Configuring IBM Rational Change to run with ESD or in a firewall environment with ESD.
- All server hosts are UNIX
Assumptions for firewall setup:
- IBM Rational Change is installed on a machine in the DMZ, with backend sessions running on a machine in the protected network
- There is no Network Address Translation (NAT) between the DMZ and the protected network.
- The user that will start Rational Synergy backend sessions for Rational Change is a user on the DMZ machine as well as the machine in the protected network. The name and password must be the exact same for this user on both systems.
This document is intended for use by Rational Change/Synergy administrators who want to modify Rational Change to use the UNIX Engine Startup Daemon (ESD) instead of relying on R* protocols for starting and communicating with Rational Synergy sessions. The reasons for wanting to use ESD would be to eliminate use of the R* protocols or to allow Rational Change to be installed in a DMZ and start sessions on a machine in the protected network.
The following steps allow Rational Change to use the ESD to start up and communicate with Rational Synergy sessions, with or without a firewall.
For non-firewall setups skip to step F.
A. Test your network for the presence of NAT.
From your DMZ machine you should be able to ping (or make a network connection to) the machine in the protected network using the same IP address the protected machine has inside the protected network. (Example: if machine A has an IP of 192.168.1.10 inside the protected network, you should be able to ping 192.168.1.10 from the DMZ machine.)
If you have NAT you cannot currently install Rational Change in a DMZ and start sessions on a machine in the protected network.
B. Install Rational Synergy in the protected network or modify an existing installation you want to use.
- Write down the address in CCM_HOME/etc/.router.adr. This will be used when installing Rational Synergy in the DMZ.
- Set up a fixed ESD port for this Rational Synergy installation.
In the CCM_HOME/etc/esd.adr file (create one if it does not currently exist) add hostname:port to the list.
- Make sure that PAM is configured correctly. (See the Rational Synergy 6.2 release notes for how to do this.)
- Start all of the daemons.
- Unpack a database for Rational Change to connect to and store information. (If you already have databases you want to connect to, skip this step.)
- If this is a brand new installation or new database(s) were unpacked, check to make sure that Rational Synergy can start a session against the database(s).
- Edit Rational Synergy to use ESD instead of the R* protocols for engine startup. (Optional)
Add the following line to the [Options] section of CCM_HOME/etc/ccm.ini:
    engine_daemon=true
- Start the Rational Change installation program on the Rational Synergy machine and click 'Update Synergy/CM Installation directory only'. Follow the prompts.
C. Install Rational Synergy on the DMZ machine
- Make both Rational Synergy installations appear at the same path. You can use symbolic links to do this, but always use the common path for CCM_HOME.
If the Rational Synergy installation in the protected machine is installed at /usr/local/ccm62 then the installation on the DMZ machine needs to be installed with /usr/local/ccm62 as well.
- Open the CCM_HOME/etc/.router.adr file and set it to the same IP address that was assigned during the install of Rational Synergy in the protected network. This is the address that you should have previously written down.
D. Configure the firewall to allow TCP connections from the DMZ machine to the host:ports defined in the following files in the CCM_HOME/etc directory of the installation in the protected network.
- The router file - .router.adr (example: trapeze:5643:192.168.43.24).
- The ESD file - esd.adr (example: trapeze:8543).
- If you want to run Rational Synergy sessions on the DMZ machine, you will also need to configure the object registrar to run on a fixed port. (The objreg file - .objreg.adr) (for example: trapeze:32655)
- Configure the firewall to allow TCP connections from the unprotected network (internet) into the Rational Change server port in the DMZ. (The port you are using or will be using for your Rational Change installation.)
E. Test to make sure the firewall is configured correctly.
- From the DMZ machine, you should be able to run ccm monitor successfully. It should connect to the router on the protected machine and you should see all processes currently running there. If needed, double-check the results by running ccm monitor on the protected machine.
- If you are not able to successfully run ccm monitor then something is misconfigured, or the firewall is blocking the connection.
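The script below is an added example, not part of the original document or of IBM's tooling: it reads the three address files named in step D and lists the host:port endpoints the firewall must allow from the DMZ machine, with an optional TCP probe for step E. The function names are hypothetical, and the host:port[:ip] layout is assumed from the example entries shown above.

```shell
#!/bin/sh
# Added example (not IBM's code). Function names are hypothetical; the
# host:port[:ip] layout is assumed from the example entries in step D.

# Print "file host port" for every entry in the three address files.
# Malformed entries are reported on stderr and skipped.
list_endpoints() {
    etc_dir=$1
    for f in .router.adr esd.adr .objreg.adr; do
        [ -f "$etc_dir/$f" ] || continue
        while IFS=: read -r host port _ip || [ -n "$host" ]; do
            [ -n "$host" ] || continue                  # blank line
            valid=1
            case $port in ''|*[!0-9]*) valid=0 ;; esac  # digits only
            [ "$valid" = 1 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
                echo "skip: bad entry in $f: $host:$port" >&2
                continue
            }
            echo "$f $host $port"
        done < "$etc_dir/$f"
    done
}

# TCP connect with a 3 second timeout; returns 0 if the port accepts.
# Needs bash (for /dev/tcp) and coreutils timeout on the DMZ host.
probe() {
    timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Probe every listed endpoint; list the unreachable ones and return 1.
check_all() {
    failed=$(list_endpoints "$1" | while read -r f h p; do
        probe "$h" "$p" || echo "  $f -> $h:$p"
    done)
    [ -z "$failed" ] && return 0
    echo "unreachable from this host:"; echo "$failed"
    return 1
}

# Constructed sample files built from the page's example values.
demo_dir=$(mktemp -d)
printf 'trapeze:5643:192.168.43.24\n' > "$demo_dir/.router.adr"
printf 'trapeze:8543\nbadline\n'      > "$demo_dir/esd.adr"
printf 'trapeze:32655\n'              > "$demo_dir/.objreg.adr"
list_endpoints "$demo_dir"    # the endpoints the firewall rule must cover
# On the real DMZ machine: check_all "$CCM_HOME/etc"
```

A failed probe does not distinguish a firewall drop from a daemon that is not running, so compare the result with ccm monitor on the protected machine and with the firewall activity logs.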
F. Steps to set up your CM Synergy installation for non-firewall ESD use. (Skip if setting up Rational Change to run with a firewall.)
- Open the CCM_HOME/etc/esd.adr file, or create one if it does not currently exist.
- Add the following line to the file:
    hostname:port
Where hostname is the name of the computer and port is any open port on the machine.
- Start the ESD daemon: CCM_HOME/bin/ccm_esd
- Repeat these steps for all hosts on which Rational Change will start backend sessions.
G. Install Rational Change on the DMZ machine and set it up to use the Engine Startup Daemon.
- On the Admin - Server screen make sure that the host is set to the host name of the machine on the protected network.
- Open CS_HOME/cs_app/webapps/synergy/WEB-INF/wsconfig/pt.cfg
- Locate the following line in the pt.cfg file:
    [CCM_SYSTEM][ENGINE_DAEMON]false[/ENGINE_DAEMON][/CCM_SYSTEM]
- Replace the above line with the following line:
    [CCM_SYSTEM][ENGINE_DAEMON]true[/ENGINE_DAEMON][/CCM_SYSTEM]
- Stop and start the Jetty web server.
When Rational Change restarts, it will use the Engine Startup Daemon to talk with the Rational Synergy sessions and will no longer use the R* protocols.
- For problems with Rational Change, check the pt.log in CS_HOME/cs_app/webapps/synergy/WEB-INF/wsconfig/tmpdir
- For problems with the ESD, check the ESD log in CCM_HOME/log/ccm_esd_hostname.log
- For Rational Synergy related problems, check the CCM UI and CCM Engine log files.
- Check your firewall activity logs.