IBM Support

Configuring ACSLS communications through a firewall with IBM Spectrum Protect

Troubleshooting


Problem

Configuring external ACSLS library communications through a firewall with the IBM Spectrum Protect (Tivoli Storage Manager) server.

Environment

External ACSLS library users when there is a firewall between the IBM Spectrum Protect (Tivoli Storage Manager) server and the ACSLS server.

Resolving The Problem

When there is a firewall between the IBM Spectrum Protect (Tivoli Storage Manager) server (the Automated Cartridge System Library Software or ACSLS client) and the ACSLS server, use the following configuration steps to configure an external ACSLS library. Otherwise, the Tivoli Storage Manager server is unable to communicate with an ACSLS server on the other side of a firewall.

ACSLS Server options (CSI):

Configure the following options through the acsss_config program on the ACSLS server. Further information on this program and its options can be located within the Oracle ACSLS documentation.
    Select option 1 (Set CSI tuning variables)

    Accept default variables for all except the following:

    CSI_TCP_RPCSERVICE – Set to TRUE
    CSI_UDP_RPCSERVICE – Set to FALSE
    CSI_USE_PORTMAPPER – Set to NEVER
    CSI_FIREWALL_SECURE – Set to TRUE
    CSI_INET_PORT – Set to the port that is open for bidirectional communication through the firewall.

ACSLS Client options (SSI on Tivoli Storage Manager host):

Configure the following options by editing the rc.acs_ssi script provided with IBM Spectrum Protect (Tivoli Storage Manager) in the /opt/tivoli/tsm/devices/bin/ directory.
    Change the following line from: CSI_UDP_RPCSERVICE="TRUE";
    to: CSI_UDP_RPCSERVICE="FALSE";

    Add the following line:
    SSI_INET_PORT=30032;

Note: Set this port to the same port that is defined within the acsss_config program for the CSI_INET_PORT option. Also, the port must be enabled for bidirectional communication through the firewall.
    Add the following line:
    export SSI_INET_PORT

Other considerations and notes:

1. The port mapper must be enabled on the IBM Spectrum Protect (Tivoli Storage Manager) host workstation.
2. The ACSLS client daemons and ACSLS server processes must be recycled so that the new configuration is enabled. The ACSLS server processes must be recycled first, followed by the ACSLS client daemons on the Tivoli Storage Manager host.
3. The rc.acs_ssi file is overwritten if the IBM Spectrum Protect (Tivoli Storage Manager) software is upgraded. If this occurs, it is important to edit the server and client options into the new file instead of restoring the original file. This is because the script provided by IBM Spectrum Protect (Tivoli Storage Manager) might include changes. Recycle the ACSLS client daemons after making any changes to this script.
4. Port range 50001-50010 is invalid for the CSI_INET_PORT and SSI_INET_PORT options, as well as any port already used by another application.
5. There is no firewall support if the ACSLS library is controlled by a library station (HSC or HSC/LS).
6. There is no firewall support if UDP ports are blocked on the firewall.
7. If possible, use the most current version of the IBM Spectrum Protect (Tivoli Storage Manager) release to obtain the latest ACSLS client software (SSI).
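
As an added example (not IBM-supplied code), the following shell function audits a copy of rc.acs_ssi against the client-side settings above: CSI_UDP_RPCSERVICE set to FALSE, and SSI_INET_PORT defined, exported, outside 50001-50010, and equal to the CSI_INET_PORT value you pass in. The function names and the assumption that each setting is a plain NAME=value assignment are illustrative.

```shell
#!/bin/sh
# Added example, not part of rc.acs_ssi. Assumes plain NAME=value assignments
# such as CSI_UDP_RPCSERVICE="FALSE"; and SSI_INET_PORT=30032;

# rc_value FILE NAME -> last value assigned to NAME, without quotes or ';'
rc_value() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 |
        sed -e 's/^[^=]*=//' -e 's/;.*$//' -e 's/["[:space:]]//g'
}

# check_ssi_rc FILE CSI_INET_PORT -> 0 if every check passes, 1 otherwise
check_ssi_rc() {
    file=$1; csi_port=$2; rc=0
    udp=$(rc_value "$file" CSI_UDP_RPCSERVICE)
    port=$(rc_value "$file" SSI_INET_PORT)

    if [ "$udp" != "FALSE" ]; then
        echo "FAIL: CSI_UDP_RPCSERVICE is '${udp:-unset}', expected FALSE"; rc=1
    fi
    case $port in
        ''|*[!0-9]*)
            echo "FAIL: SSI_INET_PORT is missing or not numeric"; rc=1 ;;
        *)
            if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
                echo "FAIL: SSI_INET_PORT $port is not a valid port"; rc=1
            elif [ "$port" -ge 50001 ] && [ "$port" -le 50010 ]; then
                echo "FAIL: SSI_INET_PORT $port is in invalid range 50001-50010"; rc=1
            elif [ "$port" != "$csi_port" ]; then
                echo "FAIL: SSI_INET_PORT $port differs from CSI_INET_PORT $csi_port"; rc=1
            fi ;;
    esac
    # The variable must also be exported (comment lines are ignored).
    if ! grep -v '^[[:space:]]*#' "$file" | grep -Eq \
        '(^|[;[:space:]])export[[:space:]]+([A-Za-z0-9_]+[[:space:]]+)*SSI_INET_PORT([;[:space:]]|$)'
    then
        echo "FAIL: SSI_INET_PORT is not exported"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $file matches the firewall settings"
    return "$rc"
}

# Usage: sh check_ssi_rc.sh /path/to/copy/of/rc.acs_ssi <CSI_INET_PORT>
if [ "$#" -eq 2 ]; then
    check_ssi_rc "$1" "$2"
fi
```

Running it after each IBM Spectrum Protect upgrade catches the case in note 3, where the overwritten script has silently reverted to the UDP default.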

Testing an ACSLS client connection:

Client applications, such as the IBM Spectrum Protect (Tivoli Storage Manager) server, communicate with the ACSLS server over TCP/IP using the Remote Procedure Call (RPC) protocol. If a client system is unable to communicate with the ACSLS server, you can use the rpcinfo command to test whether it is reachable from the client workstation.

1. From the ACSLS server, verify that ACSLS is running:
    psacs
2. From the ACSLS server, verify that the RPC daemon is running:
    ps -ef | grep rpc
3. From the ACSLS server, verify that program number 300031 is registered for TCP and UDP:
    rpcinfo | grep 300031

This program number confirms that ACSLS is running and that ACSLS has registered with RPC.

4. From the client workstation (Tivoli Storage Manager server), or any AIX, Linux, or UNIX workstation on the network, use the rpcinfo command to exchange a packet with program number 300031 on the ACSLS server. Specify the IP address of the ACSLS server also:
    rpcinfo -t <ip address> 300031

5. If the communication exchange is successful, this message is displayed:
    program 300031 version 1 ready and waiting
    program 300031 version 2 ready and waiting

This message confirms that ACSLS is available for client connections across the network.


Historical Number

1231145

Product Synonym

ITSM ADSM TSM IBM SPECTRUM PROTECT

Document Information

Modified date:
17 June 2018

UID

swg21597895