
IBM Tivoli Monitoring, Version 6.3 Fix Pack 2


XML Document Structure

This section illustrates the structure of firewall gateway XML configuration.

The relationships between XML configuration elements are illustrated in Figure 1. Attributes are described on affected elements; default values for most attributes can be supplied on outer elements with noted exceptions.

Figure 1. Structure of firewall gateway XML configuration document

<gateway>

A <gateway> element in the assigned namespace http://xml.schemas.ibm.com/tivoli/tep/kde/ contains the configuration elements described in this document. The gateway XML processor ignores well-formed XML that precedes the container, so a configuration document can be embedded in another document. This element cannot contain data.

name

The name attribute is required, cannot contain embedded delimiters, and must begin with a non-numeric character. This attribute identifies a specific gateway instance. It cannot be inherited from an outer element.

threads

The threads attribute specifies the number of worker threads in a general purpose thread pool. The specification must satisfy 1 <= value <= 256, and defaults to 32. Threads in this pool are shared by all defined zones, and are used only by interface startup logic, and to recover from outbound buffer exhaustion conditions. The default value is generally more than adequate.

<zone>

A zone is a container of interfaces sharing communication resources. This element cannot contain data.

name

The name attribute is required, cannot contain embedded delimiters, and must begin with a non-numeric character. This attribute identifies a specific zone instance. It cannot be inherited from an outer element.

maxconn

The maxconn attribute imposes an upper limit on the number of concurrent gateway connections within the zone. Each physical proxy connection and each logical connection crossing a relay interface counts against this limit. The specification must satisfy 8 <= value <= 4096, and defaults to 256.

bufsize

The bufsize attribute sets the data buffer size within the zone. The specification must satisfy 256 <= value <= 16384, and defaults to 2048.

minbufs

The minbufs attribute sets the minimum number of buffers in the zone buffer pool that are reserved for inbound traffic. The specification must satisfy 4 <= value <= 1024, and defaults to 64.

maxbufs

The maxbufs attribute sets the maximum number of buffers in the zone buffer pool that are reserved for inbound traffic. The specification must satisfy minbufs <= value <= 2048, and defaults to 128.

<interface>

An interface describes a set of network bindings whose behavior is fixed by the specified role and by the interface's position: it is upstream when the enclosing element is <zone>, and downstream when the enclosing element is <interface>. In all roles, logical connections arrive through one or more downstream interfaces and are forwarded through the upstream interface. After a logical connection has been established end to end, data flow is full duplex. A valid configuration requires an upstream interface to contain at least one downstream interface. This element cannot contain data.

name

The name attribute is required, cannot contain embedded delimiters, and must begin with a non-numeric character. This attribute identifies a specific interface instance. It cannot be inherited from an outer element.

role

The role attribute is required, and describes the behavior of the network bindings contained within. The role attribute must be specified as “proxy”, “listen”, or “connect”. Downstream proxy interfaces represent local listening endpoints, and function as a server proxy. Upstream proxy interfaces represent local connecting endpoints, and function as a client proxy. Relay interfaces are assigned either “listen” or “connect”. No configuration restriction is placed on the relay connection role other than that the two peer relay interfaces must specify opposite roles. Relay connections are considered persistent: they are initiated at gateway startup and automatically restarted in the event of a network disruption.

<bind>

A <bind> element represents connection resources on one or more local interfaces. When specified within interfaces that “listen” (downstream proxy, relay listen), bind elements represent listening ports on local interfaces. For “connect” interfaces (upstream proxy, relay connect), they represent the local binding to be used for the outbound connection. Specific local interface addresses can be supplied as data; the default interface is any.

localport

The localport attribute is required within “listen” interfaces, and is optional within “connect” interfaces. The value supplied is either a port number that satisfies 1 <= value <= 65535 or, for “connect” roles only, the name of a portpool element defined within the gateway.

ipversion

The ipversion attribute declares the address family to be used for activity within the tag scope. Valid values are 4 or 6, with a default of 4.

ssl

The ssl attribute controls SSL negotiation for connections within the scope of this binding. When specified as yes, a successful negotiation is required before a connection is allowed on the gateway. The default value is no, meaning no SSL negotiation occurs on behalf of the gateway connection. Note that this does not restrict the conveyance of SSL streams across a gateway, only whether or not the gateway itself acts as one end of the SSL negotiation. When this attribute is specified on a relay binding, it secures the relay traffic, and it must then be specified on both ends of the relay connection.

service

The service attribute is a character string used to represent a logical connection between client and server proxy interfaces. Each connection accepted by a server proxy must find an upstream client proxy connection with a matching service string. No value restrictions are imposed.

<connection>

The <connection> tag is used to supply remote network interfaces as data. When applied to a “listen” mode binding, the connection tag represents the list of remote interface addresses that are allowed to make a connection, and is optional. This tag is required for “connect” mode bindings, and describes the remote end of the connection. Multiple addresses can be supplied for failover purposes.

remoteport

The remoteport attribute supplies the default port number of remote interfaces described within this tag. The value supplied must satisfy 1 <= value <= 65535.

<portpool>

The <portpool> tag is used to create a list of local port numbers to be used for outbound connections. Port numbers are supplied as data, and can be specified discretely or as a range expression separated by hyphen ("-"). Range expressions are limited to 1024 bytes to prevent syntax errors from resulting in larger ranges than expected. Multiple specifications of either form are allowed.

name

The name attribute is required, cannot contain embedded delimiters, and must begin with a non-numeric character. This attribute identifies a specific portpool instance. It cannot be inherited from an outer element, and is referenced by the localport attribute of a bind element.
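The following validator, added here as an example and not part of IBM's product, walks a gateway document and checks the structural rules listed above: the namespace-qualified <gateway> container (with content before it ignored), the name rules, the numeric ranges and defaults on <gateway> and <zone> (including maxbufs >= minbufs), attribute inheritance from outer elements, the role and upstream/downstream rules on <interface>, the localport and <connection> requirements that depend on whether a binding listens or connects, and portpool references. The sample document is constructed; the delimiter set and the reading of the portpool range limit as "at most 1024 ports per range" are assumptions.

```python
# Validator for the firewall gateway XML structure documented above.
# Added example, not IBM's code; DELIMS and the 1024-ports-per-range reading are assumptions.
import xml.etree.ElementTree as ET

NS = "http://xml.schemas.ibm.com/tivoli/tep/kde/"
DELIMS = set(" \t,;")  # assumed meaning of "embedded delimiters"

# Constructed sample, embedded in an outer document to show that content before the
# <gateway> container is ignored: one zone holding an upstream client proxy (local ports
# drawn from a portpool) and a downstream server proxy on 1918, paired by service="tems".
SAMPLE = f"""<doc><notes>ignored before the container opens</notes>
<gw:gateway xmlns:gw="{NS}" name="gw1" threads="16">
  <zone name="dmz" maxconn="512" minbufs="32" maxbufs="64">
    <interface name="toTEMS" role="proxy">
      <bind localport="pool1" service="tems">
        <connection remoteport="1918">192.0.2.10 192.0.2.11</connection>
      </bind>
      <interface name="fromAgents" role="proxy">
        <bind localport="1918" service="tems"/>
      </interface>
    </interface>
  </zone>
  <portpool name="pool1">10000-10031 10100</portpool>
</gw:gateway></doc>"""
# Same document with maxbufs below minbufs and a dangling portpool reference.
BROKEN = SAMPLE.replace('maxbufs="64"', 'maxbufs="16"').replace('"pool1" s', '"nopool" s')

def local(tag):
    return tag.rsplit("}", 1)[-1]

def attr(el, ancestors, key, default=None):
    """Attribute lookup with outer-element defaulting; name never inherits."""
    for node in ([el] if key == "name" else [el, *reversed(ancestors)]):
        if node.get(key) is not None:
            return node.get(key)
    return default

def check_name(el, errors):
    n = el.get("name")
    if not n or n[0].isdigit() or DELIMS & set(n):
        errors.append(f"<{local(el.tag)}>: name {n!r} missing, numeric-led or delimited")

def check_int(el, anc, key, lo, hi, default, errors):
    raw = attr(el, anc, key, None if default is None else str(default))
    if raw is None:  # optional attribute not supplied anywhere
        return default
    v = int(raw) if raw.isdigit() else -1
    if not lo <= v <= hi:
        errors.append(f"<{local(el.tag)}> {key}={raw!r}: must satisfy {lo} <= value <= {hi}")
        return default
    return v

def parse_portpool(text):
    """Discrete ports and lo-hi ranges, whitespace separated; returns the port set."""
    ports = set()
    for tok in (text or "").split():
        lo, _, hi = tok.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535 or hi - lo >= 1024:
            raise ValueError(tok)
        ports.update(range(lo, hi + 1))
    return ports

def is_listener(role, upstream):
    # listen side: downstream proxy or relay listen; connect side: upstream proxy or relay connect
    return role == "listen" or (role == "proxy" and not upstream)

def check_bind(b, anc, listener, pools, errors):
    where = f"<bind> in <interface name={anc[-1].get('name')!r}>"
    lp = attr(b, anc, "localport")
    if lp is None:
        if listener:
            errors.append(f"{where}: localport is required on listen interfaces")
    elif lp.isdigit():
        if not 1 <= int(lp) <= 65535:
            errors.append(f"{where}: localport {lp!r} out of range")
    elif listener or lp not in pools:
        errors.append(f"{where}: localport {lp!r} is not a port or a defined portpool")
    if attr(b, anc, "ipversion", "4") not in ("4", "6"):
        errors.append(f"{where}: ipversion must be 4 or 6")
    if attr(b, anc, "ssl", "no") not in ("yes", "no"):
        errors.append(f"{where}: ssl must be yes or no")
    conns = [c for c in b if local(c.tag) == "connection"]
    if not listener and not conns:
        errors.append(f"{where}: connect bindings require a <connection>")
    for c in conns:
        check_int(c, anc + [b], "remoteport", 1, 65535, None, errors)
        if not listener and not (c.text or "").split():
            errors.append(f"{where}: <connection> needs at least one remote address")

def check_interface(iface, anc, upstream, pools, errors):
    check_name(iface, errors)
    role = iface.get("role")
    if role not in ("proxy", "listen", "connect"):
        errors.append(f"<interface name={iface.get('name')!r}>: role must be proxy, listen or connect")
        return
    downstream = [c for c in iface if local(c.tag) == "interface"]
    if upstream and not downstream:
        errors.append(f"<interface name={iface.get('name')!r}>: upstream interface needs a downstream interface")
    for b in (c for c in iface if local(c.tag) == "bind"):
        check_bind(b, anc + [iface], is_listener(role, upstream), pools, errors)
    for d in downstream:
        check_interface(d, anc + [iface], False, pools, errors)

def validate(xml_text):
    """Return the list of rule violations; an empty list means the document passes."""
    errors = []
    gws = list(ET.fromstring(xml_text).iter(f"{{{NS}}}gateway"))
    if len(gws) != 1:
        return [f"expected one gateway element in namespace {NS}, found {len(gws)}"]
    gw = gws[0]
    check_name(gw, errors)
    check_int(gw, [], "threads", 1, 256, 32, errors)
    pools = {}
    for pp in (e for e in gw.iter() if local(e.tag) == "portpool"):
        check_name(pp, errors)
        try:
            pools[pp.get("name")] = parse_portpool(pp.text)
        except ValueError as bad:
            errors.append(f"<portpool name={pp.get('name')!r}>: bad port spec {bad}")
    for zone in (z for z in gw if local(z.tag) == "zone"):
        check_name(zone, errors)
        check_int(zone, [gw], "maxconn", 8, 4096, 256, errors)
        check_int(zone, [gw], "bufsize", 256, 16384, 2048, errors)
        minb = check_int(zone, [gw], "minbufs", 4, 1024, 64, errors)
        check_int(zone, [gw], "maxbufs", minb, 2048, 128, errors)
        for up in (i for i in zone if local(i.tag) == "interface"):
            check_interface(up, [gw, zone], True, pools, errors)
    return errors

if __name__ == "__main__":
    print("sample:", validate(SAMPLE) or "ok")
    print("broken:", *validate(BROKEN), sep="\n  ")
```

Run against the sample, validate returns an empty list; against the broken variant it reports the maxbufs value below minbufs and the localport that names a portpool which does not exist. Because attributes are resolved by walking outward through the enclosing elements, a bufsize or ssl setting placed on <zone> or <gateway> is picked up by every bind beneath it, which is how the page's "default values for most attributes can be supplied on outer elements" rule behaves.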

