DSXchange: DataStage and IBM Websphere Data Integration Forum
qt_ky



Posted: Wed Aug 23, 2017 7:20 am

DataStage® Release: 11x
Job Type: Parallel
OS: Unix
Additional info: 11.5.0.x
An 11.5.0.1 client (Designer) is allowed to log into the 11.5.0.2 (with Service Pack 1) server with no warnings or errors provided. Is there a way to enforce that client versions must match the server version?

A couple reasons I am asking:

1. A client-tier security patch is required to avoid a vulnerability. If someone reinstalls a fresh client without the patch, we need to disallow connections from such unpatched clients. We actually ran into this back on version 8.7.

2. Even further back in the days of 7.5.1, 7.5.1A, and 7.5.1B, we ran into a client-tier situation involving the pre-compile step that somehow made differences at runtime with a job working successfully or not. It's been so long ago I forget if the version difference resulted in an aborted job or a job that produced incorrect results. In any case, the client version made a HUGE difference.

_________________
Choose a job you love, and you will never have to work a day in your life. - Confucius
PaulVL



Posted: Wed Aug 23, 2017 8:55 am

I suspect this is an IBM question and not one that can be answered by the unwashed masses.
chulett

Posted: Wed Aug 23, 2017 9:17 am

Agreed.

And dang, I remember dealing with #2 back in the day. Specifically, a client patch that corrected a sequence job compilation issue... compile without the patch, job no workie, with the patch the generated code (which I think had something to do with looping) actually worked. Had to put an annotation on the canvas to that effect.

_________________
-craig

Dr. Frankenstein entered a bodybuilding competition and discovered he had seriously misunderstood the objective.
qt_ky

Posted: Wed Aug 23, 2017 10:32 am

Right-o!

I was hoping someone on the bleeding edge had already crossed this path recently, or if there is already a known way in an older version then I would be happy to test it on 11.5.0.2+SP1.

_________________
Choose a job you love, and you will never have to work a day in your life. - Confucius
qt_ky

Posted: Fri Sep 22, 2017 6:32 am

I have opened a PMR to inquire.

_________________
Choose a job you love, and you will never have to work a day in your life. - Confucius
ray.wurlod

Posted: Fri Sep 22, 2017 6:15 pm

You can use the dsrpcservices file to specify which clients can connect. The default is * (all clients).

_________________
RXP Services Ltd
Melbourne | Canberra | Sydney | Hong Kong | Hobart | Brisbane
currently hiring: Canberra, Sydney and Melbourne
qt_ky

Posted: Mon Sep 25, 2017 7:23 am

I will look into that. Thanks!

_________________
Choose a job you love, and you will never have to work a day in your life. - Confucius
qt_ky

Posted: Tue Sep 26, 2017 11:45 am

Is the dsrpcservices file documented anywhere? It's a one-liner with no comments:

Code:
dscs /opt/IBM/InformationServer/Server/DSEngine/bin/dsapi_server * TCP/IP 0 0


How would one limit clients--based on computer name, IP address, or other?

_________________
Choose a job you love, and you will never have to work a day in your life. - Confucius
ray.wurlod

Posted: Tue Sep 26, 2017 1:00 pm

Field 1 is dscs (DataStage common service).
Field 2 is the pathname of the dsapi_server executable.
Field 3 is a comma-delimited list of IP addresses from which connection requests can be accepted.
...

_________________
RXP Services Ltd
Melbourne | Canberra | Sydney | Hong Kong | Hobart | Brisbane
currently hiring: Canberra, Sydney and Melbourne
qt_ky

Posted: Tue Sep 26, 2017 2:31 pm

Thank you for the tips! I had searched the Support Portal, Knowledge Center, and DSXchange and come up empty.

Field 5 - no idea.

Field 6 - I found it corresponds with the DS Administrator's Inactivity timeout value.

Would the idea behind using the dsrpcservices file be to block people out until ensuring their client has the correct version, fix pack, service pack, and patch level?

If so, I suppose that would be similar to revoking suite security roles through the web console, and restoring them one at a time to each user once their levels were verified.

Unless I am missing something, it sounds like the bottom line is that we have to implement a process in order to enforce version-matching. It cannot be enforced by the software itself. IBM Support was suggesting entering an enhancement request.

_________________
Choose a job you love, and you will never have to work a day in your life. - Confucius
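
Added example (not from the thread's posters or from IBM): a small Python audit that parses a dsrpcservices entry using the field layout described in the thread and reports whether field 3 is still the * default or an explicit IP list. The sample lines and addresses are constructed, whitespace-separated fields are an assumption taken from the one-liner shown above, and fields 4 to 6 are left uninterpreted.

```python
import ipaddress

# Constructed sample entries in the six-field layout quoted in the thread.
# 192.0.2.x addresses and "designer-pc" are placeholders, not real clients.
SAMPLE = """\
dscs /opt/IBM/InformationServer/Server/DSEngine/bin/dsapi_server * TCP/IP 0 0
dscs /opt/IBM/InformationServer/Server/DSEngine/bin/dsapi_server 192.0.2.10,192.0.2.11 TCP/IP 0 0
dscs /opt/IBM/InformationServer/Server/DSEngine/bin/dsapi_server 192.0.2.10,designer-pc TCP/IP 0 0
"""


def audit_line(line):
    """Return (status, detail) for one dsrpcservices entry."""
    fields = line.split()  # assumption: fields are whitespace-separated
    if len(fields) != 6:
        return ("malformed", f"expected 6 fields, got {len(fields)}")
    service, allowed = fields[0], fields[2]  # fields 4-6 are not interpreted
    if allowed == "*":
        return ("open", f"{service}: any client address may connect")
    good, bad = [], []
    for entry in allowed.split(","):
        try:
            good.append(str(ipaddress.ip_address(entry)))
        except ValueError:
            # The thread only documents IP addresses for field 3,
            # so anything else is flagged for manual review.
            bad.append(entry)
    if bad:
        return ("review", f"{service}: not IP addresses: {', '.join(bad)}")
    return ("restricted", f"{service}: {len(good)} allowed: {', '.join(good)}")


def audit(text):
    """Audit every non-blank line; returns a list of (status, detail)."""
    return [audit_line(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for status, detail in audit(SAMPLE):
        print(f"{status:10} {detail}")
```

As the last post concludes, an address list in field 3 only limits where connections come from; it does not check the client's version or patch level.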
All times are GMT - 6 Hours