IBM Support

Configuring MultiSite Shipping Server to work within a static port range

Question & Answer


Question

What options are available when using ClearCase MultiSite shipping server across a firewall through a restricted set of ports?

Answer

By default, the shipping server attempts to use any available port above 1024 when shipping packets to a remote server. This document explains two available options for configuring ClearCase MultiSite to work through a specific range of ports for use with a firewall.

In the past, Shipping Server used the CLEARCASE_MIN_PORT and CLEARCASE_MAX_PORT variables to limit the ports used. However, ClearCase versions 7.0.1.3, 7.0.0.2, and 7.1 introduced a new method for limiting ports using the MSSHP_MIN_PORT and MSSHP_MAX_PORT variables.

The CLEARCASE_MIN_PORT and CLEARCASE_MAX_PORT variables are still supported and are discussed further down in this document. However, there are some benefits to using MSSHP_MIN_PORT and MSSHP_MAX_PORT as noted below.

Benefits

  • The variables affect only the Shipping Server process, so they can be set on any ClearCase server that needs to send update packets to a remote host.

    Important Note: Opening the firewall allows access to all servers created by the albd_server on the exposed host. This can allow other programs from outside the network to connect to those servers. Therefore, the firewall machine that runs the shipping_server should not run other ClearCase servers.
  • Fully supported on both UNIX and Windows.
  • Uses a single consistent configuration file on all supported operating systems.
  • More options to minimize port usage.



Configuring the MSSHP_MIN_PORT, MSSHP_MAX_PORT variables

These variables are set in a file called albd_rt_params.conf on both UNIX and Windows.

    This file needs to be created in one of the following locations:

    UNIX and Linux (7.0, 7.0.1 and 7.1 )
         /var/adm/rational/clearcase/config/
        
    Windows
        ...\ClearCase\config\services
        
    Windows (7.0 and 7.0.1 default location)
       \Program Files\Rational\ClearCase\config\services\
       
    Windows (7.1.x default location)
       \Program Files\IBM\RationalSDLC\ClearCase\config\services

      Note:

        For ClearCase 7.1.x on UNIX and Linux the following symbolic link needs to be made:

        from
         /opt/rational/clearcase/config/services/albd_rt_params.conf
        to
         /var/adm/rational/clearcase/config/albd_rt_params.conf        

        Perform these steps (on the servers and any clients that need to use this functionality):
        1. If it exists, remove or rename
          /opt/rational/clearcase/config/services/albd_rt_params.conf
        2. Edit /var/adm/rational/clearcase/config/albd_rt_params.conf  to put in the values for MSADM_SVR_PORT, MSSHP_MIN_PORT and MSSHP_MAX_PORT
        3. Run:
          ln -s /var/adm/rational/clearcase/config/albd_rt_params.conf \
            /opt/rational/clearcase/config/services/albd_rt_params.conf

        4. Now verify the symlink:
          ls -la /opt/rational/clearcase/config/services/albd_rt_params.conf
          lrwxrwxrwx 1 root root  54 Jul  2 23:35 /opt/rational/clearcase/config/services/albd_rt_params.conf -> /var/adm/rational/clearcase/config/albd_rt_params.conf


    The values should be set in the form of:

      MSSHP_MIN_PORT 49153

      MSSHP_MAX_PORT 65535


    • The range of ports set MUST be the same on each server that will communicate with another server. In other words, this must be set in servers on both sides of the firewall.
    • These settings will override any settings made in the atria_start script or the shipping.conf on UNIX and Linux.
    • The recommended range value is 20 and should not be less than 16 to guarantee that the shipping server works efficiently.
    • The value for MSSHP_MAX_PORT must be greater than MSSHP_MIN_PORT.
    • The suggested MSSHP_MIN_PORT value is 49153 or greater.
      (Port 49151 is the beginning of the Dynamic and Private Port Range)
    • The suggested MSSHP_MAX_PORT value is 65535 or less.
      (Port 65535 is the end of the Dynamic and Private Port Range)
    • ClearCase needs to be restarted for these configuration changes to take effect.
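
    A pre-restart check for the rules listed above, as an added example (not IBM's code): it reads MSSHP_MIN_PORT and MSSHP_MAX_PORT from an albd_rt_params.conf, applies the bounds, and compares the files from both sides of the firewall. The function names and sample files are hypothetical, and it assumes the "range value" means the number of ports in the range.

```shell
#!/bin/sh
# Added example, not IBM code. Function names and sample files are hypothetical.

# get_param FILE KEY: print the last value set for KEY (empty if absent).
get_param() {
    awk -v k="$2" '{ sub(/\r$/, "") } $1 == k { v = $2 } END { print v }' "$1"
}

# check_msshp_range FILE: print findings; return 1 if any ERROR was found.
# Assumption: the "range value" is the number of ports, max - min + 1.
check_msshp_range() {
    min=$(get_param "$1" MSSHP_MIN_PORT)
    max=$(get_param "$1" MSSHP_MAX_PORT)
    for v in "$min" "$max"; do
        case "$v" in   # reject empty, leading zero, non-digits, 6+ characters
            ''|0*|*[!0-9]*|??????*)
                echo "ERROR: MIN/MAX missing or not a plain port number"; return 1 ;;
        esac
    done
    rc=0
    [ "$max" -le 65535 ] || { echo "ERROR: MSSHP_MAX_PORT above 65535"; rc=1; }
    [ "$min" -ge 49153 ] || echo "WARN: MSSHP_MIN_PORT below the suggested 49153"
    width=$((max - min + 1))
    if [ "$max" -le "$min" ]; then
        echo "ERROR: MSSHP_MAX_PORT must be greater than MSSHP_MIN_PORT"; rc=1
    elif [ "$width" -lt 16 ]; then
        echo "ERROR: $width ports in range, fewer than 16"; rc=1
    elif [ "$width" -lt 20 ]; then
        echo "WARN: $width ports in range, recommended is 20"
    fi
    return "$rc"
}

# same_range FILE_A FILE_B: both sides of the firewall must use the same range.
same_range() {
    for k in MSSHP_MIN_PORT MSSHP_MAX_PORT; do
        [ "$(get_param "$1" "$k")" = "$(get_param "$2" "$k")" ] ||
            { echo "ERROR: $k differs between $1 and $2"; return 1; }
    done
}

# Constructed sample files for two hosts (values made up for the demo).
demo=$(mktemp -d)
printf 'MSSHP_MIN_PORT 49153\nMSSHP_MAX_PORT 49172\nMSSHP_STRICT 1\n' > "$demo/shipserv1.conf"
printf 'MSSHP_MIN_PORT 49153\nMSSHP_MAX_PORT 49162\n' > "$demo/shipserv2.conf"
for f in "$demo"/*.conf; do
    echo "== $f"
    check_msshp_range "$f" || echo "-> fix before restarting ClearCase"
done
same_range "$demo/shipserv1.conf" "$demo/shipserv2.conf" || true
rm -rf "$demo"
```

    Run it against a copy of the file from each shipping server before the firewall change window; a mismatch between the two sides is reported by same_range.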


    Important: By default, the port restriction on outgoing connections was loosened so that packet transfers can exit through any available port, which allows fewer ports to be open through the firewall. At some high-security sites, outgoing traffic was also restricted to a certain range of ports, so the following option was made available in ClearCase versions 7.1.0.2, 7.0.1.5, 7.0.0.6, or later (with the fix for APAR PK70970):

    MSSHP_STRICT - When set to 1, enforces the specified range on both outgoing AND incoming ports.
      

    For other ClearCase options available in the albd_rt_params.conf file see technote 1233313.


    Configuring the CLEARCASE_MIN_PORT and CLEARCASE_MAX_PORT variables


    The CLEARCASE_MIN_PORT and CLEARCASE_MAX_PORT variables are set differently on Unix and Windows.

    In both cases the range of ports set should be the same on each server that will communicate through a firewall.

    UNIX and Linux

    The ClearCase MultiSite Administrator's Guide states that the variable options are to be set in the shipping.conf file.

    To use ClearCase MultiSite through a firewall, the CLEARCASE_MIN_PORT and CLEARCASE_MAX_PORT variables must be set not only in the MultiSite shipping.conf configuration file but also in the ClearCase start-up script on the exposed host (/usr/atria/etc/atria_start or ccase-home-dir/etc/clearcase).

    UNIX and Linux have a defined section in the shipping.conf file to configure the CLEARCASE_MIN_PORT and CLEARCASE_MAX_PORT settings.


    Example:



    # CLEARCASE_MIN_PORT  <port-number>
    # CLEARCASE_MAX_PORT  <port-number>
    #
    #         These options are used to specify a range of ports the shipping
    #         server should use on a firewall system.
    #
    #         The names of these options differ in format from the other options
    #         in this file because they correspond to the environment variables
    #         that will be set in the shipping server environment.
    #
    #         The CLEARCASE_MIN_PORT must be set to 49151 or greater.
    #         Port 49151 is the beginning of the Dynamic and Private Port Range.
    #
    #         The CLEARCASE_MAX_PORT must be set to 65535 or less.
    #         Port 65535 is the end of the Dynamic and Private Port Range.
    #
    #         The CLEARCASE_MAX_PORT must be > CLEARCASE_MIN_PORT.
    #
    #         Enable only on firewall systems.
    #
    #               CLEARCASE_MIN_PORT      49151
    #               CLEARCASE_MAX_PORT      65535


    Review the IBM Rational ClearCase MultiSite Administrators Guide on the topic of shipping.conf (cleartool man shipping.conf) for more information.


    Windows

    On Windows hosts, the CLEARCASE_MIN_PORT and CLEARCASE_MAX_PORT must be set as System Environment Variables.

    In Windows Operating systems all ClearCase processes, not just the shipping server, use the range of ports specified in the CLEARCASE_MIN_PORT and CLEARCASE_MAX_PORT system environment variables. This will severely curtail the scalability of the server by limiting its ability to open and use whatever ports are required to communicate with ClearCase client machines that are accessing data on this server. So it is important that this system only be used as a Shipping Server even though other ClearCase services are installed.

    ADVISORY: Open ports in the firewall allow access to all server processes created by the Atria Location Broker Daemon (ALBD) service on the exposed host. This can allow other programs from outside the network to connect to those servers. Therefore, it is recommended that the firewall machine running the shipping_server not run other ClearCase servers.

    Example:

    Assuming that the hosts in question are all Windows hosts, the following information will provide a basic example of configuring ClearCase MultiSite shipping through firewalls.

    The configuration for this example will identify the hosts as follows:

    • VobServ1 (VOB server at site1)
    • ShipServ1 (Shipping server at site1)
    • FW1 (firewall at site1)
    • FW2 (firewall at site2)
    • ShipServ2 (Shipping Server at site2)
    • VobServ2 (VOB server at site2)

    The replicas for this example will be created at site1 and shipped and imported to site2.

    In this scenario ClearCase MultiSite is installed on ALL hosts. However, ShipServ1 and ShipServ2 are going to be used to transport the packets through the firewall and therefore have "CLEARCASE_MAX_PORT" and "CLEARCASE_MIN_PORT" specified. This means that both of these hosts, while having full ClearCase installed, CANNOT be used for any other ClearCase operations and can only be used for shipping the replica creation and synchronization packets.

    Refer to the following documents for further details before proceeding as they will help to provide clarification about the details provided in the steps that follow:

    • Refer to the Routing Information section of the IBM Rational ClearCase MultiSite Administrators Guide under the topic of MultiSite Control Panel for further information about routing MultiSite packets.

    SERVER ENVIRONMENT

    VobServ1:

    • Configured to route its packets to ShipServ1
    • This will be the host where you need to run "multitool mkreplica" and "multitool syncreplica" commands

    ShipServ1:

    • Configured to send packets to ShipServ2
    • "CLEARCASE_MAX_PORT" and "CLEARCASE_MIN_PORT" ports are set up to match the ports open in the firewall

    ShipServ2:

    • Configured to send packets to VobServ2
    • "CLEARCASE_MAX_PORT" and "CLEARCASE_MIN_PORT" ports are set up to match the ports open in the firewall

    VobServ2:

    • Receives the packets and imports them

    Note: This procedure would be reversed when site2 is sending update packets to site1.

    The instructions for this setup are as follows:

    1. Install ClearCase with ClearCase MultiSite on the ShipServ1 and ShipServ2 hosts.
    2. Configure the firewall to open ports between ShipServ1 and ShipServ2.
      Refer to your vendor firewall documentation for details.

      The following is a minimum:
      • ALBD port 371
      • At least 10 other TCP ports above port 49151 and below port 65535
    3. Configure the ClearCase MultiSite Shipping Server on the ShipServ1 and ShipServ2 to use the open ports to transfer MultiSite packets. Refer to the sections above for details.
    4. Configure the ClearCase MultiSite Shipping Server on VobServ1 to route packets to VobServ2 through the shipping server on ShipServ1. Refer to the documentation references above for details.

    Document Information

    Modified date:
    16 June 2018

    UID

    swg21207525