Setting up RXA for Liberty collective operations

Liberty collective controllers use the Tivoli® Remote Execution and Access (RXA) toolkit to perform selected operations on collective members. You can use RXA to remotely start and stop servers, including servers on your local computer.

Before you begin

Stabilized feature (Windows platforms): The Server Message Block (SMB) protocol allows for remote method execution on Windows and is used by collectives. Version 1 of the SMB protocol (SMBv1) is insecure and should be disabled. As an alternative, install Cygwin as an SSH service on collective members and use SSH to connect to them. RXA is not compatible with Windows OpenSSH. Disable Windows OpenSSH before installing and running Cygwin.

Procedure

  • Set up Linux, UNIX or z/OS machines (applies to Linux, Solaris, HP UNIX and AIX platforms)

    Install and enable SSH on your machine. For Linux® and UNIX machines, ensure that the configuration is set according to the following instructions. For z/OS® machines, consult the following instructions for guidance.

    To enable SSH, configure OpenSSH 3.6.1, OpenSSH 4.7 (on AIX), or Oracle SSH 1.1 so that it supports RXA connections. OpenSSH 3.7.1 or later contains security enhancements not available in earlier releases and is recommended.

    Avoid trouble: OpenSSH Version 4.7.0.5302 for IBM® AIX® Version 5.3 is not compatible with RXA Version 2.3. If machines are running AIX Version 5.3 with OpenSSH Version 4.7.0.5302 installed, file transfers might not complete. To avoid this problem, revert from OpenSSH Version 4.7.0.5302 to Version 4.7.0.5301.

    Using Secure Shell (SSH) protocol

    RXA does not supply SSH code for UNIX operating systems. You must ensure that SSH is installed and enabled on all machines that include collective members.

    In all UNIX environments except Solaris, the Bourne shell (sh) is used. On Solaris machines, the Korn shell (ksh) is used instead due to problems encountered with the Bourne shell (sh).

    If you need to use password-based authentication for SSH communications, edit the /etc/ssh/sshd_config file on each machine that includes one or more collective members. Set the PasswordAuthentication property to yes. For example:
    PasswordAuthentication yes
    
    The default value for the PasswordAuthentication property is no.
    After you change this setting, stop and restart the SSH daemon by using the following commands:
    /etc/init.d/sshd stop
    /etc/init.d/sshd start 

    On Linux platforms, some collective controller commands require that the path to the Java installation jre/bin directory be available in the .bashrc file, so set a path to jre/bin in the .bashrc file.

    If remote access to a member machine fails, ensure that you can ssh from the controller machine to the member machine by using the same authentication method that was used when you set up the collective. If ssh is successful and you still have problems with remote access, also ensure that you can scp or sftp from the controller machine to the member. It is possible for scp or sftp to fail even when ssh keys are set up correctly. For example, sftp might fail with the message Received message too long if a .bashrc script on the remote machine prints a message. For remote access to be successful, you must either remove the message or change the sftp subsystem in the sshd_config file to use the internal-sftp subsystem.

  • Set up IBM i machines

    Using SSH public/private key authentication to IBM i machines is not supported.

  • Set up Windows machines
    1. Ensure that your collective controller is running with an IBM JDK.

      RXA requires some security classes that are in the IBM JDK, and that are not available in the Oracle or OpenJDK JVMs.

    2. Ensure the system environment variables JAVA_HOME and PATH are set to the Java path (jre directory) on the computer. Some collective controller commands require that the path to the Java installation jre\bin directory is available in the System path, so also add a path to the jre\bin directory.

      In Windows, system environment variables are visible only inside the shell that RXA connects to. Setting PATH in the command window is not sufficient. You must set PATH in the system variable section of the environment variables, or use -hostJavaHome <PATH TO IBM JAVA> with the updateHost option.

    3. Ensure that the server.xml file of each server to be managed specifies the account user name and password.

      Specify the user name and password in a hostAuthInfo statement in the server.xml file:

      <hostAuthInfo rpcUser="Windows_user_ID" rpcUserPassword="Windows_user_password" />
    4. Enable connections to member servers on Windows computers.

      To enable connections to Windows members, you can use a third-party SSH service such as Cygwin on your Windows member computer or change Windows operating system settings on a member computer that does not have an SSH service installed.

      • Use a third-party SSH service such as Cygwin on the Windows member computer.

        If the member computer uses an SSH service, the controller connects to the member server with SSH. Because the third-party SSH service might have a different home directory than the one Windows uses, specify a hostAuthInfo rpcUserHome parameter together with the RPC user name and password in the member server.xml file:

        <hostAuthInfo rpcUser="Windows_user_ID" rpcUserPassword="Windows_user_password" rpcUserHome="user_home_directory"/>

        For user_home_directory, specify the user home for the SSH service, for example: rpcUserHome="C:\cygwin\home\user1". The SSH public and private key pair is generated in the .ssh directory under this user home directory.

      • If the Windows member computer does not use a third-party SSH service such as Cygwin, change the Windows operating system settings of the member computer to enable connections.
        • Ensure that your user account belongs to the Administrators group.

          Many RXA operations require access to resources that standard user accounts cannot access. Thus, the configuration of a collective member must include the name and password of a Windows user who belongs to the Administrators group.

        • Ensure File and Printer Sharing for Microsoft Networks is enabled for your network stack.
          1. Click Start > Control Panel > Network and Sharing Center > Change advanced sharing settings.
          2. Select Turn on file and printer sharing.
          3. Save the changes.

          Ensure that file sharing operations (on port 445) are not blocked on machines that include collective controllers or collective members. For more information, see the documentation for your operating system or your firewall software.

        • Start the Remote Registry service.
          The Remote Registry service must be running on computers that include collective members for the collective controllers to remotely run commands and scripts.
          1. Click Start > Administrative Tools > Services.
          2. Within the list of services, locate the Remote Registry entry and verify that the status is Started. If you intend to use RXA regularly, consider setting the Remote Registry Startup type property to Automatic.
        • Disable User Account Control.
          1. Click Start > Control Panel > User Accounts > Change User Account Control settings.
          2. Set the User Account Control level to Never notify.
          3. Click OK.
          4. Restart the computer for the changes to take effect.
      • Use an SSH daemon (sshd) instead of Windows SMB1 protocol.

        RXA uses the SMB1 protocol to connect to Windows targets. If the SMB1 protocol is disabled on the target, the connection fails. If SMB1 is disabled on a Windows target, RXA can still connect to that target if an SSH daemon is installed, such as sshd from Cygwin. To learn how to enable and disable the SMB1 protocol, see https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows-server.
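
Added example (not part of the original documentation) for the Linux and UNIX step above: a shell check that reads the effective global PasswordAuthentication and Subsystem values from an sshd_config file and measures what a startup file prints in a non-interactive shell, which is the cause of the sftp "Received message too long" failure. The file contents, the host name member01 and the function names are constructed for illustration; the interactive-shell guard in quiet_rc is one way of removing the message for sftp sessions.

```shell
#!/bin/sh
# Added example: all sample files below are constructed, not from a real host.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed .bashrc that prints unconditionally (breaks sftp and scp).
printf '%s\n' 'echo "Welcome to member01"' > "$work/noisy_rc"
# Constructed .bashrc that prints only when the shell is interactive.
printf '%s\n' 'case $- in *i*) ;; *) return ;; esac' \
              'echo "Welcome to member01"' > "$work/quiet_rc"
# Constructed sshd_config fragment.
cat > "$work/sshd_config" <<'EOF'
# PasswordAuthentication no
PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User backup
    PasswordAuthentication no
EOF

# Bytes a startup file writes to stdout when sourced non-interactively.
# Anything above 0 ends up in front of the sftp packet stream.
rc_output_bytes() {
    sh -c '. "$1"' sh "$1" </dev/null 2>/dev/null | wc -c | tr -d ' '
}

# Effective global value of a keyword: sshd uses the first occurrence,
# keywords are case-insensitive, and Match blocks are not global settings.
sshd_global() {
    awk -v key="$1" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^ +/, ""); print; found = 1; exit
        }
        END { if (!found) print "unset" }' "$2"
}

printf 'noisy_rc prints %s bytes, quiet_rc prints %s bytes\n' \
    "$(rc_output_bytes "$work/noisy_rc")" "$(rc_output_bytes "$work/quiet_rc")"
printf 'PasswordAuthentication: %s\n' \
    "$(sshd_global PasswordAuthentication "$work/sshd_config")"
printf 'Subsystem: %s\n' "$(sshd_global Subsystem "$work/sshd_config")"
```

On a member machine, point the functions at the real ~/.bashrc and /etc/ssh/sshd_config instead of the constructed files.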

What to do next

If you modify the server.xml of a managed server, manually start the server so that it publishes the new data to the controller.

After you enable RXA, test the host configuration and verify RXA connectivity.

You can use the testConnection command to verify connectivity. The command validates RXA connectivity between the controller and the host where the member resides.


wlp/bin/collective testConnection hostName --host=controllerHost \
--port=controllerHTTPSPort --user=controllerAdmin \
--password=controllerAdminPassword --autoAcceptCertificates

Alternatively, use the simplified --controller option to provide the controller-specific information:

wlp/bin/collective testConnection hostName \
--controller=user[:password]@host:HttpsPort \
--autoAcceptCertificates