Chapter 6. Using a firewall and securing EWLM 165
and port of the SOCKS server that is protecting the zone where the domain manager is
located.
The sample definition is shown in Example 6-6.
Example 6-6 Sample commands to define SOCKS server configuration in DMZ
On the domain manager:
./changeDM.sh /opt/ewlmDM -ma 9.12.6.142 -mp 3333 -fp 4444 -fb 9.12.10.150:5555:SOCKS -sa 9.12.4.140 -sp 1080
On the firewall broker:
./createFB.sh /opt/ewlmFB -ma 9.12.10.150 -mp 3333 -da 9.12.6.142 -dp 4444 -fp 5555 -auth None
./changeFB.sh /opt/ewlmFB -sa 9.12.8.151 -sp 1080
On the managed server:
./createMS.sh /opt/ewlmMS -ma 9.12.10.150 -mp 3333 -auth None
Handling the firewall broker
As the sample shows, you run the createFB script to create and configure a firewall broker
and the changeFB script to change its configuration afterwards. The firewall broker can run on
a managed server or on another server in the same trusted zone as the managed servers. The
script and all of its parameters are supported on AIX, Linux, Solaris, and Windows; the only
difference is that on AIX, Linux, and Solaris the script has a .sh extension while on Windows it
has a .bat extension. To create a firewall broker on OS/400, use the STRWLM CL command.
For the command syntax, refer to the InfoCenter at:
http://public.boulder.ibm.com/eserver/
6.1.3 Our EWLM firewall configurations
This section shows the two firewall configurations we used in our lab environment. The
StoneGate firewall was set up between the HTTP Plug-in managed server and the rest of the
managed servers and the domain manager. In a production environment there would probably
be more firewalls in place, but this is enough to demonstrate managed server to domain
manager communication across a firewall. Therefore, in Figure 6-5, the only managed server
to domain manager communication that crosses the firewall is from the HTTP Plug-in managed
server to the domain manager.
166 IBM Enterprise Workload Manager
Figure 6-5 Stateful inspection firewall lab configuration
Because there is no Proxy, no additional EWLM configuration is needed; but, as highlighted in
“EWLM firewall support” on page 157, the stateful inspection firewall rules may need to be
updated to permit this traffic.
Figure 6-6 StoneGate stateful inspection firewall and EWLM
Hosts and addresses as labelled in the lab diagram (the EWLMFW firewall is drawn with interfaces 9.12.11.3, 9.12.4.149, and 10.2.2.1):
  EWLM1     9.12.11.2   Managed server (HTTP Plug-in server)
  EWLM2     9.12.4.140  Managed server
  EWLM3     9.12.4.139  Managed server
  EWLM4     9.12.4.138  Managed server
  EWLMDM1   9.12.4.142  Domain manager
  10.2.2.2              StoneGate Management/Log server
  9.12.11.1             IBM router
  9.12.6.7              IBM DNS server
  9.x.x.x               Laptop
Firewall rules shown: Managed Server to domain manager Rule; Control Center and Admin Console Rule.
Figure 6-6 identifies the two rules that were added to the StoneGate firewall to allow traffic
from the HTTP Plug-in managed server on EWLM1 to the domain manager on EWLMDM1 on port
3333. In addition, we were using EWLM1 as a browser in the lab to reach the domain manager's
Control Center and the WebSphere Application Server Admin Console, so we also had to allow
this traffic to EWLMDM1 on ports 20000, 20001, 20003, and 20004.
Once the StoneGate firewall was in place and we were sure the Management Domain was
communicating as expected, we introduced an open source Proxy server to our configuration
in addition to the StoneGate firewall, as shown in Figure 6-7.
Figure 6-7 Proxy firewall ITSO configuration
Including the Proxy firewall in this configuration required changes to the HTTP Plug-in
managed server. The HTTP Plug-in managed server now needed to communicate with the
Proxy and then the Proxy communicated with the domain manager on its behalf. The other
managed servers did not need to be changed because they are in the same network as the
domain manager. In a production environment, this probably would not be the case. In fact,
the domain manager might be in its own system management security zone protected by a
firewall.
In order to set up communications for the Proxy, first we had to alter the StoneGate firewall
rules to allow traffic through the Proxy from the HTTP Plug-in managed server, as shown in
Figure 6-8.
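The two rule sets described for Figures 6-6 and 6-8 can be derived mechanically from the topology: a flow needs an allow rule only when it crosses a zone boundary, and adding the Proxy replaces the managed server's direct hole for port 3333 with one hole to the Proxy and one from the Proxy to the domain manager. The following is an added example that is not code from the Redbook or from EWLM; host names, addresses and ports are the ones printed in the text, while the /24 zone masks, the Rule format and all function names are assumptions made for this example. It also rejects port numbers outside 1-65535, which catches copy errors before they reach a firewall policy.

```python
"""Minimal firewall rule set for an EWLM management domain (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

EWLM_DM_PORT = 3333                                  # managed server -> domain manager
CONTROL_CENTER_PORTS = (20000, 20001, 20003, 20004)  # Control Center / WAS Admin Console

# Assumed zone masks: the figures give host addresses only.
LAB_ZONES = {
    "plugin": ip_network("9.12.11.0/24"),   # EWLM1, the HTTP Plug-in managed server
    "dm":     ip_network("9.12.4.0/24"),    # domain manager and the other managed servers
    "proxy":  ip_network("10.2.1.0/24"),    # proxy segment added in Figure 6-7
}


@dataclass(frozen=True)
class Host:
    name: str
    addr: str
    proxy: Optional["Host"] = None   # managed server reaches the DM through this proxy
    proxy_port: int = 0


@dataclass(frozen=True, order=True)
class Rule:
    src: str
    dst: str
    port: int
    service: str


def valid_port(port):
    """Reject impossible TCP ports before they end up in a firewall policy."""
    if not 0 < port <= 65535:
        raise ValueError(f"port {port} is outside 1-65535")
    return port


def zone_of(addr, zones=LAB_ZONES):
    ip = ip_address(addr)
    for name, net in zones.items():
        if ip in net:
            return name
    raise ValueError(f"{addr} is in no known zone")


def required_rules(managed_servers, dm, browsers=(), zones=LAB_ZONES):
    """Return the allow rules the firewall needs: only flows that cross a zone boundary."""
    flows = []
    for ms in managed_servers:
        if ms.proxy is None:
            flows.append((ms, dm, EWLM_DM_PORT, "ewlm-dm"))
        else:
            # With a proxy the managed server never talks to the DM directly: the
            # hole for port 3333 is opened for the proxy, not for the managed server.
            flows.append((ms, ms.proxy, ms.proxy_port, "proxy"))
            flows.append((ms.proxy, dm, EWLM_DM_PORT, "ewlm-dm"))
    for b in browsers:
        for port in CONTROL_CENTER_PORTS:
            flows.append((b, dm, port, "control-center"))
    rules = set()
    for src, dst, port, service in flows:
        valid_port(port)
        if zone_of(src.addr, zones) != zone_of(dst.addr, zones):
            rules.add(Rule(src.addr, dst.addr, port, service))
    return sorted(rules)


# Lab hosts as labelled in the figures.
EWLMDM1 = Host("EWLMDM1", "9.12.4.142")
PROXY = Host("proxy", "10.2.1.2")
EWLM1 = Host("EWLM1", "9.12.11.2")
EWLM1_VIA_PROXY = Host("EWLM1", "9.12.11.2", proxy=PROXY, proxy_port=8080)
OTHERS = [Host("EWLM2", "9.12.4.140"), Host("EWLM3", "9.12.4.139"), Host("EWLM4", "9.12.4.138")]


def figure_6_6_rules():
    """Stateful inspection only: EWLM1 reaches the DM directly and also browses the Control Center."""
    return required_rules([EWLM1, *OTHERS], EWLMDM1, browsers=[EWLM1])


def figure_6_8_rules():
    """Same lab after changeMS -va 10.2.1.2 -vp 8080 on EWLM1."""
    return required_rules([EWLM1_VIA_PROXY, *OTHERS], EWLMDM1, browsers=[EWLM1])


if __name__ == "__main__":
    for label, rules in (("Figure 6-6", figure_6_6_rules()), ("Figure 6-8", figure_6_8_rules())):
        print(label)
        for r in rules:
            print(f"  allow {r.src} -> {r.dst} tcp/{r.port}  ({r.service})")
```

EWLM2, EWLM3 and EWLM4 produce no rules in either case because they share the domain manager's zone, which is exactly why the text says they needed no changes; the Figure 6-8 set contains no direct EWLM1 to EWLMDM1 rule on port 3333, so that earlier rule can be retired once the Proxy is in place.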
Lab diagram labels for the Proxy configuration: the same hosts and addresses as in Figure 6-6 (EWLM1 9.12.11.2, EWLM2 9.12.4.140, EWLM3 9.12.4.139, EWLM4 9.12.4.138, EWLMDM1 9.12.4.142, StoneGate Management/Log server 10.2.2.2, EWLMFW interfaces 9.12.11.3, 9.12.4.149, and 10.2.2.1), plus a Proxy Server at 10.2.1.2 on a new segment whose firewall-side interface is 10.2.1.1.
Figure 6-8 StoneGate with Proxy configuration and EWLM (rule shown: Managed Server to domain manager using Proxy Rules)
Now the HTTP Plug-in managed server must be changed to communicate with the Proxy instead
of directly with the domain manager. Run the changeMS command on the managed server,
giving the address (-va) and port (-vp) of the Proxy server.
Example 6-7 Managed server configuration for Proxy server
C:\Program Files\IBM\VE\EWLM\MS\bin>changeMS c:\ewlmMS -va 10.2.1.2 -vp 8080
Processing changeMS request, Please be patient as this may take a while...
PROCESSING COMPLETE
Now you can execute a displayMS command that shows the proxy address and proxy port
that the managed server is communicating with as shown in Example 6-8.
Example 6-8 displayMS at the managed server
C:\Program Files\IBM\VE\EWLM\MS\bin>displayMS c:\ewlmMS
Processing displayMS request. Please be patient as this may take a while...
WLMConfig - configurable property settings:
ViaProxyPort/vp(8080)
TracePlugin/tlog(Off)
InterBrokerPort/dp(null)
InterBrokerAddress/da(null)
JmxPort/jp(Off)
FirewallBrokerList/fb(null)
ReportingTrace/rt(250)
ViaProxyHost/va(10.2.1.2)
DomainName/dn(itsoewlm)
JniTrace/jt(250)
SSLKeystore/sslks(null)
ComponentTrace/ct(250)
DomainManagerPort/mp(3333)
MessageLog/ml(250)
CommunicationTrace/nt(250)
TraceDistHubBroker/tcomm(0)
SocksPort/sp(null)
FirewallBrokerPort/fp(null)
FailureLimit/fl(50)
SSLKeystorePassword/sslpw(password suppressed)
DomainManagerAddress/ma(ewlmdm1.itso.ibm.com)
AuthorityLevel/auth(None)
ProcessMode/mode(ManagedServer)
LBPublicPort/lbp(Off)
LBSecurePort/lbs(Off)
EventTrace/et(250)
TraceLevel/tl(Min)
TestComponent/t(null)
DumpRetentionQuantity/dpn(25)
DumpRetentionAge/dpa(30)
SocksHost/sa(null)
WLMConfig - non-configurable property settings:
ManagedServerFailureTime(null)
ManagedServerIdentity(439b9b2f6e14278da3f06539fe0bc139)
ManagedServerId(1)
StatisticsInterval(10)
DomainManagerIdentity(b05b63dad0404b3a5f460829852701c6)
PROCESSING COMPLETE
To check whether the managed server and domain manager are communicating as expected,
sign in to the Control Center with a user ID that has Monitor access and select Managed
servers from the Monitor menu in the left pane. This lists all the managed servers in the
domain and their states.
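Before relying on the Control Center view, it is worth checking the displayMS output itself: the managed server must have exactly one path to the domain manager (direct, -va/-vp proxy, -sa/-sp SOCKS, or -fb/-fp firewall broker), every host setting needs a valid port beside it, and a configuration that crosses a firewall with -auth None and no SSL keystore deserves a second look. The following is an added example, not code from the Redbook or from EWLM: it parses the Name/flag(value) lines that displayMS prints (the sample input is Example 6-8, abbreviated to the properties the check uses) and reports findings. The reading of AuthorityLevel None as "no authentication of the connection", and all function names, are assumptions made for this example.

```python
"""Audit a displayMS listing for a consistent, reviewable firewall path (added example)."""
import re

# Abbreviated copy of the Example 6-8 output, used here as the sample input.
SAMPLE_DISPLAYMS = """\
WLMConfig - configurable property settings:
ViaProxyPort/vp(8080)
InterBrokerPort/dp(null)
InterBrokerAddress/da(null)
JmxPort/jp(Off)
FirewallBrokerList/fb(null)
ViaProxyHost/va(10.2.1.2)
DomainName/dn(itsoewlm)
SSLKeystore/sslks(null)
DomainManagerPort/mp(3333)
SocksPort/sp(null)
FirewallBrokerPort/fp(null)
SSLKeystorePassword/sslpw(password suppressed)
DomainManagerAddress/ma(ewlmdm1.itso.ibm.com)
AuthorityLevel/auth(None)
ProcessMode/mode(ManagedServer)
SocksHost/sa(null)
WLMConfig - non-configurable property settings:
ManagedServerId(1)
PROCESSING COMPLETE
"""

# Configurable properties print as PropertyName/flag(value).
PROP_RE = re.compile(r"^(\w+)/(\w+)\((.*)\)$")


def parse_displayms(text):
    """Map each configurable flag (vp, va, sa, ...) to its value; null and Off become None."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if not m:
            continue  # section headers, non-configurable properties, status lines
        _name, flag, value = m.groups()
        props[flag] = None if value in ("null", "Off") else value
    return props


def port_ok(value):
    return value is not None and value.isdigit() and 0 < int(value) <= 65535


def audit(props):
    """Return INFO/WARN/ERROR findings about how this managed server reaches the domain manager."""
    findings = []
    paths = {"proxy": props.get("va"), "SOCKS": props.get("sa"), "firewall broker": props.get("fb")}
    configured = [name for name, value in paths.items() if value]
    if len(configured) > 1:
        findings.append(f"ERROR: more than one path to the domain manager configured: {configured}")
    findings.append("INFO: path to domain manager = " + (configured[0] if configured else "direct"))
    # A host without a usable port (or vice versa) means the path cannot work.
    for host_flag, port_flag, label in (("va", "vp", "proxy"), ("sa", "sp", "SOCKS"), ("fb", "fp", "firewall broker")):
        if props.get(host_flag) and not port_ok(props.get(port_flag)):
            findings.append(f"ERROR: {label} host set but -{port_flag} missing or invalid")
    if not port_ok(props.get("mp")):
        findings.append("ERROR: domain manager port -mp missing or invalid")
    # Assumed meaning of the printed values: 'None' authority and no keystore means the
    # connection that crosses the firewall is neither authenticated nor encrypted.
    if props.get("auth") == "None":
        findings.append("WARN: AuthorityLevel None: domain manager connection is not authenticated")
    if props.get("sslks") is None:
        findings.append("WARN: no SSL keystore: domain manager traffic crosses the firewall in clear text")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_displayms(SAMPLE_DISPLAYMS)):
        print(finding)
```

Run it against `displayMS` output captured after `changeMS`; an ERROR line means the Control Center will not show the server as active no matter what the firewall rules say, while the WARN lines are the items to raise when the path crosses a zone boundary.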