Remote Access

Overview

In order to use a local Config Editor and send jobs to a remote Directory Integrator server you must configure the server's firewall and edit the server's solution.properties file.

Configure the Server Firewall
Assuming you have a Linux host, your first step is to configure the server's iptables firewall to allow in the ports listed below. You may also want to add the TIMSOL port of 8800 explicitly, to limit which Identity Management servers can talk to the dispatcher.

In an iptables fragment file, it would look like this:

# The TDI WebServer Port
-A INPUT -s 10.17.0.0/16 -m tcp -p tcp --dport 1098 -j ACCEPT

# The Server RMI Naming Port and Passive Port Range
-A INPUT -s 10.17.0.0/16 -m tcp -p tcp --dport 1099 -j ACCEPT
-A INPUT -s 10.17.0.0/16 -m tcp -p tcp --dport 8700:8900 -j ACCEPT

# The TIMSOL RMI Dispatcher Port (allows access from another network range)
-A INPUT -s 10.17.0.0/15 -m tcp -p tcp --dport 8800 -j ACCEPT

# The Property Store Port
-A INPUT -s 10.17.0.0/16 -m tcp -p tcp --dport 1527 -j ACCEPT

# The AMC Console HTTP, HTTPS, and Action Manager
-A INPUT -s 10.17.0.0/16 -m tcp -p tcp --dport 13100 -j ACCEPT
-A INPUT -s 10.17.0.0/16 -m tcp -p tcp --dport 13101 -j ACCEPT
-A INPUT -s 10.17.0.0/16 -m tcp -p tcp --dport 13104 -j ACCEPT

A standalone firewall's config would be similar.

Edit The solution.properties

The first step is finding the correct file. IBM details this in their admin guide. Suffice it to say, you're interested in the one your server process is using. If you used the install folder as your solution folder, it will be along the lines of:

/opt/IBM/TDI/V7.2/solution.properties

In that file, find the block that contains the property com.ibm.di.store.hostname and change it so it looks like this (make sure the IP is correct, of course). Also uncomment the api.remote.server.ports property. The documentation instructs you to use the IP address, but that seems to make the host ignore localhost listening; using 0.0.0.0 tells it to listen on all interfaces.


## Details for starting Cloudscape in network mode.
## Note: If the com.ibm.di.store.hostname is set to localhost then remote connections will not be allowed.
## If it is set to the IP address of the local machine - then remote clients can access this Cloudscape
## instance by mentioning the IP address. The network server can only be started for the local machine.
#
#com.ibm.di.store.start.mode=automatic
#com.ibm.di.store.hostname=localhost
com.ibm.di.store.hostname=0.0.0.0
com.ibm.di.store.port=1527
com.ibm.di.store.sysibm=true
...
...
api.remote.server.ports=8700-8900

Note: the Derby server is not started by default and does not start and stop with the ibmdisrv process. Rather, it starts automatically when you connect to it with the Config Editor (or when an assembly line needs it). To test that your config change works, you must stop it if it's running, start it again, and attempt to connect from a remote host.


cd <TDI Install>

./bin/stopNetworkServer

./bin/startNetworkServer


Now you can test connecting from another host.

ssh some.other.host
telnet my.tdi.server 1527
Trying 192.168.1.1..
Connected to my.tdi.server (192.168.1.1).
Escape character is '^]'

telnet my.tdi.server 1099
Trying 192.168.1.1..
Connected to my.tdi.server (192.168.1.1).
Escape character is '^]'

If you want to make sure Derby and the DI servers are running:

ps -ef | grep derby
tdiuser   9610  9533  0 12:54 ?        00:00:03 java -classpath /opt/IBM/TDI/V7.1.1/jars/3rdparty/IBM/derbynet.jar:....

ps -ef | grep ibm
tdiuser   5148     1  0 Mar07 ?        00:00:00 /bin/sh /opt/IBM/TDI/V7.1.1//ibmdisrv -d
tdiuser   5158  5148  0 Mar07 ?        00:08:07 /opt/IBM/TDI/V7.1.1/jvm/jre/bin/java -cp /opt/IBM/TDI/V7.1.1/IDILoader.jar -Dlog4j.configuration=file:etc/log4j.properties com.ibm.di.loader.ServerLauncher -d


Accessing the DI Server through an SSH gateway

If you don't have direct access to the server but have an SSH server in between, you can use a SOCKS proxy. Issue this command on your local host:

ssh -f -N -D 1080 login

In the Config Editor, edit the Network Connection proxy entries to turn on the proxy:

Window --> Preference --> Network Connection --> Active Provider = Manual


Note: this sends _all_ your connections out the proxy, so some DB links may not work as you expect.

Troubleshooting

If you see errors about connections refused when accessing the property store at runtime (as opposed to in the Config Editor), you may need to ensure that you have used 0.0.0.0 and restarted the Derby instances.
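As an added check, not part of the original page or IBM's tooling, the following bash script verifies the two things this page changes: that solution.properties has the store hostname set to something other than localhost with api.remote.server.ports uncommented, and that the ports from the iptables fragment above answer when probed from a remote client host. The file path and server name are arguments you supply; the port list is taken from the fragment, with 8700 standing in for the 8700-8900 range.

```bash
#!/usr/bin/env bash
# Added example, not from the page: check the solution.properties edits this
# page describes, then probe the ports that the iptables fragment opens.

# 0 if the last uncommented com.ibm.di.store.hostname is not localhost and
# api.remote.server.ports is uncommented; otherwise report and return 1.
check_solution_properties() {
    local file="$1" hostname ports ok=0
    hostname=$(grep -E '^[[:space:]]*com\.ibm\.di\.store\.hostname=' "$file" \
               | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
    ports=$(grep -E '^[[:space:]]*api\.remote\.server\.ports=' "$file" \
            | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
    case "$hostname" in
        ""|localhost|127.0.0.1)
            echo "store hostname is '${hostname:-unset}': remote Derby clients will be refused" >&2
            ok=1 ;;
    esac
    if [ -z "$ports" ]; then
        echo "api.remote.server.ports is still commented out" >&2
        ok=1
    fi
    return $ok
}

# TCP connect to host:port with a 3 s timeout, using bash's /dev/tcp so the
# client host needs neither telnet nor nc. 0 means something accepted.
probe_port() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Ports from the iptables fragment; 8700 stands in for the 8700-8900 range.
TDI_PORTS="1098 1099 8700 8800 1527 13100 13101 13104"

# Probe every TDI port on a host; 0 only if all of them answered.
probe_all() {
    local host="$1" port failed=0
    for port in $TDI_PORTS; do
        if probe_port "$host" "$port"; then echo "$host:$port open"
        else echo "$host:$port closed or filtered"; failed=1; fi
    done
    return $failed
}

# Usage: check_tdi_remote.sh /opt/IBM/TDI/V7.2/solution.properties my.tdi.server
# Run it from the remote client host so the firewall path is exercised.
if [ -n "${1:-}" ]; then check_solution_properties "$1"; fi
if [ -n "${2:-}" ]; then probe_all "$2"; fi
```

A "closed or filtered" result for 1527 after the properties check passes usually means the Derby network server was not restarted after the edit.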