ADSM-L

Re: [ADSM-L] Operations Center 8.1.4 - Client Package Download using Proxy

2018-03-07 04:07:30
Subject: Re: [ADSM-L] Operations Center 8.1.4 - Client Package Download using Proxy
From: Uwe Schreiber <uwe.h.schreiber AT T-ONLINE DOT DE>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Wed, 7 Mar 2018 10:01:22 +0100
Yes, I have already thought about a transparent proxy such as to use
redsocks.But, I would like to avoid installing any additional software
to circumvent the shortcomings of the Spectrum Protect software.
Uwe
On Tue, 2018-03-06 at 11:35 +0100, Martin Janosik wrote:
> Hello,
> have you considered some kind of transparent TCP-to-proxy
> redirection, i.e.
> redsocks?
> I have not tested is personally but I bookmarked it in the past - I
> thought
> it could be helpful one day (today?)
> 
> Martin J.
> 
> "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU> wrote on 2018-03-06
> 10:34:13:
> 
> > From: Uwe Schreiber <uwe.h.schreiber AT T-ONLINE DOT DE>
> > To: ADSM-L AT VM.MARIST DOT EDU
> > Date: 2018-03-06 10:36
> > Subject: Re: [ADSM-L] Operations Center 8.1.4 - Client Package
> > Download using Proxy
> > Sent by: "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU>
> > 
> > I did a test by setting the Java options for the instance user, and
> > restarted the instance.
> > 
> > As well i set the Java options for usage by the OPC.
> > 
> > -> unchanged situation -> download of packages is failing.
> > 
> > Not the OC which is downloading the software packages.
> > The "Deploy Package Manager" (integrated in the dsmserv binary?)
> > triggers the download / refresh / etc. of the software packages.
> > 
> > I did not see any other java processes than the OPC GUI when the
> > message "ANR3753I The client update packages manager is started. /
> > ANR3756I A refresh of client update packeges was started."
> > 
> > So I assume dsmserv does not start any Java based sub-processes for
> > downloading the software packages.
> > 
> > Uwe
> > 
> > On Tue, 2018-03-06 at 11:07 +0300, Efim wrote:
> > > Why not to configure a transparent proxy for this traffic?
> > > 
> > > Assuming that the hub participates in the download of packages,
> > > by
> > > default Java does not use a system proxy.
> > > You can try to use option Djava.net.useSystemProxies = true in
> > > the
> > > environment settings for the user, on behalf of which the hub
> > > starts
> > > .....
> > > it will looks like export IBM_JAVA_OPTIONS="-Dmysysprop1=tcpip
> > > -Dmysysprop2=wait -Xdisablejavadump"
> > > I found example in https://www.ibm.com/support/knowledgecenter/en
> > > /SSM
> > > KFH/com.ibm.apmaas.doc/install/config_forwardproxy_dc.htm
> > > but it uses jvm.options file.
> > > 
> > > Efim
> > > 
> > > 
> > > > 6 марта 2018 г., в 10:39, Uwe Schreiber <uwe.h.schreiber@T-ONLI
> > > > NE.D
> > > > E> написал(а):
> > > > 
> > > > Hello Efim,
> > > > 
> > > > thank you for your response.
> > > > 
> > > > I already had a try using the local catalog.
> > > > This did not bypass the direct download from IBM.
> > > > 
> > > > From my point of view, the local catalog gives you the
> > > > possibility
> > > > to
> > > > create your own package repository.
> > > > Therefor you have to build a http server where you store the
> > > > package
> > > > for a download by the OC hub instance.
> > > > In addition you have to modify the local catalog.json file to
> > > > point
> > > > to
> > > > the right package locations on your own http server.
> > > > 
> > > > Of course i could setup my own http server and build a local
> > > > repository.
> > > > But this would increase the complexity, etc.
> > > > 
> > > > Uwe
> > > > 
> > > > 
> > > > On Tue, 2018-03-06 at 09:25 +0300, Efim wrote:
> > > > > Hi
> > > > > you can try to configure local catalog. it will bypass using
> > > > > proxy:
> > > > > 
> > > > > setopt clientdeployuselocalcatalog yes
> > > > > create dir: /<instance dir>/deployconfig/
> > > > > run (you can add it to the cron): curl -o /<instance
> > > > > dir>/deployconfig/catalog.json https://public.dhe.ibm.com/sto
> > > > > rage
> > > > > /tiv
> > > > > oli-storage-management/catalog/client/catalog.json
> > > > > 
> > > > > Efim
> > > > > 
> > > > > 
> > > > > 
> > > > > > 6 марта 2018 г., в 0:32, Uwe Schreiber <uwe.h.schreiber@T-O
> > > > > > NLIN
> > > > > > E.DE
> > > > > > > написал(а):
> > > > > > 
> > > > > > I'am searching a solution for deploying client updates
> > > > > > using
> > > > > > Operations
> > > > > > Center 8.1.4.
> > > > > > 
> > > > > > My OC hub (is spoke as well) is not able to connect direct
> > > > > > to
> > > > > > https://urldefense.proofpoint.com/v2/url?
> > 
> > u=https-3A__p&d=DwIFaQ&c=jf_iaSHvJObTbx-
> > siA1ZOg&r=H5e_B7Ka5iXApV9NLO3a6LPjgmGzpTrVrSapqmyEY0E&m=TCER6L5E-
> > 
> 
> e0Od-
> 1y1NcsjYk6dr2uwz7GBhdESLV4VP0&s=KfrP7fY71S9D98_YhAxk99uk4IhkHCZZ6h7jn
> d9iQgM&e=
> 
> > > > > > ublic.dhe.ibm.com/...
> > > > > > I have to use a proxy configuration to enable that
> > > > > > communication.
> > > > > > 
> > > > > > So I configured the variables http_proxy / https_proxy with
> > > > > > the
> > > > > > according proxy informations for the instance user within
> > > > > > the
> > > > > > RHEL
> > > > > > 7.4
> > > > > > operating System.
> > > > > > 
> > > > > > Testing using "curl" and "wget" works as expected when
> > > > > > trying
> > > > > > to
> > > > > > download an deployment package.
> > > > > > 
> > > > > > For forcing the instance to do a software package refresh I
> > > > > > restarted
> > > > > > the instance, but I still got the error
> > > > > > 
> > > > > > ANR3763E An error occurred while the catalog file used for
> > > > > > client
> > > > > > updates was downloading from
> > > > > > https://public.dhe.ibm.com/storage/tivoli-storage-managemen
> > > > > > t/ca
> > > > > > talo
> > > > > > g/cl
> > > > > > ient/catalog.json.
> > > > > > 
> > > > > > After restarting the instance a "tcpdump" was showing
> > > > > > packets
> > > > > > to
> > > > > > "public.dhe.ibm.com" using https.
> > > > > > The tcpdump tool stops to show such packets as soon as I
> > > > > > get
> > > > > > the
> > > > > > above
> > > > > > message within the activity-log of the instance.
> > > > > > 
> > > > > > So I assume that dsmserv is ignoring the environment
> > > > > > variables
> > > > > > for
> > > > > > the
> > > > > > proxy configuration.
> > > > > > 
> > > > > > As well I tried to tell the hub instance to load the client
> > > > > > update
> > > > > > packages from a local filesystem instead by downloading
> > > > > > them
> > > > > > from
> > > > > > IBM,
> > > > > > by modifying the local installed catalog.json file to use
> > > > > > "file://..."
> > > > > > instead of "https://...."; .... without success.
> > > > > > It seems that the usage of https is "hard coded".
> > > > > > 
> > > > > > I already tried a manual import of the client
> > > > > > autodeployment
> > > > > > packages,
> > > > > > as well as the package for the update manager.
> > > > > > 
> > > > > > But querying the manifest table by using "select
> > > > > > pkg_name,pkg_type,state from client_pkg" is showing the
> > > > > > packages
> > > > > > with
> > > > > > state=2.
> > > > > > 
> > > > > > I assume as long as the client update package manager is
> > > > > > not
> > > > > > able
> > > > > > to do
> > > > > > the software download the state will not change and there
> > > > > > is no possibility to deploy any software to the attached
> > > > > > clients.
> > > 
> > > 


ADSM.ORG Privacy and Data Security by KimLaw, PLLC