Control-M Communication Behind a Firewall
The following procedures describe how to connect to Control-M components that are behind a firewall. Each procedure identifies the specific ports a component listens on, so that you can open only those ports in the firewall rules and leave all other access to these components from outside network devices blocked:
-
Configuring Control-M/EM Server with High-Availability or Control-M/EM Distributed Behind a Firewall
-
Connecting to Control-M/EM Behind a Firewall from Control-M Clients
-
Connecting to Control-M/EM Behind a Firewall from Workload Archiving Server
A connection is created when a host (the source) initiates a connection to a port on a destination endpoint, which listens for and accepts the connection. In these procedures you open the listening ports (destination endpoints) behind your firewall in the inbound direction only. A stateful firewall then permits the reply traffic that belongs to an accepted connection, so the Control-M components can exchange data in both directions between source and destination without the port also being opened outbound.
Connecting to Control-M/Server Behind a Firewall
This procedure describes how to connect to a Control-M/Server behind a firewall by configuring ports in the ctm_menu utility and the config.dat file.
Begin
-
From a command line on a Control-M/Server, run the following command:
ctm_menu
-
Select 4 Parameter Customization.
-
Select 1 Basic Communication and Operational Parameters.
-
Verify that the following ports are configured in the firewall rules to allow bidirectional communication:
2 - Control-M/EM TCP/IP Port Number [1025-65535] : 2370
4 - Configuration Agent Port Number [1025-32767] : 2369
5 - Agent-to-Server Port Number [1025-65535] : 7005
6 - High Availability Port Number [1025-32767] : 2368
The Configuration Agent Port Number range refers to a Distributed Control-M/Server. The range of ports available to an MVS Control-M/Server is 1024–65534.
-
From the ctm_menu, select 8 - Services Configuration, and then select 2 - API-Gateway Service Configuration.
-
Verify that the following port is set in the firewall rules on all instances of Control-M/EM to allow bidirectional communication:
API-Gateway Port Number : 8393
Connecting to an Agent Behind a Firewall
This procedure describes how to connect to an Agent behind a firewall by configuring ports in the ctmagcfg utility.
Begin
-
From a command line on an Agent, run the following command:
ctmagcfg
-
Verify that the following ports are open in the firewall rules for bidirectional communication:
-
Agent-to-Server Port Number . . . : [7005]
-
Server-to-Agent Port Number . . . : [7006]
-
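The following script is an added example and is not part of the Control-M documentation or product. It turns the port assignments from the Control-M/Server and Agent procedures above into host-firewall rules for the side that actually listens, and checks that the expected listener is bound. The role that each port is assigned to follows where the procedure tells you to configure it (ctm_menu on the Control-M/Server, ctmagcfg on the Agent, the API-Gateway port on the Control-M/EM instances); the role names, the ctm_ function names, and the choice of iptables and firewalld as backends are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Control-M documentation or product.
# Builds host-firewall rules for the side of each Control-M connection that
# listens, and checks that the expected listener is actually bound.
# Ports are the defaults shown by ctm_menu and ctmagcfg above; the role names
# (server, agent, em) record which procedure configures the port, and the
# iptables/firewalld backends are this example's choice.

# Port table: <role that listens> <default port> <description>.
# Each port is inbound on exactly one side: the Agent-to-Server port is
# opened on the Control-M/Server, the Server-to-Agent port on the Agent.
ctm_port_table() {
    cat <<'EOF'
server 2370 Control-M/EM TCP/IP port
server 2369 Configuration Agent port
server 7005 Agent-to-Server port
server 2368 High Availability port
em     8393 API-Gateway port
agent  7006 Server-to-Agent port
EOF
}

# ctm_ports ROLE -> the ports ROLE must accept inbound, one per line.
ctm_ports() {
    ctm_port_table | awk -v role="$1" '$1 == role { print $2 }'
}

# ctm_rules ROLE BACKEND [PEER_CIDR]
# Prints iptables or firewalld commands that allow new inbound TCP connections
# to the ports ROLE listens on. With PEER_CIDR the rule is limited to that
# source network, which is what you want when the peer address is known.
# Reply traffic on an accepted connection is handled by connection tracking,
# so nothing has to be opened in the outbound direction.
ctm_rules() {
    role=$1; backend=$2; peer=${3:-}
    case $backend in
        iptables|firewalld) ;;
        *) echo "ctm_rules: unknown backend '$backend'" >&2; return 2 ;;
    esac
    ports=$(ctm_ports "$role")
    if [ -z "$ports" ]; then
        echo "ctm_rules: unknown role '$role'" >&2; return 2
    fi
    for port in $ports; do
        if [ "$backend" = iptables ] && [ -n "$peer" ]; then
            echo "iptables -A INPUT -p tcp -s $peer --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        elif [ "$backend" = iptables ]; then
            echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        elif [ -n "$peer" ]; then
            echo "firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=$peer port port=$port protocol=tcp accept'"
        else
            echo "firewall-cmd --permanent --add-port=$port/tcp"
        fi
    done
}

# ctm_listening PORT -> 0 if some process has a TCP listener bound on PORT
# on this host (uses ss from iproute2). A rule for a port nobody listens on
# usually means the component was not recycled or uses a different port.
ctm_listening() {
    ss -Hltn 2>/dev/null | awk -v p="$1" '
        { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit !found }'
}

# ctm_check_role ROLE -> prints one line per expected port and returns the
# number of ports that have no listener.
ctm_check_role() {
    missing=0
    for port in $(ctm_ports "$1"); do
        if ctm_listening "$port"; then
            echo "$port listening"
        else
            echo "$port NOT listening"; missing=$((missing + 1))
        fi
    done
    return $missing
}
```

Source the file on the host in question and run, for example, `ctm_rules server iptables 10.20.0.0/24` on the Control-M/Server to print rules restricted to the network the Agents and Control-M/EM connect from, then `ctm_check_role server` after recycling the components to confirm every port in the table is actually bound. If you changed a port in ctm_menu or ctmagcfg, edit the table to match before generating rules.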
Configuring Control-M/EM Server with High-Availability or Control-M/EM Distributed Behind a Firewall
This procedure describes how to configure Control-M/EM Server components with High Availability or with a Control-M/EM Distributed behind a firewall.
Begin
-
In the CCM, open Control-M/EM System Parameters, and from the Advanced tab, navigate to the HostPort parameter.
-
If there are additional HostPort parameters defined for each component, delete the additional HostPort parameters.
-
In the original HostPort parameter, click Restore Default.
-
Do the following:
-
To set the available control port range for Control-M/EM, except for the Gateway, do the following:
-
Select the HostPort parameter.
The Control-M/EM - Update System Parameter dialog box appears.
-
In the Value field, define the port range as follows, and then click Save:
:<Port1>-<Port2>
-
You cannot use 0 as a port number.
-
The minimum range is 20.
-
-
To set the available port range for the Gateway, select the HostPort parameter and click Add.
-
In the Value field, define the port range as follows:
:<Port3>-<Port4>
-
From the Type drop-down list, select Gateway and click Save.
-
You cannot use 0 as a port number.
-
The minimum range is 10.
-
If you have more than five Control-M/Servers, the port range must hold at least twice as many ports as you have Control-M/Servers.
-
-
To change the Thrift ports range, do the following:
-
Open the <HOME>/ctm_em/etc/domains/communication.xml file.
-
Navigate to the following line:
<!--variable name="ListenPort" value="9090-9150" /-->
-
Replace the line with the following text, which removes the comment markers so that the ListenPort variable takes effect:
<variable name="ListenPort" value="9090-9150"/>
-
Change the ports if needed.
-
Save and close the .xml file.
-
-
To configure the Kafka server component behind a firewall, you must configure the Kafka server ports, as described in Connecting to an Apache Kafka Server Behind a Firewall.
-
-
Recycle all Control-M/EM Server components on all Control-M/EM environments, including the Control-M/EM Configuration Agent.
-
If Control-M Workload Archiving is installed on the Distributed Control-M/EM, see Connecting to Control-M/EM Behind a Firewall from Workload Archiving Server.
-
The defined port ranges must not overlap and must not contain the Web Server port.
-
The Web Server port must be open in the Firewall settings.
-
The port ranges must be open in the firewall between the primary, secondary, and all Distributed machines.
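Before you enter the ranges, it is worth checking them against every rule this procedure states: no port 0, the minimum widths, the Gateway rule for more than five Control-M/Servers, no overlap between the control, Gateway and Thrift ranges (and the Workload Archiving ARC range if you define one), and the Web Server port outside all of them. The following shell functions do that check. They are an added example, not part of the Control-M documentation or product; the function names, the argument order of check_em_ports, and the sample ranges are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Control-M documentation or product.
# Validates a proposed set of Control-M/EM port ranges against the rules
# stated in the procedure above before they are entered in the HostPort
# parameters and communication.xml. Function names, argument order and the
# sample ranges are this example's own.

# parse_range ':9090-9150' | '9090-9150' | '10250' -> "lo hi" on stdout,
# non-zero status if the text is not a valid ascending numeric range.
parse_range() {
    r=${1#:}
    case $r in
        *-*) lo=${r%%-*}; hi=${r#*-} ;;
        *)   lo=$r; hi=$r ;;
    esac
    case $lo in ''|*[!0-9]*) return 1 ;; esac
    case $hi in ''|*[!0-9]*) return 1 ;; esac
    [ "$lo" -le "$hi" ] || return 1
    echo "$lo $hi"
}

# range_ok RANGE MIN_PORTS -> 0 if no port is 0, both ends are <= 65535 and
# the range holds at least MIN_PORTS ports.
range_ok() {
    lohi=$(parse_range "$1") || return 1
    lo=${lohi% *}; hi=${lohi#* }
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] || return 1
    [ $((hi - lo + 1)) -ge "$2" ]
}

# ranges_overlap RANGE_A RANGE_B -> 0 if the ranges share at least one port.
ranges_overlap() {
    a=$(parse_range "$1") || return 2
    b=$(parse_range "$2") || return 2
    [ "${a% *}" -le "${b#* }" ] && [ "${b% *}" -le "${a#* }" ]
}

# range_contains RANGE PORT -> 0 if PORT lies inside RANGE.
range_contains() {
    r=$(parse_range "$1") || return 2
    [ "${r% *}" -le "$2" ] && [ "$2" -le "${r#* }" ]
}

# check_em_ports CONTROL GATEWAY THRIFT WEB_PORT NUM_SERVERS [ARC]
# CONTROL is the HostPort range for all components except the Gateway,
# GATEWAY the Gateway HostPort range, THRIFT the ListenPort range from
# communication.xml, WEB_PORT the Control-M Web Server port, and ARC the
# optional Workload Archiving listen port or range. Prints one line per
# violated rule and returns the number of violations (0 means all rules pass).
check_em_ports() {
    control=$1; gateway=$2; thrift=$3; web=$4; nservers=$5; arc=${6:-}
    bad=0
    if ! range_ok "$control" 20; then
        echo "control range $control: must hold at least 20 ports, none of them 0"
        bad=$((bad + 1))
    fi
    # Gateway: at least 10 ports, or twice the number of Control-M/Servers
    # when there are more than five of them.
    if [ "$nservers" -gt 5 ]; then gw_min=$((2 * nservers)); else gw_min=10; fi
    if ! range_ok "$gateway" "$gw_min"; then
        echo "gateway range $gateway: must hold at least $gw_min ports for $nservers Control-M/Servers"
        bad=$((bad + 1))
    fi
    if ! range_ok "$thrift" 1; then
        echo "thrift range $thrift: not a valid range"
        bad=$((bad + 1))
    fi
    if [ -n "$arc" ] && ! range_ok "$arc" 1; then
        echo "ARC range $arc: not a valid range"
        bad=$((bad + 1))
    fi
    # Ranges must not overlap each other and must not contain the Web Server port.
    seen=""
    for x in $control $gateway $thrift $arc; do
        for y in $seen; do
            if ranges_overlap "$x" "$y"; then
                echo "ranges $x and $y overlap"
                bad=$((bad + 1))
            fi
        done
        if range_contains "$x" "$web"; then
            echo "range $x contains the Web Server port $web"
            bad=$((bad + 1))
        fi
        seen="$seen $x"
    done
    return $bad
}
```

Example use: `check_em_ports ':20000-20039' ':21000-21019' '9090-9150' 18080 8 '10250-10255'` passes, whereas the same call with a Gateway range of `:21000-21009` reports that ten ports are too few for eight Control-M/Servers, and a control range such as `:9100-9130` with the Web Server on 9120 reports both the overlap with the Thrift range and the Web Server port sitting inside two ranges. The values are constructed for illustration; substitute your own ranges and the port printed by emweb_status.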
Connecting to Control-M/EM Behind a Firewall from Control-M Clients
This procedure describes how to connect to Control-M/EM behind a firewall from Control-M clients.
Begin
-
From a command line on a Control-M/EM Server, run the following command:
emweb_status
The following appears:
web server is running [ host:port/ ]
-
In your firewall definition, verify that this specific port is open.
To use the Control-M Client Distribution feature and access the Help, Control-M Desktop 9.0.18 or higher must be installed to communicate with Control-M Web Server. The port is configured in the ./etc/emweb/tomcat/conf/server.xml file.
Connecting to an Apache Kafka Server Behind a Firewall
This procedure describes how to configure ports to enable you to connect to an Apache Kafka server behind a firewall. The firewall configuration is required so that the Services Configuration Agent (SCA) in each Control-M/EM Distributed instance can reach every Distributed instance of Kafka.
You must perform this procedure after you configure the other Control-M/EM Server components that are behind a firewall, as described in Configuring Control-M/EM Server with High-Availability or Control-M/EM Distributed Behind a Firewall.
Begin
-
From a command line, run the following command to define the Apache Kafka port:
-
UNIX: em -no_wrap cha -set_field_val KAFKA_PORT <port>
-
Windows: emcha -set_field_val KAFKA_PORT <port>
-
Connecting to Control-M/EM Behind a Firewall from Workload Archiving Server
This procedure describes how to configure a port or range of ports to enable you to connect the Workload Archiving Server to a Control-M/EM that is behind a firewall.
Begin
-
On the Control-M/EM Distributed host, back up the communication.xml file, which is located in one of the following locations:
-
Windows: %EM_HOME%\etc\domains\communication.xml
-
UNIX/Linux: $EM_HOME/etc/domains/communication.xml
-
-
In the original communication.xml file, add the "ARC" scope name to define the listen port for the Workload Archiving Server, and save the file, as shown in the following example:
<scope name="ARC">
    <variable name="ListenPort" value="port_number"/>
</scope>
where "port_number" is the port number or port range, such as 10250 for a specific port or 10250-10255 for a range of ports.
-
From the CCM, recycle the Workload Archiving component.
-
Verify that the configured port on the Primary and Distributed Control-M/EM environments is open.
-
From the Control-M/EM Distributed host, run the following utility to verify that the Workload Archiving Server is listening on the configured port:
arc_test_configuration
-
Run an archive search to verify that the search function is working.