Set up RXA for Liberty collective operations

Liberty collective controllers can use the Tivoli Remote Execution and Access (RXA) toolkit to perform selected operations on collective members. Use RXA to remotely start and stop servers, including starting and stopping servers on your local computer.

Set up Linux and UNIX machines

If SSH is already installed and enabled on the Linux and UNIX machine, ensure the configuration is set according to the following instructions.

If SSH is not enabled, configure OpenSSH 3.6.1, OpenSSH 4.7 (on AIX ), or Oracle SSH 1.1 so that it supports RXA connections. OpenSSH 3.7.1 or later contains security enhancements not available in earlier releases and is recommended.

Avoid trouble: OpenSSH Version 4.7.0.5302 for IBM AIX Version 5.3 is not compatible with RXA Version 2.3. If machines are running AIX Version 5.3 with OpenSSH Version 4.7.0.5302 installed, file transfers might not complete. To avoid this problem, revert from OpenSSH Version 4.7.0.5302 to Version 4.7.0.5301.

Use Secure Shell (SSH) protocol

RXA does not supply SSH code for UNIX operating systems. We must ensure that SSH is installed and enabled on all machines that include collective members.

In all UNIX environments except Solaris, the Bourne shell (sh) is used. On Solaris machines, the Korn shell (ksh) is used instead due to problems encountered with the Bourne shell (sh).

To use password-based authentication for SSH communications, edit the /etc/ssh/sshd_config file on each machine that includes one or more collective members. Set the PasswordAuthentication property to yes. For example:

PasswordAuthentication yes

The default value for the PasswordAuthentication property is no.

After changing this setting, stop and restart the SSH daemon using the following commands:

/etc/init.d/sshd stop
/etc/init.d/sshd start 

Set up IBM i machines

Using SSH public/private key authentication to IBM i machines is not supported.

Set up Windows machines

1. Ensure the collective controller is running with an IBM JDK.

   RXA requires some security classes that are in the IBM JDK, and which are not available in the Oracle or OpenJDK JVMs.

2. Ensure the system environment variables JAVA_HOME and PATH are set to the Java path on the computer.

3. Ensure that server.xml of each server to be managed specifies the account user name and password.

   User name and password in a hostAuthInfo statement in server.xml:

   <hostAuthInfo rpcUser="Windows_user_ID" rpcUserPassword="Windows_user_password" />

4. Enable connections to member servers on Windows computers

   To enable connections to Windows members, we can use a third-party SSH service such as Cygwin on the Windows member computer or change Windows operating system settings on a member computer that does not have an SSH service installed.

   • Use a third-party SSH service such as Cygwin on the Windows member computer.

     If the member computer uses an SSH service, the controller connects the member server with SSH. Specify a hostAuthInfo rpcUserHome parameter as well as the RPC user name and password in the member server.xml file because the third-party SSH service might have a different home directory than the one Windows uses:

     <hostAuthInfo rpcUser="Windows_user_ID" rpcUserPassword="Windows_user_password" rpcUserHome="user_home_directory"/>

     For user_home_directory, specify the user home for the SSH service; for example: rpcUserHome="C:\cygwin\home\user1". The SSH public and private key pair is generated in the .ssh directory under this user home directory.

   • If the Windows member computer does not use a third-party SSH service such as Cygwin, change the Windows operating system settings of the member computer to enable connections.

     • Ensure the user account belongs to the Administrators group.

       Many RXA operations require access to resources that standard user accounts cannot access. Thus, the configuration of a collective member must include the name and password of a Windows user who belongs to the Administrators group.

     • Ensure File and Printer Sharing for Microsoft Networks is enabled for the network stack.

       1. Click Start > Control Panel > Network and Sharing Center > Change advanced sharing settings.

       2. Select Turn on file and printer sharing.

       3. Save the changes.

       Ensure that file sharing operations (on port 445) are not blocked on machines that include collective controllers or collective members.

       See the documentation for the operating system or the firewall software.

     • Start the Remote Registry service.

       The Remote Registry service must be running on computers that include collective members for the collective controllers to remotely run required commands and scripts.

       1. Click Start > Administrative Tools > Services.

       2. Within the list of services, locate the Remote Registry entry and verify that the status is Started. If we intend to use RXA regularly, consider setting the Remote Registry Startup type property to Automatic.

     • Disable User Account Control.

       1. Click Start > Control Panel > User Accounts > Change User Account Control settings.

       2. Set the User Account Control level to Never notify.

       3. Click OK.

       4. Reboot the computer for the changes to take effect.

See Liberty Collectives Remote Operation Configuration.

What to do next

If we have modified the server.xml of a managed server, manually start the server so that it publishes the new data to the controller.

After enabling RXA, test the host configuration and verify RXA connectivity:

Reference:
IBM Tivoli Monitoring Remote Execution and Access (RXA)