Re: Operations Center 8.1.4 - Client Package Download using Proxy

2018-03-07 Thread Uwe Schreiber
Yes, I have already thought about using a transparent proxy such as
redsocks. But I would like to avoid installing any additional software
to circumvent the shortcomings of the Spectrum Protect software.
Uwe
On Tue, 2018-03-06 at 11:35 +0100, Martin Janosik wrote:
> Hello,
> have you considered some kind of transparent TCP-to-proxy redirection,
> i.e. redsocks?
> I have not tested it personally but I bookmarked it in the past - I
> thought it could be helpful one day (today?)
> 
> Martin J.
> 
> "ADSM: Dist Stor Manager"  wrote on 2018-03-06
> 10:34:13:
> 
> > From: Uwe Schreiber 
> > To: ADSM-L@VM.MARIST.EDU
> > Date: 2018-03-06 10:36
> > Subject: Re: [ADSM-L] Operations Center 8.1.4 - Client Package
> > Download using Proxy
> > Sent by: "ADSM: Dist Stor Manager" 
> > 
> > I did a test by setting the Java options for the instance user, and
> > restarted the instance.
> > 
> > I also set the Java options for usage by the OPC.
> > 
> > -> unchanged situation -> download of packages is failing.
> > 
> > It is not the OC which is downloading the software packages.
> > The "Deploy Package Manager" (integrated in the dsmserv binary?)
> > triggers the download / refresh / etc. of the software packages.
> > 
> > I did not see any other java processes than the OPC GUI when the
> > message "ANR3753I The client update packages manager is started. /
> > ANR3756I A refresh of client update packeges was started." appeared.
> > 
> > So I assume dsmserv does not start any Java based sub-processes for
> > downloading the software packages.
> > 
> > Uwe
> > 
> > On Tue, 2018-03-06 at 11:07 +0300, Efim wrote:
> > > Why not configure a transparent proxy for this traffic?
> > > 
> > > Assuming that the hub participates in the download of packages, by
> > > default Java does not use a system proxy.
> > > You can try to use the option -Djava.net.useSystemProxies=true in the
> > > environment settings for the user on behalf of which the hub starts.
> > > It will look like: export IBM_JAVA_OPTIONS="-Dmysysprop1=tcpip -Dmysysprop2=wait -Xdisablejavadump"
> > > I found an example in
> > > https://www.ibm.com/support/knowledgecenter/en/SSMKFH/com.ibm.apmaas.doc/install/config_forwardproxy_dc.htm
> > > but it uses a jvm.options file.
> > > 
> > > Efim
> > > 
> > > 
> > > > On 6 March 2018, at 10:39, Uwe Schreiber wrote:
> > > > 
> > > > Hello Efim,
> > > > 
> > > > thank you for your response.
> > > > 
> > > > I already had a try using the local catalog.
> > > > This did not bypass the direct download from IBM.
> > > > 
> > > > From my point of view, the local catalog gives you the possibility
> > > > to create your own package repository.
> > > > Therefore you have to build an http server where you store the
> > > > package for a download by the OC hub instance.
> > > > In addition you have to modify the local catalog.json file to point
> > > > to the right package locations on your own http server.
> > > > 
> > > > Of course I could set up my own http server and build a local
> > > > repository.
> > > > But this would increase the complexity, etc.
> > > > 
> > > > Uwe
> > > > 
> > > > 
> > > > On Tue, 2018-03-06 at 09:25 +0300, Efim wrote:
> > > > > Hi
> > > > > You can try to configure a local catalog. It will bypass using
> > > > > the proxy:
> > > > > 
> > > > > setopt clientdeployuselocalcatalog yes
> > > > > create dir: //deployconfig/
> > > > > run (you can add it to the cron): curl -o / > > > > dir>/deployconfig/catalog.json https://public.dhe.ibm.com/storage/tivoli-storage-management/catalog/client/catalog.json
> > > > > 
> > > > > Efim
> > > > > 
> > > > > 
> > > > > 
> > > > > > On 6 March 2018, at 0:32, Uwe Schreiber wrote:
> > > > > > 
> > > > > > I am searching for a solution for deploying client updates
> > > > > > using Operations Center 8.1.4.
> > > > > > 
> > > > > > My OC hub (is spoke as well) is not able to connect directly to
> > > > > > https://public.dhe.ibm.com/...
> > > > > > I have to use a proxy configuration to enable that
> > > > > > communication.
> > > > > > 
> > > > > > So I configured the variables http_proxy / https_proxy with
> > > > > > the according proxy information for the instance user within
> > > > > > the RHEL 7.4 operating system.
> > > > > > 
> > > > > > Testing using "curl" and "wget" works as expected when trying
> > > > > > to download an 

Re: v7.1.8/8.1.2 SSL Upgrade: Rethinking servers first or clients first

2018-03-07 Thread Loon, Eric van (ITOPT3) - KLM
Hi Steve,
Both your and Arnaud's solution will work, until you stop/start your server. 
Then the schedule time will be missed and it will never be started again until 
you run it once manually...
Kind regards,
Eric van Loon
Air France/KLM Storage Engineering

-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of 
Harris, Steven
Sent: Wednesday 7 March 2018 2:57
To: ADSM-L@VM.MARIST.EDU
Subject: Re: v7.1.8/8.1.2 SSL Upgrade: Rethinking servers first or clients first

Eric

Really old-school...

Schedule a one time admin schedule to run a script that as the last step 
schedules itself again some time in the future

e.g

def scr reset_fred
upd scr reset_fred 'upd admin fred  sessionsecurity=transitional'   line=5  
 check the syntax
upd scr reset_fred 'upd sched reset_fred  t=a start=+0:05'  line=10


def sched reset_fred t=a cmd='run reset_fred'  active=yes  


Regards

Steve

Steven Harris
TSM Admin/Consultant
Canberra Australia



-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Loon, 
Eric van (ITOPT3) - KLM
Sent: Wednesday, 7 March 2018 2:00 AM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] v7.1.8/8.1.2 SSL Upgrade: Rethinking servers first or 
clients first

Hi Krzysztof,
Agreed, it will work but it sure ain't pretty. And again, we are trying to find 
a fix for something IBM has broken...
Kind regards,
Eric van Loon
Air France/KLM Storage Engineering


-Original Message-
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of 
Krzysztof Przygoda
Sent: Tuesday 6 March 2018 15:40
To: ADSM-L@VM.MARIST.EDU
Subject: Re: v7.1.8/8.1.2 SSL Upgrade: Rethinking servers first or clients first

Hi Eric
A solution for an admin schedule to run more often without crontabs is to have 
several of them starting at a different moment of each hour (startt value).
E.g.:
def sched ADMIN_TRANSITIONAL_1 type=admin active=yes  STARTT=15:01 CMD="RUN ADMIN_TRANSITIONAL" duru=min peru=hour
def sched ADMIN_TRANSITIONAL_2 type=admin active=yes  STARTT=15:11 CMD="RUN ADMIN_TRANSITIONAL" duru=min peru=hour
etc.
I know, this makes the "fix" even more ridiculous ...but again, it works:-)

Kind regards
Krzysztof

2018-03-06 15:17 GMT+01:00 Loon, Eric van (ITOPT3) - KLM <
eric-van.l...@klm.com>:

> Hi Roger,
> I'm struggling with the exact same issues as you are. I'm running a
> 7.1.8 server and all procedures we are using for years to deploy new 
> clients fail because of the admins STRICT issue. And migrating 
> existing (< 7.1.8) versions from another server to this 7.1.8 server 
> is only possible after a manual update of the admin to TRANSITIONAL, 
> each and every time. You can't bypass this by installing the 
> certificate first because the dsmcert utility does not exist in pre-7.1.8 
> clients!
> I really think IBM has screwed up here big time. They clearly 
> underestimated the impact of these "small" security "enhancements" they 
> implemented. :-( I too thought about the fix of having the admin 
> account updated to TRANSITIONAL every minute or so, but I haven't been 
> able to find a way through the administrative scheduler to schedule a 
> command more often than once per hour (PERunits=H)... So you have to 
> build your own scripts and schedule it through cron, which isn't 
> allowed in our shop.
> I too have a hard time finding a simple solution. I think the best 
> thing IBM could do is admit that they have underestimated this issue 
> and create a
> 7.1.8.100 patch level with the option to set an admin account to 
> TRANSITIONAL permanently.
> Kind regards,
> Eric van Loon
> Air France/KLM Storage Engineering
>
> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf 
> Of Deschner, Roger Douglas
> Sent: Friday 2 March 2018 2:00
> To: ADSM-L@VM.MARIST.EDU
> Subject: v7.1.8/8.1.2 SSL Upgrade: Rethinking servers first or clients 
> first
>
> I've been using our test setup for further testing, and I'm thinking 
> of reversing my strategy. I may want to upgrade clients first, and 
> then servers.
>
> The basic issue is still how to overcome the roadblock of having an 
> Administrator ID automatically switched from TRANSITIONAL to STRICT 
> upon first login from a 7.1.8/8.1.2+ dsmadmc client. IBM seems to 
> think we can upgrade all servers and all clients to 7.1.8/8.1.2+ 
> simultaneously. That is not practical.
>
> In the worst case, this automatic switching could cause the System 
> Administrator's worst nightmare - to lose control over a running system.
>
> I am still considering the (very ugly) bypass of an administrative 
> schedule that sets it back to TRANSITIONAL for all Admin IDs every 5 
> minutes. There will still be some failures.
>
> But I am also considering reversing the strategy I had considered 
> earlier, to a different strategy of upgrading all of the clients 
> involved (about 7 of them, I think, but I'm not sure) to 7.1.8 or
> 8.1.4 first, while 

Re: v7.1.8/8.1.2 SSL Upgrade: Rethinking servers first or clients first

2018-03-07 Thread PAC Brion Arnaud
Another alternative: define a script named "OP_ADMIN_CONTROL"

having the following content:

del schedule OP_ADMIN_LOOP_CTL type=administrative
[your update admin command]
def schedule OP_ADMIN_LOOP_CTL type=a cmd="run OP_ADMIN_CONTROL" active=yes startt=now+0:10 peru=o


Cheers.

Arnaud

Backup and Recovery Systems Administrator
Panalpina Management Ltd., Basle, Switzerland,
CIT Department Viadukstrasse 42, P.O. Box 4002 Basel/CH
Phone: +41 (61) 226 11 11, FAX: +41 (61) 226 17 01
Direct: +41 (61) 226 19 78
e-mail: arnaud.br...@panalpina.com

