10 Replies Latest reply on Feb 11, 2019 11:02 AM by Barry Meehan

    Bidirectional communications between manager and agent is an issue for a potential customer.

    Mark Pilz

      Due to the network structure and security policies at our customer they have asked if there is a way to initiate communications from the Manager only or from the Agent only - but not both?


      Thanks


      Mark

        • 1. Re: Bidirectional communications between manager and agent is an issue for a potential customer.
          Barry Meehan

          Hi Mark,

          I assume you are referring to the line (shown below), on page 52 in the attached 8.9.03 Patch 2 BDA User Guide, where it makes reference to the communication between the manager and agents being "bidirectional". I believe you are asking if this can be modified in any way. Is that correct? If so, I don't believe that this would be possible, as this is how the product was designed. However, if you'd like, I can run your request by the engineering team to confirm. In addition, it would be helpful for engineering to have additional information regarding the customer's environment as to why the customer's network structure and security policies do not allow bidirectional communication between the manager and agent. We have many banks and government sites, including the military, that use the BDA product without this requirement.

          Network access

          Network connectivity is critical to the correct operation of BMC Database Automation, because the Agents and Manager need reliable access to each other in order to launch jobs and properly collect status. While it is possible to have geographically disparate Agents connecting to a central Manager, BMC recommends that architects review the Sizing and scalability (see page 100) guides for minimum performance requirements for the network connectivity.

          The type of connections between the Agents and Manager are bidirectional. The Agents connect to the Manager on startup and maintain an open connection, and the Manager connects out to the Agents to launch jobs. There is also a network heartbeat once a second that reports up/down status from the Agent to the Manager. Connections are made on the following ports by default:

          7003 TCP Agent->Manager
          7004 TCP Manager->Agent
          7001 UDP Manager <-> Agent

          Any firewalls between the Manager and the Agents need to have rules added to permit the traffic between these port combinations. If these ports need to be changed to accommodate the planned implementation, contact BMC Database Automation Customer Support.

          Regards,

          Barry Meehan

          • 2. Re: Bidirectional communications between manager and agent is an issue for a potential customer.
            Mark Pilz

            Hi Barry

            Thanks for your response. Yes, it is that section of the manual I was referring to. I have asked the customer for more information with regard to their policies about not allowing bidirectional comms. I would appreciate it if you would be able to ask the engineering team to confirm this or perhaps suggest another way round. Should I log a support call for this once the customer has let me know?

            Thanks


            Mark

            • 3. Re: Bidirectional communications between manager and agent is an issue for a potential customer.
              Barry Meehan

              Hi Mark,


              Let's hold off opening a support case until we hear back from the customer. I expect that once we know the exact reason why the customer does not want bi-directional communication between the manager and the agent, engineering will have a better understanding of the customer's concerns and should be able to provide an answer to address their concerns.

              For example, on page 122 of the 8.9.03 Patch 2 BDA User Guide that I sent to you previously, notice the statement below concerning the manager to agent communication, which is encrypted using SSL. In addition, it's possible to use CA (Certificate Authority) certificates rather than the self-signed certificates that are provided by default. Perhaps the customer's concern with bi-directional communication between the manager and agents is what security methods are in place.

              Page 122 of the 8.9.0 Patch 2 User Guide:

              "At a transport level, all of the communications between the management server and the agents are encrypted using SSL, with both server and client certificates being presented. This means that a malicious party cannot masquerade as an agent nor a manager, and that all of the communications are secured against third-party discovery or injections."


              Note: Starting with version 8.9.01, the SSL communication protocol is upgraded to TLSv1.2.


              Regards,


              Barry Meehan

              BMC Support

              • 4. Re: Bidirectional communications between manager and agent is an issue for a potential customer.
                Mark Pilz

                Hi Barry


                The customer feedback regarding this is as follows:


                We have a layered network design with differing levels of security.

                In a nutshell, something on an outer layer cannot initiate a connection inwards.

                Some of our DB services are at a “lower” level than others, therefore a management station in the outer layer cannot connect to them.

                If we were to put the management station at the lower level, then DB servers in the outer layers would not be able to connect to them.

                We have similar restrictions with Control M, where we're able to restrict the agent from attempting to contact the server and force a persistent connection from the server to the agent.

                I will make sure the customer is also made aware of the encryption. However, I think that there are other security principles which prevent the opening of ports on the firewall; it may not just be about the encryption.

                Thanks


                Mark
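The port table quoted from the User Guide earlier in this thread and the customer's layering rule can be checked against each other mechanically. This is an added example, not BMC's or the customer's code: the four flows and their default ports come from the quoted excerpt, while the numeric layers and the two-layer model are constructed assumptions (lower number = inner, more trusted layer).

```python
"""Check the BDA manager/agent flows against a layered-network policy.

Added example for this thread, not BMC's code. The flows and default ports
are those quoted from the BDA User Guide; the layer numbers are a constructed
model of the customer's rule (lower = inner; outer may not initiate inwards).
"""
from dataclasses import dataclass

# (port, protocol, initiator, responder) from the User Guide excerpt.
# "7001 UDP Manager <-> Agent" is modelled as one flow per initiator.
BDA_FLOWS = [
    (7003, "tcp", "agent", "manager"),
    (7004, "tcp", "manager", "agent"),
    (7001, "udp", "manager", "agent"),
    (7001, "udp", "agent", "manager"),
]


@dataclass(frozen=True)
class Blocked:
    port: int
    proto: str
    initiator: str
    src_layer: int
    dst_layer: int


def check_placement(manager_layer, agent_layer, flows=BDA_FLOWS):
    """Return the flows blocked when the initiator sits in a more outer
    layer than the responder (src_layer > dst_layer); same-layer or
    inner-to-outer initiation is permitted."""
    layer = {"manager": manager_layer, "agent": agent_layer}
    return [Blocked(port, proto, src, layer[src], layer[dst])
            for port, proto, src, dst in flows if layer[src] > layer[dst]]


def evaluate_single_manager(manager_layer, agent_layers):
    """Map each agent layer to the flows a single central manager would lose."""
    return {al: check_placement(manager_layer, al) for al in agent_layers}


if __name__ == "__main__":
    INNER, OUTER = 1, 2  # constructed two-layer model of the customer's network
    for mgr in (INNER, OUTER):
        print(f"manager in layer {mgr}:")
        for al, blocked in evaluate_single_manager(mgr, [INNER, OUTER]).items():
            detail = ", ".join(f"{b.port}/{b.proto} {b.initiator}-initiated"
                               for b in blocked) or "all flows permitted"
            print(f"  agents in layer {al}: {detail}")
```

Whichever layer holds the single manager, the agents in the other layer lose the flows that layer is not allowed to initiate; only a manager in the same layer as its agents passes every flow.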

                • 5. Re: Bidirectional communications between manager and agent is an issue for a potential customer.
                  Barry Meehan

                  Hi Mark,


                  Thanks for the additional details from the customer's environment. I'll run this by our engineering team and let you know what they have to say.


                  Regards,


                  Barry Meehan

                  BMC BDA Technical Support

                  • 6. Re: Bidirectional communications between manager and agent is an issue for a potential customer.
                    Barry Meehan

                    Hi Mark,

                    Here is the initial response from engineering. It appears that engineering will need some time to investigate the request further. Do you mind opening a support ticket in order to track the progress with engineering? When you open the ticket, please select the "Geo/Region" as "Americas" and request that the case be assigned to "Barry Meehan". Once the support ticket is open, I can keep you updated via the case.

                    From Engineering:

                    To understand the user stories and restrictions we currently have (explained below), let's keep in mind the agent's workflow, which is built around two connections to the manager:

                    1) A UDP connection, used, for example, to notify the manager of the agent's state.
                    2) A SOAP TCP connection, used to push ZIP data, run programs on the agent's side, etc., mostly via SSL.

                    When the agent is started, it parses the etc/dagent.conf file and gets the value of the 'manager_vip' field. The manager's hostname should be used for the SSL connection. So the agent gets the manager's hostname, starts sending UDP requests to the manager saying "hi, I'm alive" (this helps to know the agent's health status), and then sets up the SOAP TCP connection.

                    Note: It is early for engineering to comment on whether BDA supports communication on a directional socket instead of a bi-directional one without looking into the core logic of the product. It might need some engineering research.

                    Regards,


                    Barry Meehan

                    BDA Technical Support

                    • 7. Re: Bidirectional communications between manager and agent is an issue for a potential customer.
                      Mark Pilz

                      Hi Barry.


                      Many thanks for your time and assistance. I will open a call as requested.


                      Kind Regards


                      Mark Pilz

                      Email: markp@blueturtle.co.za | Mobile: +27 (0)82 880 8770
                      Tel: (011) 206 5600 | www.blueturtle.co.za | LinkedIn: https://www.linkedin.com/company/blue-turtle-technologies?trk=company_logo

                      • 8. Re: Bidirectional communications between manager and agent is an issue for a potential customer.
                        Barry Meehan

                        Hi Mark,


                        Engineering has reviewed the requirement and there is no solution or way to fully restrict bidirectional communication between the manager and agent. However, you may want to consider using satellite managers deployed on each network layer (one satellite manager in outer layer and one in the inner/lower layer) per the attached network diagram. In this way the agent on each of those respective network layers can communicate with the satellite manager in the same network layer. Please note that the satellite manager still needs a way to have unidirectional communication which engineering believes would be easy to configure and monitor.

                        More details on the satellite manager deployment model are explained in the link below:

                        https://docs.bmc.com/docs/bda89/multi-manager-configuration-842991322.html

                        Regards,


                        Barry Meehan

                        BDA Technical Support

                        • 9. Re: Bidirectional communications between manager and agent is an issue for a potential customer.
                          Mark Pilz

                          Hi Barry


                          Thank you for the feedback. We are currently only running a trial and have decided to review the architecture should the customer buy. The trial is currently using servers and databases that are reachable using the product design. So I think that request can be shelved.

                          Thank you for your help.

                          • 10. Re: Bidirectional communications between manager and agent is an issue for a potential customer.
                            Barry Meehan

                            Hi Mark,


                            Thanks for the update. If you need anything further in regards to this request, please let me know.


                            Regards,


                            Barry Meehan

                            BDA Technical Support