
IBM InfoSphere Data Replication

Change Data Capture


Configuration with a Firewall

© 2014 IBM Corporation


Configuring CDC in a firewalled network environment

▪ Connections established by CDC that must be considered:
– Management Console to Access Server
– Access Server to CDC engines (datastores)
– CDC source engine to CDC target engine (subscription)

▪ Two types of firewall configuration are supported:
– Dynamic source ports configuration
• Firewall blocks or passes traffic regardless of its source port
• Source port is dynamic (can be anything)
• Target port must be fixed
– Static source ports configuration
• Firewall will only pass traffic coming from a certain port
• Source port must be within a range
• Target port must be fixed
• Firewalls with static source ports are very rarely seen in the field



Notations used in diagrams

A → B          Connection(s) from A to B, initiated by A
               (the connection may have bi-directional traffic)

A →(2) B       2 connections from A to B are established

*:10101        Connection (socket) source port=any
               Connection (socket) target port=10101

3101+:10101    First connection (socket) source port is 3101,
               subsequent connection source port is 3102, etc.
               Connection (socket) target port=10101



CDC Network (Firewall configured with dynamic source ports)
▪ This is an example of the most common firewall configuration, shown with Oracle to DB2 replication.
▪ When a CDC component sets up a connection to another component, the TCP/IP stack dynamically assigns a source port (*) for the socket. The target (destination) port is always the port configured for the target CDC engine.
▪ The firewall needs to be configured to allow traffic from any source port to the configured target port.

[Diagram: CDC network with dynamic source ports]
Components: Management Console and CHCCLP; Access Server, Port 10101 (customizable); CDC Source with CDC Engine, Port 11001 (customizable), and Oracle, Port 1521; CDC Target with CDC Engine, Port 10901 (customizable), and DB2, Port 50000.
Connection labels: *:10101 with (2 + # of datastores), shown twice; *:10901 with (2 + 2 * # of subscriptions); *:1521 or local connection; *:50000 or local connection.



Dynamic source ports Example 1

Component              IP Address      Inbound
Management Console 1   192.168.239.3   -
Access Server          192.168.239.4   10101
Source DataStore       192.168.239.5   11001
Target DataStore       192.168.239.6   10901
Number of subscriptions: 1

Management Console → Access Server
2 + # of datastores = 2 + 2 = 4 connections
tcp 0 0 ::ffff:192.168.239.4:10101 ::ffff:192.168.239.3:49166 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.4:10101 ::ffff:192.168.239.3:49165 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.4:10101 ::ffff:192.168.239.3:49167 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.4:10101 ::ffff:192.168.239.3:49179 ESTABLISHED

Access Server → Source Datastore
2 + # of MCs = 2 + 1 = 3 connections
tcp 0 0 ::ffff:192.168.239.5:11001 ::ffff:192.168.239.4:15385 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.5:11001 ::ffff:192.168.239.4:39573 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.5:11001 ::ffff:192.168.239.4:64537 ESTABLISHED

Access Server → Target Datastore
2 + # of MCs = 2 + 1 = 3 connections
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.4:45220 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.4:59382 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.4:33754 ESTABLISHED

Source Datastore → Target Datastore
2 + 2 * # of subscriptions = 2 + 2 * 1 = 4 connections
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:31403 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:38477 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:51452 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:14466 ESTABLISHED



Dynamic source ports Example 2

Component              IP Address      Inbound
Management Console 1   192.168.239.3   -
Management Console 2   192.168.239.1   -
Access Server          192.168.239.4   10101
Source DataStore       192.168.239.5   11001
Target DataStore       192.168.239.6   10901
Number of subscriptions: 3

Management Console → Access Server
2 + # of datastores = 2 + 2 = 4 connections for each MC
Total 8 connections from MCs
tcp 0 0 ::ffff:192.168.239.4:10101 ::ffff:192.168.239.1:63709 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.4:10101 ::ffff:192.168.239.1:63710 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.4:10101 ::ffff:192.168.239.1:63712 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.4:10101 ::ffff:192.168.239.1:63713 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.4:10101 ::ffff:192.168.239.3:49165 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.4:10101 ::ffff:192.168.239.3:49166 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.4:10101 ::ffff:192.168.239.3:49167 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.4:10101 ::ffff:192.168.239.3:49179 ESTABLISHED

Access Server → Source Datastore
2 + # of MCs = 2 + 2 = 4 connections
tcp 0 0 ::ffff:192.168.239.5:11001 ::ffff:192.168.239.4:15385 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.5:11001 ::ffff:192.168.239.4:31642 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.5:11001 ::ffff:192.168.239.4:39573 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.5:11001 ::ffff:192.168.239.4:64537 ESTABLISHED

Access Server → Target Datastore
2 + # of MCs = 2 + 2 = 4 connections
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.4:45220 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.4:39255 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.4:59382 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.4:33754 ESTABLISHED

Source DataStore → Target DataStore
2 + 2 * # of subscriptions = 2 + 2 * 3 = 8 connections
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:31403 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:38477 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:31855 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:55985 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:21834 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:51452 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:13752 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:14466 ESTABLISHED



Default TCP Listener Port of each CDC component
▪ The following are the DEFAULT values of the TCP listener port (target port) for each CDC component
▪ The listener port is customizable for all CDC components
▪ For LUW engines, the listener port is specified using dmconfigurets
▪ CDC for z/OS also requires a TCP listener port but does not provide a default value

Component                 Default Listener Port
Access Server             10101
CDC for DB2               10901
CDC for Oracle            11001
CDC for Netezza           10301
CDC for FlexRep (JDBC)    11401
CDC for DataStage         10401
CDC for MS SQL Server     10501
CDC for Informix          10201
CDC for DB2 for i         11111
CDC for Sybase            10301
CDC for Teradata          10701

CDC Network (Firewall configured with static source ports)
▪ When a CDC component sets up a connection to another component, it uses the next available port in the range that was specified (the starting port is configurable per component).
▪ The firewall needs to be configured to allow traffic from a range of source ports to the configured target port. The target (destination) port is always the port configured for the target CDC engine.

[Diagram: CDC network with static source ports]
Components: Management Console and CHCCLP; Access Server, Port 10101 (customizable); CDC Source with CDC Engine, Port 11001 (customizable), and Oracle, Port 1521; CDC Target with CDC Engine, Port 10901 (customizable), and DB2, Port 50000.
Connection labels: 30001+:10101 with (2 + # of datastores), shown twice; 31001+:10901 with (6 * # of subscriptions); *:1521 or local connection; *:50000 or local connection.



Static source port configuration for Management Console
▪ From MC, go to Edit Preferences, specify the firewall starting port and number of connections (ports).

▪ The specified range of ports will be used as the source ports for any outbound connections to Access Server.



Static source port configuration for Access Server
▪ Change dmaccessserver.vmargs in the <Access_Server_Home>/conf directory to hold the following entry:
-jar lib/server.jar local_port:<first_port> local_port_count:<number_available_ports> <Access_Server_listener_port>

▪ The range of local_port_count ports starting at local_port is used as the source port range for any outbound connections to all datastores. This range is shared across all datastores (a port is not reused for a different datastore).

▪ If you change this entry, you must restart the Access Server.
▪ Examples
UNIX/LINUX : -jar lib/server.jar local_port:30501 local_port_count:50 10101
WINDOWS : -jar lib\server.jar local_port:30501 local_port_count:50 10101



Static source port configuration for CDC Instance (DataStore)
▪ For each subscription, go to Properties → Advanced Setting
▪ Specify the starting source port that will be used to establish a connection
▪ The starting port of each subscription must be unique and must leave room for a range of 6 ports within each source-target datastore combination
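
Added example (not from the IBM slides): a Python check that sizes each static source port range from the connection counts given on these slides, rejects overlapping 6-port subscription ranges, and lists the source-range to target-port rules the firewall needs. The data layout, the function names and the Management Console port count of 10 are assumptions; addresses and ports are those of "Static source ports Example 2".

```python
from collections import defaultdict, namedtuple

PORTS_PER_SUBSCRIPTION = 6  # the slides require a range of 6 per subscription
Rule = namedtuple("Rule", "src_ip sport_first sport_last dst_ip dport")


def mc_ports_needed(n_datastores):
    return 2 + n_datastores  # Management Console -> Access Server


def access_server_ports_needed(n_mcs, n_datastores):
    # 2 + # of MCs connections per datastore, one range shared by all datastores
    return n_datastores * (2 + n_mcs)


def subscription_clashes(subscriptions):
    """Neighbouring subscriptions on one source/target pair whose 6-port ranges overlap."""
    by_pair = defaultdict(list)
    for name, (src, dst, start) in subscriptions.items():
        by_pair[(src, dst)].append((start, name))
    clashes = []
    for subs in by_pair.values():
        subs.sort()
        for (p1, n1), (p2, n2) in zip(subs, subs[1:]):
            if p2 < p1 + PORTS_PER_SUBSCRIPTION:
                clashes.append((n1, n2))
    return clashes


def build_rules(mcs, access_server, datastores, subscriptions):
    """Validate the plan, then return the source-range -> target-port rules it implies."""
    as_ip, as_listen, as_first, as_count = access_server
    mc_need = mc_ports_needed(len(datastores))
    for ip, (_, count) in mcs.items():
        if count < mc_need:
            raise ValueError(f"MC {ip}: {count} ports, needs at least {mc_need}")
    as_need = access_server_ports_needed(len(mcs), len(datastores))
    if as_count < as_need:
        raise ValueError(f"Access Server: local_port_count {as_count} < {as_need}")
    clashes = subscription_clashes(subscriptions)
    if clashes:
        raise ValueError(f"overlapping subscription port ranges: {clashes}")
    rules = [Rule(ip, first, first + count - 1, as_ip, as_listen)
             for ip, (first, count) in mcs.items()]
    rules += [Rule(as_ip, as_first, as_first + as_count - 1, ip, port)
              for ip, port in datastores.values()]
    rules += [Rule(datastores[src][0], start, start + PORTS_PER_SUBSCRIPTION - 1,
                   *datastores[dst]) for src, dst, start in subscriptions.values()]
    return rules


# Constructed plan using the addresses and ports of "Static source ports Example 2".
# The Management Console port count (10) is an assumption; the slides do not give it.
MCS = {"192.168.239.3": (30001, 10), "192.168.239.1": (30001, 10)}
ACCESS_SERVER = ("192.168.239.4", 10101, 30501, 50)  # ip, listener, local_port, count
DATASTORES = {"source": ("192.168.239.5", 11001), "target": ("192.168.239.6", 10901)}
SUBSCRIPTIONS = {"sub1": ("source", "target", 31001),
                 "sub2": ("source", "target", 32001),
                 "sub3": ("source", "target", 33001)}

if __name__ == "__main__":
    for r in build_rules(MCS, ACCESS_SERVER, DATASTORES, SUBSCRIPTIONS):
        print(f"allow tcp {r.src_ip}:{r.sport_first}-{r.sport_last} -> {r.dst_ip}:{r.dport}")
```

The computed minimums are exact requirements; the troubleshooting slide on outbound port ranges explains why the configured ranges should be larger.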



Static source ports Example 1

Component              IP Address      Inbound   Outbound
Management Console 1   192.168.239.3   -         30001+
Access Server          192.168.239.4   10101     30501+
Source Datastore       192.168.239.5   11001     -
Target Datastore       192.168.239.6   10901     -
Subscription 1         -               -         31001+

Management Console → Access Server
2 + # of datastores = 2 + 2 = 4 connections
tcp 0 0 ::ffff:192.168.239.4:10101 ::ffff:192.168.239.3:30001 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.4:10101 ::ffff:192.168.239.3:30002 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.4:10101 ::ffff:192.168.239.3:30003 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.4:10101 ::ffff:192.168.239.3:30004 ESTABLISHED

Access Server → Source Datastore
2 + # of MCs = 2 + 1 = 3 connections
tcp 0 0 ::ffff:192.168.239.5:11001 ::ffff:192.168.239.4:30501 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.5:11001 ::ffff:192.168.239.4:30518 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.5:11001 ::ffff:192.168.239.4:30519 ESTABLISHED

Access Server → Target Datastore
2 + # of MCs = 2 + 1 = 3 connections
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.4:30502 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.4:30520 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.4:30521 ESTABLISHED

Source Datastore → Target Datastore
6 * # of subscriptions = 6 * 1 = 6 connections
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:31001 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:31002 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:31003 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:31004 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:31005 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:31006 ESTABLISHED



Static source ports Example 2

Component              IP Address      Inbound   Outbound
Management Console 1   192.168.239.3   -         30001+
Management Console 2   192.168.239.1   -         30001+
Access Server          192.168.239.4   10101     30501+
Source Datastore       192.168.239.5   11001     -
Target Datastore       192.168.239.6   10901     -
Subscription 1         -               -         31001+
Subscription 2         -               -         32001+
Subscription 3         -               -         33001+

Management Console → Access Server
2 + # of datastores = 2 + 2 = 4 connections for each MC
Total 8 connections from MCs
tcp 0 0 ::ffff:192.168.239.4:10101 ::ffff:192.168.239.1:30001 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.4:10101 ::ffff:192.168.239.1:30002 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.4:10101 ::ffff:192.168.239.1:30003 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.4:10101 ::ffff:192.168.239.1:30004 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.4:10101 ::ffff:192.168.239.3:30001 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.4:10101 ::ffff:192.168.239.3:30002 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.4:10101 ::ffff:192.168.239.3:30003 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.4:10101 ::ffff:192.168.239.3:30004 ESTABLISHED

Access Server → Source Datastore
2 + # of MCs = 2 + 2 = 4 connections
tcp 0 0 ::ffff:192.168.239.5:11001 ::ffff:192.168.239.4:30501 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.5:11001 ::ffff:192.168.239.4:30503 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.5:11001 ::ffff:192.168.239.4:30518 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.5:11001 ::ffff:192.168.239.4:30519 ESTABLISHED

Access Server → Target Datastore
2 + # of MCs = 2 + 2 = 4 connections
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.4:30502 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.4:30504 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.4:30520 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.4:30521 ESTABLISHED



Static source ports Example 2 - Continue

Source Datastore → Target Datastore
6 * # of subscriptions = 6 * 3 = 18 connections
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:31001 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:31002 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:31003 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:31004 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:31005 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:31006 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:32001 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:32002 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:32003 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:32004 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:32005 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:32006 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:33001 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:33002 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:33003 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:33004 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:33005 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:33006 ESTABLISHED
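
Added example (not part of the original slides): a Python audit of netstat output in the format of the listings above. It compares the number of ESTABLISHED connections per flow with the count the formulas predict and flags source ports outside the permitted static range. The function names, the Access Server port count of 50 and the line with source port 45012 are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# netstat lines as shown on the slides: listener first, then the connecting peer.
LINE = re.compile(r"tcp\s+\d+\s+\d+\s+(?:::ffff:)?([\d.]+):(\d+)\s+"
                  r"(?:::ffff:)?([\d.]+):(\d+)\s+ESTABLISHED")


def subscription_connections(n_subscriptions, static_source_ports):
    """Source -> target datastore connection count, per the formulas on the slides."""
    if static_source_ports:
        return 6 * n_subscriptions
    return 2 + 2 * n_subscriptions


def parse_flows(netstat_text):
    """Map (peer_ip, listener_ip, listener_port) -> list of peer source ports."""
    flows = defaultdict(list)
    for line in netstat_text.splitlines():
        m = LINE.search(line)
        if m:
            l_ip, l_port, p_ip, p_port = m.groups()
            flows[(p_ip, l_ip, int(l_port))].append(int(p_port))
    return flows


def audit(netstat_text, expected, allowed=None):
    """Return findings: wrong counts, unknown peers, source ports outside their range."""
    allowed = allowed or {}
    flows = parse_flows(netstat_text)
    findings = []
    for flow, ports in flows.items():
        if flow not in expected:
            findings.append(f"unexpected flow {flow}: {len(ports)} connection(s)")
            continue
        if len(ports) != expected[flow]:
            findings.append(f"{flow}: {len(ports)} connections, expected {expected[flow]}")
        lo, hi = allowed.get(flow, (0, 65535))
        findings += [f"{flow}: source port {p} outside {lo}-{hi}" for p in ports
                     if not lo <= p <= hi]
    findings += [f"{flow}: no connections, expected {n}"
                 for flow, n in expected.items() if flow not in flows]
    return findings


# Listing taken from "Static source ports Example 1" (target datastore side).
SAMPLE = """\
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.4:30502 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.4:30520 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.4:30521 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:31001 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:31002 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:31003 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:31004 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:31005 ESTABLISHED
tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:31006 ESTABLISHED
"""
# Constructed line, not from the slides: a seventh connection from an unplanned port.
EXTRA = "tcp 0 0 ::ffff:192.168.239.6:10901 ::ffff:192.168.239.5:45012 ESTABLISHED\n"

TARGET = ("192.168.239.6", 10901)
EXPECTED = {("192.168.239.4", *TARGET): 2 + 1,  # 2 + # of MCs
            ("192.168.239.5", *TARGET): subscription_connections(1, True)}
ALLOWED = {("192.168.239.4", *TARGET): (30501, 30550),  # 30501+, count 50 assumed
           ("192.168.239.5", *TARGET): (31001, 31006)}  # subscription 1 starts at 31001

if __name__ == "__main__":
    print(audit(SAMPLE, EXPECTED, ALLOWED))
    print("\n".join(audit(SAMPLE + EXTRA, EXPECTED, ALLOWED)))
```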



CDC in a firewall best practices and troubleshooting

▪ Make sure you install a current CDC Management Console

▪ To check if a firewall is blocking the connection from the source server
– Start a command prompt on your source server
– Enter: telnet <Host_or_IP_of_target_CDC_server> <CDC_Port>
– Example: telnet 9.26.112.99 10501
– Result should be something similar to the following
• If no connection is established (refused or otherwise), there is either a routing issue or a firewall still blocking the CDC port
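
Added example, not from the original slides: the same reachability check done in Python instead of telnet, which also lets the probe leave from a fixed source port so that a static source port rule can be exercised. The function names are assumptions. A result of "timeout" means nothing answered (dropped packets or no route), "refused" means a reset came back.

```python
import errno
import socket


def probe(host, port, source_port=0, timeout=3.0):
    """Try one TCP connection, optionally from a fixed source port.

    Returns "open", "refused" (a reset came back), "timeout" (no answer at all)
    or "error: <errno name>" for anything else, e.g. a source port already in use.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        if source_port:
            # Allow binding a source port that still has an old socket in TIME_WAIT
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind(("", source_port))
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return f"error: {errno.errorcode.get(exc.errno, exc.errno)}"
    finally:
        s.close()


def probe_range(host, port, first_source_port, count, timeout=3.0):
    """Probe once from every source port of a static range; map source port -> result."""
    return {sp: probe(host, port, sp, timeout)
            for sp in range(first_source_port, first_source_port + count)}


if __name__ == "__main__":
    # Address and port from the telnet example on the slide.
    print(probe("9.26.112.99", 10501))
```

Run probe_range from the source server while the CDC component that owns those source ports is stopped, otherwise the ports are reported as in use.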



CDC in a firewall best practices and troubleshooting

▪ Range of outbound ports: it is recommended to assign more than the exact requirement
– Generally, a TCP/IP connection takes time to be fully released
– You can encounter a connection problem during an immediate reconnect after a disconnect
– To avoid such a problem, increase the range of outbound ports or wait long enough before reconnecting; how long depends on the TCP timeout configuration of your system.
TCP 192.168.239.1:30001 192.168.239.4:10101 TIME_WAIT
TCP 192.168.239.1:30002 192.168.239.4:10101 TIME_WAIT
TCP 192.168.239.1:30003 192.168.239.4:10101 TIME_WAIT
TCP 192.168.239.1:30004 192.168.239.4:10101 TIME_WAIT
