Create a Tunnel between two hubs in DX UIM
search cancel

Create a Tunnel between two hubs in DX UIM

book

Article ID: 12105

calendar_today

Updated On:

Products

DX Unified Infrastructure Management (Nimsoft / UIM) Unified Infrastructure Management for Mainframe CA Unified Infrastructure Management SaaS (Nimsoft / UIM)

Issue/Introduction

  • Tunnels enable secure communication from one hub to another.

  • Tunnels are required for hubs separated by a firewall and recommended for all secondary hubs.

  • How do I create a tunnel between my primary hub to a secondary hub?

  • What are the steps to configure tunnels in DX UIM?

  • Guidance to set up a tunnel in UIM.

Environment

  • DX UIM 20.4.* / 23.4.*

  • OS: Windows and Linux/UNIX

Cause

  • Basic guide to create tunnels in DX UIM

Resolution

Once you have decided on which hub will be acting as tunnel client and tunnel server, please follow the steps below to create the tunnel connection.

As best practice, the Primary hub is preferred to be a client tunnel, while the downstream hub being the server tunnel. Tunnel Servers may struggle with more load so this would release load on the primary hub.

Server Side Configuration:

  1. Open hub probe configuration and select General tab, and enable the checkbox "Enable tunneling" and click on Apply to restart the hub.
  2. Once the Tunnels tab is enabled, Select "Server Configuration" tab.
  3. Create a server and client certificate setup with the required information.
  4. Note: Uncheck "Check Server Common Name" if Tunnel Server is NAT'ed, and you can also use a wildcard i.e. either one asterisk '*' or four asterisks '*.*.*.*' (without quotes) to set up only one certificate which can then be used for multiple tunnel clients IF that is allowed by your security team.                                         
  5. Click on OK and then reopen the certificate.
  6. Once the "Certificate Information" GUI is opened, select the "Certificate" tab and click on "Copy" and then click OK.
  7. Copy the certificate to Notepad.
  8. Be very careful not to add any leading or trailing characters, such as spaces or tabs.             
  9. Click on "Apply" to restart the probe.

Client Side Configuration:

1. Open the hub probe configuration and select the General tab, and then make sure you enable the checkbox "Enable tunneling" and click on Apply to restart the hub.

2. Once the Tunnels tab is enabled, Select "Client Configuration" tab.

3. Click on "New", which will open "New Tunnel Connection" GUI.

                    

4. Provide the Tunnel Server IP address, password, and paste the Certificate copied while creating the Client certificate on the Tunnel Server side.

                  

5. Click on "Apply" and Click "yes" to restart the probe.

Tunnel Verification:

Tunnel verification can be done by creating Queues between Tunnel Server and Tunnel Client.

Queues allow messages from client hubs to reach the primary hub. Use a combination of ATTACH and GET queues (most common).

Attach queue: is a permanent queue that collects the messages sent by the hub’s robots. A corresponding GET queue is paired with each ATTACH queue to retrieve (get) those messages.

Post queue: A post queue sends a directed stream of messages to a specified hub but there is no guarantee of delivery.

 

Queue Creation at Client/Remote Hub (for messages Sent):

1. Open hub probe configuration and select "Queues" tab

2. Click on "New" to create a Queue and give the required name.

                      

3. Select the Type, Address, and Subject fields.             

4. Click "OK" and then click on "Apply" to restart the probe.


Queue Creation at Server/Primary Hub (for messages Received):

1. Open hub probe configuration and select "Queues" tab

2. Click on "New" to create a Queue and enter the required name.

                    

3. Select the Type, Address, and Subject fields. 

Select Queue type of get to 'GET' the messages from the remote hub tunnel client's local ATTACH queue.

Select Address field from which remote hub you want to receive the messages/alarms.                 

4. Click "OK" and then click on "Apply" to restart the probe.

5. Please wait for some time and then check the Status tab under via the hub probe GUI.

                      

Additional Information

Ports

Multiple-hub infrastructure that uses tunnels that are NOT SSL tunnels:

  • All ports that are used in a single-hub installation
  • Use Port 48003 for the tunnel server (can also be set to 443, but 48003 is the best practice/recommendation as sometimes https traffic is partially filtered)

Multiple-hub infrastructure that uses SSL tunnels:

  • 48000 (controller) and 48002 (hub)
  • 48003 to allow the tunnel client to access the tunnel server
  • Maybe ports 8443 and 8080 (service_host prior to UIM 9.x) to allow the tunnel client to access Admin Console and UIM web page

Configure Queues and Tunnels (broadcom.com)

 

Powered by Wolken Software