...
The following communication and ports are used in a remote collector deployment scenario (table 1). Perform the following commands to accomplish this task on each DPOD local firewall:
Run in Local Node -
Change the XXXX to the IP of the Remote CollectorCode Block iptables -I INPUT -p tcp -s XXXX/24 --dport 9300:9309 -j ACCEPT service iptables save service iptables restart
After running the commands, run the following command and search the output for two entries showing port 9300 (shown in red in the below screenshot)
Code Block iptables -L -n
table 1Anchor table1 table1 From
To
Ports (Defaults)
Protocol
Usage
Local Node DPOD Appliance
Each Monitored Device
5550 (TCP)
HTTP/S
Monitored Device administration management interface
Local Node DPOD Appliance
DNS Server TCP and UDP 53
DNS DNS services
Local Node DPOD Appliance
NTP Server
123 (UDP)
NTP
Time synchronization
Local Node DPOD Appliance
Organizational mail server
25 (TCP)
SMTP
Send reports by email
Local Node DPOD Appliance
LDAP
TCP 389 / 636 (SSL).
TCP 3268 / 3269 (SSL)
LDAP
Authentication & authorization. Can be over SSL
NTP Server
Local Node DPOD Appliance
123 (UDP)
NTP
Time synchronization
Each Monitored Device
Local Node DPOD Appliance
60000-60009 (TCP)
TCP
SYSLOG Data
Each Monitored Device
Local Node DPOD Appliance
60020-60029 (TCP)
HTTP/S
WS-M Payloads
FROM Users IPs
Local Node DPOD Appliance
443 (TCP)
HTTP/S
Access to with IBM DataPower Operations Dashboard Console
FROM Admins IPs
Local Node DPOD Appliance
22 (TCP)
TCP
SSH
Remote Collector DPOD Appliance Local Node DPOD Appliance 9300-9309 TCP DPOD's Store communicatoncommunication Remote Collector DPOD Appliance
Each Monitored Device
5550 (TCP)
HTTP/S
Monitored Device administration management interface
Remote Collector DPOD Appliance
DNS Server TCP and UDP 53
DNS DNS services
Remote Collector DPOD Appliance
NTP Server
123 (UDP)
NTP
Time synchronization
Remote Collector DPOD Appliance
Organizational mail server
25 (TCP)
SMTP
Send reports by email
Remote Collector DPOD Appliance
LDAP
TCP 389 / 636 (SSL).
TCP 3268 / 3269 (SSL)
LDAP
Authentication & authorization. Can be over SSL
NTP Server
Remote Collector DPOD Appliance
123 (UDP)
NTP
Time synchronization
Each Monitored Device
Remote Collector DPOD Appliance
60000-60009 (TCP)
TCP
SYSLOG Data
Each Monitored Device
Remote Collector DPOD Appliance
60020-60029 (TCP)
HTTP/S
WS-M Payloads
FROM Users IPs
Remote Collector DPOD Appliance
443 (TCP)
HTTP/S
Access to with IBM DataPower Operations Dashboard Console
FROM Admins IPs
Remote Collector DPOD Appliance
22 (TCP)
TCP
SSH
- From the Local Node's UI, go to the Manage menu, select "Nodes" under "System" and click "Edit"
Enter the IP address of the Remote Collector deviceand click "Update", you can leave the "Agents DNS Address" empty
- In the Local Node
Connect to the Local Node DPOD via ssh as root user (using putty or any other ssh client)
Using the Command Line Interface choose option 2 - "Stop All", and wait until all the services are stopped, this may take a few minutes to complete.
In the Local Node
Using putty or any other ssh client, issue the following command:Code Block sed -i -e "s/^SERVICES_SIXTH_GROUP=\".*MonTier-SyslogAgent-1 MonTier-HK-WdpServiceResources MonTier-HK-WdpDeviceResources/SERVICES_SIXTH_GROUP=\"MonTier-HK-WdpServiceResources MonTier-HK-WdpDeviceResources/g" /etc/sysconfig/MonTier
In the Local Node
Using putty or any other ssh client, issue the following command:Code Block mv /etc/init.d/MonTier-SyslogAgent-1 /etc/init.d/Disabled-MonTier-SyslogAgent-1 mv /etc/init.d/MonTier-SyslogAgent-2 /etc/init.d/Disabled-MonTier-SyslogAgent-2 mv /etc/init.d/MonTier-SyslogAgent-3 /etc/init.d/Disabled-MonTier-SyslogAgent-3 mv /etc/init.d/MonTier-SyslogAgent-4 /etc/init.d/Disabled-MonTier-SyslogAgent-4 mv /etc/init.d/MonTier-SyslogAgent-5 /etc/init.d/Disabled-MonTier-SyslogAgent-5 mv /etc/init.d/MonTier-SyslogAgent-6 /etc/init.d/Disabled-MonTier-SyslogAgent-6 mv /etc/init.d/MonTier-SyslogAgent-7 /etc/init.d/Disabled-MonTier-SyslogAgent-7 mv /etc/init.d/MonTier-SyslogAgent-8 /etc/init.d/Disabled-MonTier-SyslogAgent-8 mv /etc/init.d/MonTier-SyslogAgent-9 /etc/init.d/Disabled-MonTier-SyslogAgent-9 mv /etc/init.d/MonTier-SyslogAgent-10 /etc/init.d/Disabled-MonTier-SyslogAgent-10 mv /etc/init.d/MonTier-WsmAgent-1 /etc/init.d/Disabled-MonTier-WsmAgent-1 mv /etc/init.d/MonTier-WsmAgent-2 /etc/init.d/Disabled-MonTier-WsmAgent-2 mv /etc/init.d/MonTier-WsmAgent-3 /etc/init.d/Disabled-MonTier-WsmAgent-3 mv /etc/init.d/MonTier-WsmAgent-4 /etc/init.d/Disabled-MonTier-WsmAgent-4 mv /etc/init.d/MonTier-WsmAgent-5 /etc/init.d/Disabled-MonTier-WsmAgent-5
Note: some errors might appear for services that are not exists in your specific deployment architecture type - for example "mv: cannot stat ‘/etc/init.d/Disabled-MonTier-SyslogAgent-10’: No such file or directory"
- In the Local Node
Using any text editor (like vi), edit /etc/hosts files (e.g. vi /etc/hosts)
Change the following entries:
montier-es from 127.0.0.1 to the IP of the Local node device
montier-syslog and montier-wsm to the IP of the remote collector device
you should save the changes when exit (e.g wq) - In the Local Node
Using the Command Line Interface - Select option 1 "Start All", this may take a few minutes to complete
- Connect to the Remote Collector DPOD via ssh as root user (using putty or any other ssh client)
Using the Command Line Interface choose option 2 - "Stop All", and wait until all the services are stopped, this may take a few minutes to complete. In the Remote Collector
Using putty or any other ssh client, issue the following commands:Code Block mv /etc/init.d/MonTier-es-raw-trans-Node-1 /etc/init.d/Disabled-MonTier-es-raw-trans-Node-1 mv /etc/init.d/MonTier-es-raw-trans-Node-2 /etc/init.d/Disabled-MonTier-es-raw-trans-Node-2 mv /etc/init.d/MonTier-es-raw-trans-Node-3 /etc/init.d/Disabled-MonTier-es-raw-trans-Node-3 mv /etc/init.d/MonTier-es-raw-trans-Node-4 /etc/init.d/Disabled-MonTier-es-raw-trans-Node-4 mv /etc/init.d/MonTier-Derby /etc/init.d/Disabled-MonTier-Derby mv /etc/init.d/MonTier-HK-ESRetention /etc/init.d/Disabled-MonTier-HK-ESRetention mv /etc/init.d/MonTier-HK-SyslogKeepalive /etc/init.d/Disabled-MonTier-HK-SyslogKeepalive mv /etc/init.d/MonTier-HK-WsmKeepalive /etc/init.d/Disabled-MonTier-HK-WsmKeepalive mv /etc/init.d/MonTier-HK-WdpDeviceResources /etc/init.d/Disabled-MonTier-HK-WdpDeviceResources mv /etc/init.d/MonTier-HK-WdpServiceResources /etc/init.d/Disabled-MonTier-HK-WdpServiceResources mv /etc/init.d/MonTier-Reports /etc/init.d/Disabled-MonTier-Reports mv /etc/init.d/MonTier-UI /etc/init.d/Disabled-MonTier-UI sed -i -e "s/^SERVICES_FIRST_GROUP=\".*/SERVICES_FIRST_GROUP=\"\"/g" /etc/sysconfig/MonTier sed -i -e "s/^SERVICES_SECOND_GROUP=\".*/SERVICES_SECOND_GROUP=\"\"/g" /etc/sysconfig/MonTier sed -i -e "s/^SERVICES_THIRD_GROUP=\".*/SERVICES_THIRD_GROUP=\"\"/g" /etc/sysconfig/MonTier sed -i -e "s/\MonTier-HK-WdpServiceResources MonTier-HK-WdpDeviceResources//g" /etc/sysconfig/MonTier sed -i -e "s/^SERVICES_SEVENTH_GROUP=\".*/SERVICES_SEVENTH_GROUP=\"\"/g" /etc/sysconfig/MonTier
Note: some errors might appear for services that are not exists in your specific deployment architecture type - for example "mv: cannot stat ‘/etc/init.d/MonTier-es-raw-trans-Node-4’: No such file or directory"
- In the Remote Collector
Using any text editor (like vi), edit /etc/hosts files (e.g. vi /etc/hosts)
Change the following entries:
montier-es from 127.0.0.1 to the ip of the Local Node device
- In the Remote Collector
Using the Command Line Interface choose option 1 - "Start All", and wait until all the services are stopped, this may take a few minutes to complete. - Verify in the console in Management → Internal health → Agents that all agents are in green state.
- Run the following two scripts, you will need to obtain them from IBM support:
in the Local Node - configure_local_node.sh
in the Remote Collector - configure_remote_collector.sh - In the Local Node - !! Only if DPOD was already attached to DataPower Gateways !!
you will need to reconfigure again all the the attached device.
...