Managing ITM Ports IBM Corporation 5 June 2012

Why Manage Ports? Avoid conflict with other applications –ITM is designed to avoid conflicts –Customer applications not so much –Other vendors sometimes conflict –When a conflict occurs – crisis level impact Customer Security Concerns –Every open port is a potential route for unauthorized processing or hacking –Security scanner products work to find open ports and eliminate unauthorized use

TCP Sockets If a process wants to receive communications it asks TCP to create a socket and listen on a port. A socket has two full-duplex FIFO queues. The socket can listen to all interfaces [IP addresses] or specific ones. A Caller will create a socket specifying the target ip address and port number.

TCP Ports Numbered from 0 to Some ports are registered with the Internet Assigned Number Authority - IANA 1918/1919/1920/3660/3661 are registered. IANA registered ports reduce potential for conflict between applications and so make applications easier to configure.

ITM Ports usage at Agent ITM processes listen on a port Base port defined in KDE_TRANSPORT [or KDC_FAMILES] –Default 1918 for ip.pipe, 3660 for ip.spipe Listening Ports –TEMS: Base Port –Agent: Base Port + N*4096, N=1..15

ITM Internal Web Server By default every ITM process has an internal web server. The web server can be disabled by adding HTTP_SERVER:N to communication string [Never for TEMS or TEPS] The web server listens on 1920 and 3661 and ports can be configured with HTTP: and HTTPS: in the communication string

ITM Internal Web Servers Every internal Web Server tries to connect as owner of 1920/3661 If connect fails, Web server creates socket to local 1920/3661 connection – thus creating a local ephemeral socket If connection fails, all web servers repeat the initial action and a new 1920/3661 owner is created.

Agent Socket Usage Listening socket at base+N*4096 N=1..15 One local socket which is connected to a TEMS listening socket. One local socket which is connected to a WPA listening socket. Two listening ports for the ITM web server Except for first ITM process, a local socket connected to the active ITM web server.

TCP Connection A connection consists of a socket pair. –IP address and port - local –IP address and port – remote listener One listener can host many callers because the socket pairs are distinct

ITM Listening port The listening port default is base address plus N*4096, Use SKIP:N to start at N*4096 –that can be used to avoid using lower port numbers –N ends at 15 and does not wrap Use COUNT:M to only test for M different ports ip.pipe port:1918 SKIP:15 COUNT:1 use:y –Will test and use only or will fail

ITM Process: Local Ports These are local ports associated with the connection to a remote socket. pool: ip.pipe base:1918 use:y As leading modifier it applies to all protcols A single pool can specify a maximum of 1024 ports, but you can have multiple pool modifiers.

ITM No Listening Port Option EPHEMERAL:Y means the socket connection to TEMS is used for all traffic ephemeral:y ip.pipe port:1918 use:y Historical Data side effects –Collect historical data on the TEMS or –Add a WPA to same server as TEMS

Localhost Ports ITM basic services makes use of localhost [ ] ports for in-server ITM communication. Some of those ports are created before ITM basic services begins These ports are invisible to other servers. These ports are not configurable

IP V6 Support IP V6 is fully supported Protocol names are different

Universal Agent Ports UA uses all the same ports and… By default UA will also use port 1919 to communicate with collectors [IANA registered] Each data collector process will use an ephemeral port to form the socket is created KUMP_LOCAL_DATA=Y configures non-socket communication on a single server In a very few cases that configuration causes collection issues Consider use of Agent Builder instead

tacmd createNode Used for first install of OS Agent Linux/Unix uses SSH/RSH/REXEC from the hub TEMS to the target agent For example, SSH usually uses port 22 During agent createNode the service port and port 1918 from agent to hub will be used. After - agent will usually connect to a remote TEMS.

ITM Outbound Communication ITM does not control outbound traffic. ITM writes to socket and TCP manages what interfaces get used TCP systems have commands [route] to control that flow when needed. KDEB_INTERFACELIST control with agent using ephemeral:y has the effect of controlling outbound data traffic.

Managing ITM Ports Update communications string EPHEMERAL:Y to eliminate listening port POOL: control ports used for local sockets SKIP: and COUNT: to control listening port HTTP: and HTTPS: or HTTP_SERVER:N to control internal web server ports UA use KUMP_LOCAL_DATA=Y

Simpler Communication String Start with a use:n which disables all protocols by default. Enable only the protocols needed. use:n ip.pipe use:y ip.tcp.http use:y Technote with all protocol modifiers uid=swg

Implementing Config Changes On ITM 623 –create xx.environment file to include in runtime environment On ITM 622 and earlier –Create the xx.environment file and place value within single quotes –Source include into the xx.ini file uid=swg

Further research Which TCP/IP ports will my Tivoli monitoring address space use?