How to create Tunnels between two hubs and Verify the communication using Queues

Article ID: 12105

Products

  • DX Unified Infrastructure Management (Nimsoft / UIM)
  • Unified Infrastructure Management for Mainframe
  • CA Unified Infrastructure Management SaaS (Nimsoft / UIM)

Issue/Introduction

Tunnels enable secure communication from one hub to another. Tunnels are required for hubs separated by a firewall, and recommended for all secondary hubs.

Environment

  • OS: Windows and Linux/UNIX

Cause

  • Guidance

Resolution

Once you have decided which hub will act as the tunnel client and which as the tunnel server, follow the steps below to create the tunnel connection.

Server Side Configuration:

1. Open the hub probe configuration, select the General tab, enable the checkbox "Enable tunneling", and click on Apply to restart the hub.

2. Once the Tunnels tab is enabled, select the "Server Configuration" tab.

3. Create a server and client certificate setup with the required information.

Note: Uncheck "Check Server Common Name" if the Tunnel Server is NAT'ed. You can also use a wildcard, i.e. either one asterisk '*' or four asterisks '*.*.*.*' (without quotes), to set up a single certificate that can then be used for multiple tunnel clients.

4. Click on OK and then reopen the certificate.

5. Once the "Certificate Information" GUI is opened, select the "Certificate" tab and click on "Copy" and then click OK.

    Copy the certificate to Notepad.

    Be very careful not to add any leading or trailing characters.             

6. Click on "Apply" to restart the probe.       

Client Side Configuration:

1. Open the hub probe configuration, select the General tab, enable the checkbox "Enable tunneling", and click on Apply to restart the hub.

2. Once the Tunnels tab is enabled, select the "Client Configuration" tab.

3. Click on "New", which will open "New Tunnel Connection" GUI.

                    

4. Enter the Tunnel Server IP address and password, then paste the certificate that was copied when the client certificate was created on the Tunnel Server side.

                  

5. Click on "Apply" and click "yes" to restart the probe.
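The caution in server-side step 5 about leading or trailing characters can be checked before the certificate is pasted in client-side step 4. The following is an added example, not code from this article or from the product; it assumes the text copied from the "Certificate" tab is PEM-style (-----BEGIN ...----- / -----END ...----- blocks), and the names check_pasted_pem and sample_pem are hypothetical.

```python
import base64
import re

# PEM armor lines, e.g. -----BEGIN CERTIFICATE----- / -----END CERTIFICATE-----
BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")

def sample_pem():
    """Constructed sample: PEM-shaped text around dummy bytes, not a real certificate."""
    body = base64.b64encode(b"constructed sample bytes " * 6).decode()
    rows = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *rows, "-----END CERTIFICATE-----"])

def check_pasted_pem(text):
    """Return a list of problems in pasted PEM text; an empty list means clean."""
    problems = []
    if text != text.strip():
        problems.append("whitespace before or after the pasted text")
    lines = text.strip().splitlines()
    if not lines:
        return ["nothing was pasted"]
    if not BEGIN.match(lines[0]):
        problems.append("first line is not a -----BEGIN ...----- line")
    if not END.match(lines[-1]):
        problems.append("last line is not an -----END ...----- line")
    label, body = None, []
    for n, line in enumerate(lines, 1):
        begin, end = BEGIN.match(line), END.match(line)
        if begin:
            if label is not None:
                problems.append(f"line {n}: BEGIN inside an unclosed block")
            label, body = begin.group(1), []
        elif end:
            if end.group(1) != label:
                problems.append(f"line {n}: END without a matching BEGIN")
            else:
                try:  # validate=True rejects characters outside the base64 alphabet
                    base64.b64decode("".join(body), validate=True)
                except ValueError:
                    problems.append(f"line {n}: {label} body is not valid base64")
            label = None
        elif label is None:
            problems.append(f"line {n}: text outside any BEGIN/END block")
        elif line == "" or ":" in line:
            continue  # header lines of an encrypted key block and their blank separator
        elif line != line.strip():
            problems.append(f"line {n}: stray whitespace inside a block")
        else:
            body.append(line)
    if label is not None:
        problems.append("last block is never closed (truncated paste?)")
    return problems
```

Save the Notepad contents to a file, pass the file's text to check_pasted_pem, and paste into the "New Tunnel Connection" dialog only when the returned list is empty.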

 

Tunnel Verification:

Tunnel verification can be done by creating Queues between Tunnel Server and Tunnel Client.

Queues allow messages from client hubs to reach the primary hub. Use a combination of ATTACH and GET queues (the most common setup).


Attach queue: A permanent queue that collects the messages sent by the hub’s robots. A corresponding GET queue is paired with each ATTACH queue to retrieve (get) those messages.

Post queue: A post queue sends a directed stream of messages to a specified hub but there is no guarantee of delivery.

 

Queue Creation at Client/Remote Hub (for messages Sent):

1. Open the hub probe configuration and select the "Queues" tab.

2. Click on "New" to create a Queue and give the required name.

                      

3. Select the Type, Address, and Subject fields.             

4. Click "OK" and then click on "Apply" to restart the probe.

Queue Creation at Server/Primary Hub (for messages Received):

1. Open the hub probe configuration and select the "Queues" tab.

2. Click on "New" to create a Queue and enter the required name.

                    

3. Select the Type, Address, and Subject fields.

Select the queue type 'get' to GET the messages from the local ATTACH queue of the remote hub (the tunnel client).

In the Address field, select the remote hub from which you want to receive the messages/alarms.

4. Click "OK" and then click on "Apply" to restart the probe.

5. Wait for some time and then check the Status tab in the hub probe GUI.

                      

Additional Information

Ports

Multiple-hub infrastructure that uses tunnels that are NOT SSL tunnels:

  • All ports that are used in a single-hub installation
  • Use port 48003 for the tunnel server (it can also be set to 443, but 48003 is the best practice/recommendation because HTTPS traffic is sometimes partially filtered)

Multiple-hub infrastructure that uses SSL tunnels:

  • 48000 (controller) and 48002 (hub)
  • 48003 to allow the tunnel client to access the tunnel server
  • Possibly ports 8443 and 8080 (service_host prior to UIM 9.x) to allow the tunnel client to access Admin Console and the UIM web page

Configure queues and tunnels