162 IBM Enterprise Workload Manager
After restarting the managed server, you should be able to log into the Control Center and
check the managed servers in the Monitor section. The managed server that you changed
should be in active state. You will need to execute this procedure at each managed server
that needs to communicate with the domain manager via a Proxy.
SOCKS and EWLM
If your installation is using a SOCKS server for firewall protection, you must also configure a
firewall broker to allow the managed servers to communicate with the domain manager
through the SOCKS server. The firewall broker does not have to run on a server that is acting
as a managed server. However, it does have to be in the same trusted zone as the managed
servers. There are several configuration parameters that must match when you create and
configure the domain manager, the managed servers, and the firewall broker. If any of the
required parameters are incorrect, the entire communication stream will fail. The firewall
broker image is installed on the managed server as part of the EWLM code in the
<installation_path>/IBM/VE/EWLMMS directory. You can then plan to use the firewall broker
on the managed server itself or distribute it on the appropriate platform.
Table 6-1 is a summary of the different configurations with a SOCKS server and how they
affect the EWLM code, followed by two detailed examples.
Table 6-1 SOCKS server configurations and EWLM set up

Target installation configuration: Protecting the connections from the managed servers to
the domain manager using the SOCKS server
EWLM configuration:
- Need firewall broker.
- Domain manager must be configured to identify firewall broker using the changeDM
  command with -fp and -fb parameters.
- Firewall broker must be configured to use SOCKS server using changeFB command with
  the -sa and -sp parameters.

Target installation configuration: Protecting the connections from the domain manager to
the managed servers using the SOCKS server
EWLM configuration:
- EWLM is not affected. It always connects from the managed servers to the domain
  manager; EWLM is unaware of and unaffected by the existence of the SOCKS server.

Target installation configuration: Protecting the connections from the managed servers to
the domain manager and the connections from the domain manager to the managed server
(that is, through a DMZ) using the SOCKS server
EWLM configuration:
- Need firewall broker.
- Firewall broker must be configured to use SOCKS server using the changeFB command
  with the -sa and -sp parameters.
- Domain manager must be configured to use SOCKS server using the changeDM command
  with the -sa and -sp parameters.
- The domain manager must be configured to identify firewall broker using changeDM
  command with the -fp and -fb parameters.
- The domain manager -fb list must use SOCKS tag for this firewall broker.

In the following discussion, two sample SOCKS server configurations are shown that
mainly describe different architecture solutions for the security zones.
Figure 6-3 shows the managed servers accessing the domain manager through a SOCKS
server through a firewall broker. In this configuration, the SOCKS server is protecting the
zone where the domain manager is located.
Chapter 6. Using a firewall and securing EWLM 163
Figure 6-3 SOCKS Server protecting the domain manager zone
To define this configuration the following changes are required (sample commands are in
Example 6-5):
- On the managed servers specify the following parameters on the createMS command:
  -ma and -mp must point to the IP address or hostname and port of the firewall broker.
- On the firewall broker, run the createFB script with the following parameters:
  -ma, the IP address or hostname of the firewall broker. This parameter must match the
  -ma parameter you set on the createMS script.
  -fp, the port used exclusively for domain manager to firewall broker communications.
  This parameter maps to the port value passed on the -fb parameter of the changeDM
  script.
  -da, the IP address of the domain manager. This parameter maps to the -ma parameter
  on the changeDM script.
  -dp, the port used by the firewall broker to connect to the domain manager. This
  parameter maps to the -fp parameter on the changeDM script.
- On the firewall broker, run the changeFB script with the following parameters:
  -sa, the IP address of the SOCKS server. Which server you specify in this parameter
  depends on how the SOCKS server is set up. If the SOCKS server is protecting the
  zone where the firewall broker and managed servers are located, then you set the -sa
  parameter on the firewall broker, as in this example. If the SOCKS server is protecting
  the zone where the domain manager is located, then you set the -sa parameter on the
  domain manager. In a scenario where there are SOCKS servers protecting both
  zones, as in a DMZ, you would set the -sa parameter on both the firewall broker and
  the domain manager. An example of this setup is described in the next sample
  configuration.
  -sp, the port of the SOCKS server. As with the -sa parameter, where you set -sp
  depends on how the firewall protection is set up.
[Figure 6-3 diagram labels: Domain manager, IP address 9.12.6.142, subnet mask 255.255.255.0, port to communicate with MS 3333, port to communicate with FB 4444; SOCKS server, IP address 9.12.6.140, subnet mask 255.255.255.0, port 1080; Firewall broker, IP address 9.12.10.150, subnet mask 255.255.255.0, port to communicate with MS 3333, port to communicate with DM 5555; Managed server, IP address 9.12.4.141, subnet mask 255.255.255.0, port to communicate with DM 3333]
- On the domain manager specify the following parameters on the changeDM command:
  -fb, which identifies a list of firewall brokers with which the domain manager will
  communicate. Each firewall broker is identified by:
    IP address, which maps to the -ma parameter on the createFB script.
    Port, which maps to the -fp parameter on the createFB script.
    A tag, SOCKS, that indicates that a SOCKS server is required to connect to the
    firewall broker.
  -fp, which is the port the firewall broker uses to communicate with the domain
  manager. This parameter maps to the -dp parameter on the createFB script.
Example 6-5 Sample commands to define the SOCKS server environment

on the Domain manager:
  ./changeDM.sh /opt/ewlmDM -ma 9.12.6.142 -mp 3333 -fp 4444 -fb 9.12.10.150:5555:SOCKS
on the Firewall broker:
  ./createFB.sh /opt/ewlmFB -ma 9.12.10.150 -mp 3333 -da 9.12.6.142 -dp 4444 -fp 5555 -auth None
  ./changeFB.sh /opt/ewlmFB -sa 9.12.6.140 -sp 1080
on the Managed server:
  ./createMS.sh /opt/ewlmMS -ma 9.12.10.150 -mp 3333 -auth None
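Because a single mismatched parameter makes the whole communication stream fail, it is worth checking the createMS, createFB, changeFB and changeDM parameters against each other before running them. The following checker is an added example, not IBM's code: it parses command lines in the form used in Example 6-5, applies the cross-mappings described after Figure 6-3 (createMS -ma/-mp to createFB -ma/-mp, createFB -da to changeDM -ma, createFB -dp to changeDM -fp, createFB -ma:-fp to an entry of changeDM -fb) and the Table 6-1 rule for where -sa/-sp and the SOCKS tag must appear. It assumes every script flag takes exactly one value and that -fb may be a comma-separated list of addr:port[:SOCKS] entries (the page shows a single entry); it checks the plan on paper only, not actual connectivity.

```python
"""Consistency check for EWLM firewall broker / SOCKS parameters.

Added example, not IBM's code. It reads createMS/createFB/changeFB/changeDM
command lines in the form used in Example 6-5 and checks the cross-mappings
the text describes, plus the Table 6-1 rule for where -sa/-sp and the SOCKS
tag must appear. Assumption: every script flag takes exactly one value.
"""
import shlex

# Which EWLM script configures which role (dm = domain manager,
# fb = firewall broker, ms = managed server).
ROLE_OF = {"changeDM": "dm", "createFB": "fb", "changeFB": "fb", "createMS": "ms"}


def parse_cmd(line):
    """Split './changeDM.sh /opt/ewlmDM -ma 9.12.6.142 ...' into
    ('changeDM', {'ma': '9.12.6.142', ...}); tokens[1] is the install path."""
    tokens = shlex.split(line)
    name = tokens[0].rsplit("/", 1)[-1]
    if name.endswith(".sh"):
        name = name[:-3]
    rest = tokens[2:]
    if len(rest) % 2:
        raise ValueError(f"{name}: dangling flag in {line!r}")
    params = {}
    for flag, value in zip(rest[0::2], rest[1::2]):
        if not flag.startswith("-"):
            raise ValueError(f"{name}: expected a flag, got {flag!r}")
        params[flag[1:]] = value
    return name, params


def load_plan(text):
    """Collect each role's parameters from a block of command lines; lines
    that do not start with './' (the 'on the ...' headings) are skipped."""
    plan = {"dm": {}, "fb": {}, "ms": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("./"):
            name, params = parse_cmd(line)
            plan[ROLE_OF[name]].update(params)
    return plan


def parse_fb_list(value):
    """changeDM -fb entries look like addr:port[:SOCKS]; the page shows one
    entry, a comma-separated list is an assumption of this example."""
    brokers = []
    for entry in value.split(","):
        parts = entry.split(":")
        brokers.append({"addr": parts[0], "port": parts[1],
                        "socks": len(parts) > 2 and parts[2].upper() == "SOCKS"})
    return brokers


def check_plan(plan, socks_ms_to_dm, socks_dm_to_ms):
    """Return the list of problems found (an empty list means consistent).
    socks_ms_to_dm: a SOCKS server sits on the MS/FB -> DM path (Figure 6-3).
    socks_dm_to_ms: a SOCKS server sits on the DM -> FB path; on its own it
    changes nothing (Table 6-1), together with the first it is the DMZ case
    (Figure 6-4), which also needs the SOCKS tag on the -fb entry."""
    dm, fb, ms = plan["dm"], plan["fb"], plan["ms"]
    problems = []

    def need(role, flag):
        if flag not in plan[role]:
            problems.append(f"{role}: -{flag} is missing")

    def same(label, a, b):
        if a != b:
            problems.append(f"{label}: {a!r} != {b!r}")

    # Parameters every firewall-broker setup needs before values can be compared.
    for flag in ("ma", "mp"):
        need("ms", flag)
        need("fb", flag)
    for flag in ("da", "dp", "fp"):
        need("fb", flag)
    for flag in ("ma", "fp", "fb"):
        need("dm", flag)
    if problems:
        return problems
    # Fixed mappings between the three scripts (text following Figure 6-3).
    same("createMS -ma vs createFB -ma", ms["ma"], fb["ma"])
    same("createMS -mp vs createFB -mp", ms["mp"], fb["mp"])
    same("createFB -da vs changeDM -ma", fb["da"], dm["ma"])
    same("createFB -dp vs changeDM -fp", fb["dp"], dm["fp"])
    match = [b for b in parse_fb_list(dm["fb"])
             if b["addr"] == fb["ma"] and b["port"] == fb["fp"]]
    if not match:
        problems.append(f"changeDM -fb has no entry {fb['ma']}:{fb['fp']} (createFB -ma:-fp)")
    # Table 6-1: where the SOCKS server address and port go.
    if socks_ms_to_dm:
        need("fb", "sa")
        need("fb", "sp")
    if socks_ms_to_dm and socks_dm_to_ms:
        need("dm", "sa")
        need("dm", "sp")
        if match and not match[0]["socks"]:
            problems.append("changeDM -fb entry for this broker lacks the SOCKS tag")
    return problems


# Constructed copy of the Example 6-5 commands (values taken from the page).
EXAMPLE_6_5 = """
on the Domain manager:
./changeDM.sh /opt/ewlmDM -ma 9.12.6.142 -mp 3333 -fp 4444 -fb 9.12.10.150:5555:SOCKS
on the Firewall broker:
./createFB.sh /opt/ewlmFB -ma 9.12.10.150 -mp 3333 -da 9.12.6.142 -dp 4444 -fp 5555 -auth None
./changeFB.sh /opt/ewlmFB -sa 9.12.6.140 -sp 1080
on the Managed server:
./createMS.sh /opt/ewlmMS -ma 9.12.10.150 -mp 3333 -auth None
"""

if __name__ == "__main__":
    plan = load_plan(EXAMPLE_6_5)
    print("Figure 6-3 setup:", check_plan(plan, True, False) or "consistent")
    print("Figure 6-4 setup:", check_plan(plan, True, True) or "consistent")
```

Run against the Example 6-5 commands, the Figure 6-3 scenario reports no problems; the same commands checked as the Figure 6-4 (DMZ) scenario report that changeDM lacks -sa and -sp, which is exactly the additional configuration the next sample describes.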
In Figure 6-4 a SOCKS server protects the zone where the firewall broker and managed
servers are located and another SOCKS server protects the zone where the domain manager
is located.
Figure 6-4 SOCKS server with DMZ
This configuration is similar to the one described in Figure 6-3 with the difference that you
must also set the -sa and -sp parameters on the changeDM script to identify the IP address
[Figure 6-4 diagram labels (DMZ): Domain manager, IP address 9.12.64.142, subnet mask 255.255.255.0, port to communicate with MS 3333, port to communicate with FB 4444; SOCKS server, IP address 9.12.6.140, subnet mask 255.255.255.0, port 1080; Firewall broker, IP address 9.12.10.150, subnet mask 255.255.255.0, port to communicate with MS 3333, port to communicate with DM 5555; SOCKS server, IP address 9.12.8.151, subnet mask 255.255.255.0, port 1080; Managed server]