.23 and later. Here are the step-by-step instructions.

ITM 6.23 and later uses a <pc>.environment file to define KDC_FAMILIES modifiers that override the originally defined modifiers. Here, <pc> is the product code, such as T3 or T6. In contrast, ITM 6.22 uses a <pc>.override file to define the override modifiers.

ITM 6.23 and later:

1) Add or edit a t3.environment or t6.environment file in the ITM_HOME/config directory on the T3 or T6 host.

2) Add a copy of the current KDC_FAMILIES variable to the file. You can obtain the content of the KDC_FAMILIES variable from the current T3 or T6 RAS1 trace log:

$ITM_HOME/logs/${HOSTNAME}_t3_*.log
$ITM_HOME/logs/${HOSTNAME}_t6_*.log



Example:

KDC_FAMILIES="ip.pipe port:1918 ip use:n ip.spipe use:n sna use:n"

3) Add the EPHEMERAL:Y modifier to the beginning of the list of modifiers in the KDC_FAMILIES variable in the t3.environment or t6.environment file.

Example:

KDC_FAMILIES=EPHEMERAL:Y ip.pipe port:1918 ip use:n ip.spipe use:n sna use:n

Note: Do not enclose the list of modifiers in quotation marks.

4) Save the file.

5) Stop and restart the agent.

ITM 6.22:

1) Add or edit a t3.override or t6.override file in the ITM_HOME/config directory on the T3 or T6 host.

2) Add a copy of the current KDC_FAMILIES variable to the file. You can obtain the content of the KDC_FAMILIES variable from the current T3 or T6 RAS1 trace log:

$ITM_HOME/logs/${HOSTNAME}_t3_*.log
$ITM_HOME/logs/${HOSTNAME}_t6_*.log



Example:

KDC_FAMILIES="ip.pipe port:1918 ip use:n ip.spipe use:n sna use:n"

3) Add the EPHEMERAL:Y modifier to the beginning of the list of modifiers in the KDC_FAMILIES variable in the t3.override or t6.override file.

Example:

KDC_FAMILIES='EPHEMERAL:Y ip.pipe port:1918 ip use:n ip.spipe use:n sna use:n'

Note: Enclose the list of modifiers in single quotation marks.

4) Save the file.

5) Add a line like the following to the ITM_HOME/config/t3.ini or t6.ini file on the T3 or T6 server. The syntax is period, space, fully qualified path to the t3.override file or to the t6.override file.

Example:



6) Stop and restart the agent.
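
The following is an added example, not part of the original IBM technote. It checks a <pc>.environment file (ITM 6.23 and later) or a <pc>.override file (ITM 6.22) against the two rules in the steps above: EPHEMERAL:Y is the first modifier, and the quoting matches the file type. The function name check_kdc_families, its return codes, and the choice to treat the last KDC_FAMILIES line as the effective one are assumptions; the sample files are constructed.

```shell
#!/bin/sh
# Added example (not IBM code): lint the KDC_FAMILIES line of an agent override file.
# Usage: check_kdc_families FILE KIND   KIND = environment (ITM 6.23+) | override (ITM 6.22)
# Returns 0 = ok, 1 = not defined, 2 = EPHEMERAL:Y not first, 3 = wrong quoting.
check_kdc_families() {
    file=$1
    kind=$2
    # Assumption: if the variable is set more than once, the last line is the effective one.
    line=$(sed -n '/^[[:space:]]*KDC_FAMILIES=/p' "$file" | tail -n 1)
    if [ -z "$line" ]; then
        echo "$file: KDC_FAMILIES is not defined"; return 1
    fi
    raw=${line#*=}
    # Strip one leading and one trailing quotation mark to get the bare modifier list.
    list=$(printf '%s\n' "$raw" | sed "s/^[\"']//; s/[\"']\$//")
    first=${list%% *}
    if [ "$first" != "EPHEMERAL:Y" ]; then
        echo "$file: first modifier is '$first', expected EPHEMERAL:Y"; return 2
    fi
    case $kind in
        environment)   # <pc>.environment: no quotation marks around the list
            case $raw in
                \"*|\'*) echo "$file: remove the quotation marks"; return 3 ;;
            esac ;;
        override)      # <pc>.override: single quotation marks around the list
            case $raw in
                \'*\') ;;
                *) echo "$file: enclose the list in single quotation marks"; return 3 ;;
            esac ;;
        *) echo "unknown file kind: $kind"; return 64 ;;
    esac
    echo "$file: ok"
}

# Constructed sample files modelled on the examples in the steps above.
demo=$(mktemp -d)
echo 'KDC_FAMILIES=EPHEMERAL:Y ip.pipe port:1918 ip use:n ip.spipe use:n sna use:n' > "$demo/t6.environment"
echo 'KDC_FAMILIES="ip.pipe port:1918 ip use:n ip.spipe use:n sna use:n"' > "$demo/t3.environment"
echo "KDC_FAMILIES='EPHEMERAL:Y ip.pipe port:1918 ip use:n ip.spipe use:n sna use:n'" > "$demo/t3.override"
check_kdc_families "$demo/t6.environment" environment || echo "  exit code $?"
check_kdc_families "$demo/t3.environment" environment || echo "  exit code $?"
check_kdc_families "$demo/t3.override" override || echo "  exit code $?"
rm -rf "$demo"
```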


Historical Number

75137.999.649

Document Information

Modified date:
17 June 2018

UID

swg21574141