
How to configure firewall on RHEL7 backup-archive client

Discussion in 'TSM Client' started by jeinhorn, Apr 15, 2016.

  1. jeinhorn

    jeinhorn ADSM.ORG Member

    Greetings, Gurus -

    Our TSM Server is version 6.4.1.0 running on RHEL 6.

    Recently I installed the backup-archive client version 7.1.2 on a virtual machine running RHEL 7. If I disable the firewall, I can initiate backups from the TSM server. But with the firewall enabled, I cannot do the same.

    dsm.opt on the client:
    Code:
    SErvername  tsmserv
    COMMMethod  TCPip
    TCPPort  1500
    TCPServeraddress  <omitted>
    TCPBuffsize  32
    TCPWindowsize  64
    TCPNodelay  Yes
    TCPCLIENTADDRESS  <omitted>
    nodename  <omitted>
    ERRORLOGR  30 D
    ERRORLOGname  /tmp/dsmerror.log
    HTTPPort  1581
    Inclexcl  /opt/tivoli/tsm/client/ba/bin/inclexcl.list
    LargeCommBuffers  Yes
    ManagedServices  Webclient Schedule
    PASSWORDAccess  generate
    ResourceUtilization  5
    SCHEDMode  Prompted
    SCHEDLOGR  30 D
    SCHEDLOGname  /tmp/dsmsched.log
    TXNBytelimit  25600
    
    I updated the firewall to allow TCP traffic through port 1500 as follows:
    Code:
    # firewall-cmd --zone=public --permanent --add-port=1500/tcp
    success
    
    # firewall-cmd --zone=public --add-port=1500/tcp
    success
    
    # firewall-cmd --zone=public --list-ports
    1500/tcp
    
    # iptables-save | grep 1500
    -A IN_public_allow -p tcp -m tcp --dport 1500 -m conntrack --ctstate NEW -j ACCEPT
    

    Then I configured a backup schedule on the TSM server and defined an association with the client. The schedule reaches "Pending" status but the backup never runs. Nothing gets logged to /var/log/secure on the client.

    Can anyone advise me on what I can do to enable server-initiated backups without disabling the firewall?

    Many Thanks,
    Janet
     
  3. LED888

    LED888 ADSM.ORG Moderator

    We know that the backup works when the firewall is not enabled.
    I suspect that both the manual and the scheduled backups do not work when the firewall is enabled.
    Is port 1501 open through the firewall?
    The TSM Server listens at 1500.
    The TSM Client listens at 1501.
    On the firewall, open port 1501, enable the firewall, and then perform a manual backup.
    If the manual backup does work, the scheduled backup should also work.
    To confirm this, perform a test scheduled backup.

    Notice that we are using the CAD Daemon to manage the scheduled backup.
    The WEBPORTS parameter needs to be set.

    WEBPORTS <cadport> <agentport>

    The first port is used for the Client Acceptor service, the second port is used for the Web Client Agent service.

    If the WEBPORTS option isn’t specified, the default value (0) is used for both ports. A random free port number is assigned for each port (in the range 1024 – 5000). An explicitly specified port can range from 1000 – 32767.

    Not sure if the following tech doc will help or muddy the waters even more.
    Tivoli Storage Manager client setup in a firewall environment

    Good Luck,
    Sias
     
  4. jeinhorn

    jeinhorn ADSM.ORG Member

    Hello Sias / LED888 -

    I am very grateful for your reply. Based on the info that you shared, I took the following steps:
    • updated my dsm.sys to include "WEBPORT 1552 1553"
    • updated the firewall on the backup-archive client as follows (firewall is disabled on the TSM server). This may have been overkill, since I am still inexperienced with firewall commands and I could not figure out how to enable ports only for inbound or outbound traffic.
    Code:
    # firewall-cmd --zone=public --add-port=1500/tcp
    success
    
    # firewall-cmd --zone=public --list-ports
    1500/tcp
    
    # firewall-cmd --zone=public --permanent --add-port=1501/tcp
    success
    
    # firewall-cmd --zone=public --add-port=1501/tcp
    success
    
    # firewall-cmd --zone=public --permanent --add-port=1552/tcp
    success
    
    # firewall-cmd --zone=public --add-port=1552/tcp
    success
    
    # firewall-cmd --zone=public --permanent --add-port=1553/tcp
    success
    
    # firewall-cmd --zone=public --add-port=1553/tcp
    success
    
    # firewall-cmd --zone=public --list-ports
    1500/tcp 1552/tcp 1501/tcp 1553/tcp
    
    # iptables-save | egrep "1500|1501|1552|1553"
    -A IN_public_allow -p tcp -m tcp --dport 1500 -m conntrack --ctstate NEW -j ACCEPT
    -A IN_public_allow -p tcp -m tcp --dport 1501 -m conntrack --ctstate NEW -j ACCEPT
    -A IN_public_allow -p tcp -m tcp --dport 1552 -m conntrack --ctstate NEW -j ACCEPT
    -A IN_public_allow -p tcp -m tcp --dport 1553 -m conntrack --ctstate NEW -j ACCEPT
    
    • Restarted the client acceptor daemon on the client ("systemctl restart dsmcad.service")
    • Configured an incremental backup schedule on the TSM server, associated this schedule with the client
    SUCCESS! The schedule executed to completion.

    From my perspective, this thread may be closed, and you should get credit for providing a useful response.

    Thanks Again,
    Janet
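
The rules in the thread accept connections to 1500, 1501, 1552 and 1553 from any source. As an added example (not part of the original posts), the script below prints firewall-cmd commands that tighten this with firewalld rich rules so only the TSM server can reach the client's listening ports. It assumes, following LED888's reply, that 1500 is the server's listening port and therefore needs no inbound rule on the client; the address 192.0.2.10 is a placeholder for the real server address.

```shell
#!/bin/sh
# Added example: print (not run) firewall-cmd commands that limit the TSM
# client's listening ports to a single source, the TSM server.
# Assumed: zone "public" as in the thread; 192.0.2.10 is a placeholder.
ZONE="${ZONE:-public}"

# Success if $1 is an integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Loose dotted-quad check; also keeps quotes and shell metacharacters
# out of the generated command lines.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# close_ports PORT...: remove inbound entries no local service listens on.
close_ports() {
    for port in "$@"; do
        valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
        echo "firewall-cmd --zone=$ZONE --permanent --remove-port=$port/tcp"
    done
}

# restrict_ports SERVER_IP PORT...: replace each open-to-any-source port
# entry with a rich rule that accepts connections from SERVER_IP only.
restrict_ports() {
    server="$1"; shift
    valid_ipv4 "$server" || { echo "bad address: $server" >&2; return 1; }
    for p in "$@"; do
        close_ports "$p" || return 1
        echo "firewall-cmd --zone=$ZONE --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"$server/32\" port port=\"$p\" protocol=\"tcp\" accept'"
    done
}

# Plan for the client in this thread (assumption: nothing on the client
# listens on 1500; 1501, 1552 and 1553 stay reachable from the server only).
tsm_client_plan() {
    close_ports 1500 &&
    restrict_ports "$1" 1501 1552 1553 &&
    echo "firewall-cmd --reload"
}

tsm_client_plan 192.0.2.10
```

Review the printed commands before running them as root; after the reload, `firewall-cmd --zone=public --list-rich-rules` shows the source-restricted entries.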
     
