DSXchange

An 11.5.0.1 client (Designer) is allowed to log into the 11.5.0.2 (with Service Pack 1) server with no warnings or errors provided. Is there a way to enforce that client versions must match the server version?

A couple reasons I am asking:

1. A client-tier security patch is required to avoid a vulnerability. If someone reinstalls a fresh client without the patch, we need to disallow connections from such unpatched clients. We actually ran into this back on version 8.7.

2. Even further back in the days of 7.5.1, 7.5.1A, and 7.5.1B, we ran into a client-tier situation involving the pre-compile step that somehow made differences as runtime with a job working successfully or not. It's been so long ago I forget if the version difference resulted in an aborted job or a job that produced incorrect results. In any case, the client version made a HUGE difference.

I suspect this is an IBM question and not one that can be answered by the unwashed masses.

Agreed.

And dang, I remember dealing with #2 back in the day. Specifically, a client patch that corrected a sequence job compilation issue... compile without the patch, job no workie, with the patch the generated code (which I think had something to do with looping) actually worked. Had to put an annotation on the canvas to that effect.

Right-o!

I was hoping someone on the bleeding edge had already crossed this path recently, or if there is already a known way in an older version then I would be happy to test it on 11.5.0.2+SP1.

I have opened a PMR to inquire.

You can use the dsrpcservices file to specify which clients can connect. The default is * (all clients).

I will look into that. Thanks!

Is the dsrpcservices file documented anywhere? It's a one-liner with no comments:
How would one limit clients--based on computer name, IP address, or other?

Field 1 is dscs (DataStage common service)
Field 2 is the pathname of the dsapi_server executable.
Field 3 is a comma-delimited list of IP addresses from which connection requests can be accepted.
Field 4 is the network protocol to be used (always TCP/IP)

I can't recall what fields 5 and 6 do, and am not presently in a position to research these. The file used to be documented in the DataStage Administrator course; I'm not sure if it still is.

Thank you for the tips! I had searched the Support Portal, Knowledge Center, and DSXchange and come up empty.

Field 5 - no idea.

Field 6 - I found it corresponds with the DS Administrator's Inactivity timeout value.

Would the idea behind using the dsrpcservices file be to block people out until ensuring their client has the correct version, fix pack, service pack, and patch level?

If so, I suppose that would be similar to revoking suite security roles through the web console, and restoring them one at a time to each user once their levels were verified.

Unless I am missing something, it sounds like the bottom-line is that we have to implement a process in order to enforce version-matching. It cannot be enforced by the software itself. IBM Support was suggesting entering an enhancement request.