How to configure firewall on RHEL7 backup-archive client

jeinhorn

ADSM.ORG Member
#1
Greetings, Gurus -

Our TSM Server is version 6.4.1.0 running on RHEL 6.

Recently I installed the backup-archive client version 7.1.2 on a virtual machine running RHEL 7. If I disable the firewall, I can initiate backups from the TSM server. But with the firewall enabled, I cannot do the same.

dsm.opt on the client:
Code:
SErvername  tsmserv
 COMMMethod  TCPip
 TCPPort  1500
 TCPServeraddress  <omitted>
 TCPBuffsize  32
 TCPWindowsize  64
 TCPNodelay  Yes
 TCPCLIENTADDRESS  <omitted>
 nodename  <omitted>
 ERRORLOGR  30 D
 ERRORLOGname  /tmp/dsmerror.log
 HTTPPort  1581
 Inclexcl  /opt/tivoli/tsm/client/ba/bin/inclexcl.list
 LargeCommBuffers  Yes
 ManagedServices  Webclient Schedule
 PASSWORDAccess  generate
 ResourceUtilization  5
 SCHEDMode  Prompted
 SCHEDLOGR  30 D
 SCHEDLOGname  /tmp/dsmsched.log
 TXNBytelimit  25600
I updated the firewall to allow TCP traffic through port 1500 as follows:
Code:
# firewall-cmd --zone=public --permanent --add-port=1500/tcp
success

# firewall-cmd --zone=public --add-port=1500/tcp
success

# firewall-cmd --zone=public --list-ports
1500/tcp

# iptables-save | grep 1500
-A IN_public_allow -p tcp -m tcp --dport 1500 -m conntrack --ctstate NEW -j ACCEPT
Then I configured a backup schedule on the TSM server and defined an association with the client. The schedule reaches "Pending" status but the backup never runs. Nothing gets logged to /var/log/secure on the client.

Can anyone advise me on what I can do to enable server-initiated backups without disabling the firewall?

Many Thanks,
Janet
 

LED888

ADSM.ORG Moderator
#2
We know that the backup works when the firewall is not enabled.
I suspect that both the manual and the scheduled backup do not work when the firewall is enabled.
Is port 1501 open through the firewall?
The TSM Server listens at 1500.
The TSM Client listens at 1501.
On the firewall, open port 1501, enable the firewall, and then perform a manual backup.
If the manual backup does work, the scheduled backup should also work.
To confirm this, perform a test scheduled backup.

ManagedServices Webclient Schedule
Notice that we are using the CAD Daemon to manage the scheduled backup.
The WEBPORTS parameter needs to be set.

WEBPORTS <cadport> <agentport>

The first port is used for the Client Acceptor service, the second port is used for the Web Client Agent service.

If the WEBPORTS option isn't specified, the default value (0) is used for both ports. A random free port number is assigned for each port (in the range 1024 – 5000). An explicitly specified port can range from 1000 – 32767.

Not sure if the following tech doc will help or muddy the waters even more.
Tivoli Storage Manager client setup in a firewall environment

Good Luck,
Sias
 

jeinhorn

ADSM.ORG Member
#3
Hello Sias / LED888 -

I am very grateful for your reply. Based on the info that you shared, I took the following steps:
  • updated my dsm.sys to include "WEBPORT 1552 1553"
  • updated the firewall on the backup-archive client as follows (firewall is disabled on the TSM server). This may have been overkill, since I am still inexperienced with firewall commands and I could not figure out how to enable ports only for inbound or outbound traffic.
Code:
# firewall-cmd --zone=public --add-port=1500/tcp
success

# firewall-cmd --zone=public --list-ports
1500/tcp

# firewall-cmd --zone=public --permanent --add-port=1501/tcp
success

# firewall-cmd --zone=public --add-port=1501/tcp
success

# firewall-cmd --zone=public --permanent --add-port=1552/tcp
success

# firewall-cmd --zone=public --add-port=1552/tcp
success

# firewall-cmd --zone=public --permanent --add-port=1553/tcp
success

# firewall-cmd --zone=public --add-port=1553/tcp
success

# firewall-cmd --zone=public --list-ports
1500/tcp 1552/tcp 1501/tcp 1553/tcp

# iptables-save | egrep "1500|1501|1552|1553"
-A IN_public_allow -p tcp -m tcp --dport 1500 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 1501 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 1552 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 1553 -m conntrack --ctstate NEW -j ACCEPT
  • Restarted the client acceptor daemon on the client ("systemctl restart dsmcad.service")
  • Configured an incremental backup schedule on the TSM server, associated this schedule with the client
SUCCESS! The schedule executed to completion.

From my perspective, this thread may be closed, and you should get credit for providing a useful response.

Thanks Again,
Janet
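
Post #3 notes that the port rules may be broader than needed. As an added example (not part of the thread), the script below prints firewalld commands that replace the any-source port rules with rich rules accepting connections only from the TSM server. The address 192.0.2.10 is a placeholder for the omitted TCPServeraddress, and dropping the inbound rule for 1500 assumes nothing on the client listens on that port.

```shell
#!/bin/sh
# Added example (not from the thread): print firewalld commands that swap the
# any-source port rules for rich rules limited to the TSM server's address.
# Nothing is executed; review the output, then run it as root.

ZONE=public
CLIENT_PORTS="1501 1552 1553"   # client-side listeners opened in the thread
SERVER_PORT=1500                # server's listen port; assumed unused on the client

# Accept only a dotted-quad IPv4 address so a typo cannot yield a malformed rule.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# restrict_rules <tsm-server-ipv4> [port ...]
restrict_rules() {
    valid_ipv4 "${1:-}" || { echo "invalid IPv4 address: ${1:-}" >&2; return 1; }
    server=$1; shift
    [ $# -gt 0 ] || set -- $CLIENT_PORTS
    for port in "$@"; do   # validate every port before printing anything
        case $port in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;; esac
    done
    # firewalld port rules are inbound only; the client reaches the server's
    # port outbound, so the inbound allow for it can go.
    echo "firewall-cmd --zone=$ZONE --permanent --remove-port=$SERVER_PORT/tcp"
    for port in "$@"; do
        rule="rule family=\"ipv4\" source address=\"$server\" port port=\"$port\" protocol=\"tcp\" accept"
        echo "firewall-cmd --zone=$ZONE --permanent --remove-port=$port/tcp"
        echo "firewall-cmd --zone=$ZONE --permanent --add-rich-rule='$rule'"
    done
    echo "firewall-cmd --reload"
}

# 192.0.2.10 is a documentation address standing in for the omitted
# TCPServeraddress value.
restrict_rules "${1:-192.0.2.10}"
```

After applying the output, `firewall-cmd --zone=public --list-rich-rules` shows the source-limited rules, and `--list-ports` should no longer list the four ports.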
 
