ADSM-L

adminonclientport no

2006-07-20 06:58:38
Subject: adminonclientport no
From: Remco Post <r.post AT SARA DOT NL>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Thu, 20 Jul 2006 12:58:06 +0200
Hi all,

I've posted on the list before on this subject with the question if anybody
ever had tried setting adminonclientport to no and how that would work with
both server to server communications, command routing and virtual volumes as
well as e.g. webclient logins.

Since nobody answered I've set up a small test environment on my test server
consisting of 4 servers all with a dsmserv.opt like this:

   COMMmethod         TCPIP
   TCPPort            1500
   TCPADMINPort       1540
   adminonclientport  no
   EXPInterval        0
   VOLUMEHISTORY      /tsm/etc/bucket/volhist.bck
   DEVCONFIG          /tsm/etc/bucket/devconf.bck
   EVENTSERVer        YES
   SELFTUNEBUF        YES
   QUERYAUTH          SYSTEM

Of course each has its own TCPPORT and TCPADMINPORT.

I defined each server on the other servers using the tcpadminport, as per the
manual. After that I was able to route commands from bucket to all other
servers in the 'enterprise configuration', so far so good. Now I defined a
server2server devclass and did a database backup to that devclass, this also
worked as expected, meaning it is possible for servers to communicate fully
using only the TCPADMINPORT.

Of course I was also worried that webclient logins (or the new dsmj GUI
logins) would not work, since these require an admin login. Fortunately, this
also still works.

Therefore I can only conclude that it is perfectly safe for us to set
adminonclientport no and a separate tcpadminport. This way we can actually
shield our admin interface from foes on the internet (or customers that do not
have admin rights) while still allowing our clients to connect from anywhere.

Of course, setting QUERYAUTH to anything other than NONE also helps against
users/customers querying the server....

I guess this was once a request from me to IBM, so thanks to IBM for
implementing this!

--
Kind regards,

Remco Post

SARA - Reken- en Netwerkdiensten                      http://www.sara.nl
High Performance Computing  Tel. +31 20 592 3000    Fax. +31 20 668 3167
PGP Key fingerprint: 6367 DFE9 5CBC 0737 7D16  B3F6 048A 02BF DC93 94EC

"I really didn't foresee the Internet. But then, neither did the
computer industry. Not that that tells us very much of course - the
computer industry didn't even foresee that the century was going to
end." -- Douglas Adams
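
An added example, not part of the original post or of any IBM tooling: a small audit of a dsmserv.opt that checks the separation described above (admin sessions refused on the client port, a distinct admin port, QUERYAUTH above NONE). It assumes option names are written in full, that lines starting with "*" are comments, and that missing options default to TCPPORT 1500, ADMINONCLIENTPORT YES, TCPADMINPORT equal to TCPPORT and QUERYAUTH NONE; confirm those defaults against the documentation for your server level.

```python
# Added example, not from the original post. Both option files are constructed
# samples; POST_OPT mirrors the relevant lines of the dsmserv.opt in the post.
DEFAULTS = {"TCPPORT": "1500", "ADMINONCLIENTPORT": "YES", "QUERYAUTH": "NONE"}  # assumed

POST_OPT = """\
COMMmethod TCPIP
TCPPort 1500
TCPADMINPort 1540
adminonclientport no
QUERYAUTH SYSTEM
"""
WEAK_OPT = """\
* constructed: no admin port settings at all
COMMmethod TCPIP
TCPPort 1500
"""

def parse_opt(text):
    """Return {OPTION: value}; names are upper-cased, '*' lines are comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def audit(text):
    """Return a list of findings; an empty list means the separation holds."""
    opts = {**DEFAULTS, **parse_opt(text)}
    client = opts["TCPPORT"]
    admin = opts.get("TCPADMINPORT", client)  # assumed default: same as TCPPORT
    findings = []
    if opts["ADMINONCLIENTPORT"].upper() != "NO":
        findings.append(f"admin sessions still accepted on client port {client}")
    if admin == client:
        findings.append("TCPADMINPORT equals TCPPORT; nothing to filter separately")
    if opts["QUERYAUTH"].upper() == "NONE":
        findings.append("QUERYAUTH is NONE; queries need no admin authority")
    return findings

if __name__ == "__main__":
    for name, text in (("post", POST_OPT), ("weak", WEAK_OPT)):
        print(name, audit(text) or "OK")
```

An empty result only says the options are set; the admin port still has to be filtered at the firewall for the interface to be shielded from outside networks.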
