BI Pattern - Additional hardening on IBM PureApplication System 1700 when IPSec filtering enabled
IPSec filtering can be enabled after an IBM Business Intelligence Pattern has been deployed on an IBM PureApplication System 1700 server. If the environment requires the additional security that IPSec filtering provides, additional pre-deployment planning is required.
Resolving the problem
Adding this layer of hardening requires a deviation from the common user experience: the IPSec rules that you want on each LPAR node in the deployment must be managed and maintained manually.
For this reason, it is recommended to:
- Perform 'Static Deployments'.
- Enable IPSec on all instances/LPARs in the deployments.
- Allow all required ports, hosts, and protocols between LPAR hosts in the deployment for IBM Cognos Business Intelligence, including the NFS server. For more information, see the IBM Cognos Business Intelligence Administration and Security Guide.
- Allow all required ports, hosts, and protocols for incoming and outgoing traffic related to data source, content store, and audit store connections. For more information, see your database vendor's documentation for the required inbound and outbound ports and protocols.
- Allow all incoming and outgoing host, port, and protocol traffic for client installations such as IBM Cognos Framework Manager to at least one of the application tier installations in the deployment.
For more information about setting up a firewall with AIX TCP/IP filtering, see http://www.ibm.com/developerworks/aix/library/au-aixfiltering/index.html.
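The inter-LPAR allow rules recommended above depend on every node's fixed address, which is why static deployments matter. The following is an added example, not IBM's code: a script that prints, without running them, the AIX genfilt permit rules one LPAR needs for each peer and each required flow. The addresses and ports are constructed sample values, and the choice of options (IPv4, all interfaces) is an assumption; take the real port list from the product and database documentation.

```shell
#!/bin/sh
# Added example: print (do not run) the genfilt permit rules for one LPAR
# of a static deployment. Addresses and ports are constructed sample values.
LPARS="10.0.0.11 10.0.0.12 10.0.0.13"  # every LPAR in the deployment, NFS server included
FLOWS="tcp:9300 tcp:2049"              # protocol:port pairs (samples, replace with the documented list)

# rule SRC DST PROTO SRC_OP SRC_PORT DST_OP DST_PORT DIRECTION
# Host masks (255.255.255.255) keep each rule scoped to a single LPAR address.
rule() {
    echo "genfilt -v 4 -a P -s $1 -m 255.255.255.255 -d $2 -M 255.255.255.255" \
         "-c $3 -o $4 -p $5 -O $6 -P $7 -w $8 -i all"
}

# gen_rules LOCAL_IP: rules to load on LOCAL_IP for every peer and every flow.
gen_rules() {
    local_ip=$1
    for peer in $LPARS; do
        [ "$peer" = "$local_ip" ] && continue   # no rule from a node to itself
        for flow in $FLOWS; do
            proto=${flow%%:*}
            port=${flow##*:}
            # The peer connects to the service on this LPAR; replies go back out.
            rule "$peer" "$local_ip" "$proto" any 0 eq "$port" I
            rule "$local_ip" "$peer" "$proto" eq "$port" any 0 O
            # This LPAR connects to the same service on the peer; replies come in.
            rule "$local_ip" "$peer" "$proto" any 0 eq "$port" O
            rule "$peer" "$local_ip" "$proto" eq "$port" any 0 I
        done
    done
    echo "mkfilt -v 4 -u"   # activate the updated IPv4 filter table
}

# Print the rule set for the LPAR given as the first argument (sample default).
gen_rules "${1:-10.0.0.11}"
```

Run it once per LPAR address and review the output before loading it; adding or removing a node changes the rule set on every other node.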