Turning on Firewall Secure Features and Setting Variables

To run the ACSLS server behind a firewall, and optionally the ACSLS client behind a firewall as well, set variables on the ACSLS server and on each client system that is behind a firewall. These variables restrict incoming communication to a single fixed TCP port and, optionally, remove the need to expose the portmapper (port 111) through the firewall.

ACSLS Variables

CSI_TCP_RPCSERVICE - Enable CSI support for RPC using the TCP protocol.

  • Function: Enables the CSI to operate as a TCP RPC Server. If any clients want to communicate with ACSLS over TCP, set this option to TRUE.

  • Valid Options: TRUE or FALSE (TRUE is the default.)

    • TRUE enables TCP access for clients to the CSI.

    • FALSE disables TCP access for clients to the CSI.

  • Other Details: The ACSLS product must be restarted for this option to take effect.

CSI_UDP_RPCSERVICE - Enable CSI support for RPC using the UDP protocol.

  • Function: Selecting this option enables the CSI to operate as a UDP RPC Server. If any clients want to communicate with ACSLS over UDP, set this option to TRUE.

  • Valid Options: TRUE or FALSE (FALSE is recommended.)

    • TRUE enables UDP access for clients to the CSI.

    • FALSE disables UDP access for clients to the CSI.

  • Other Details: The ACSLS product must be restarted for this option to take effect. The firewall-secure CSI is only supported for TCP communications. Set CSI_UDP_RPCSERVICE to FALSE, unless you have legacy client applications inside the firewall with the ACSLS server.

CSI_USE_PORTMAPPER – Enable the portmapper.

  • Function: Selecting this option causes the CSI to interrogate the portmapper on the client when it cannot send a response to that client (that is, when it does not already know the port on which the client's SSI accepts responses). If you do not want to allow access to the portmapper on the client, for example because the client firewall blocks port 111, set this option to NEVER.

  • Valid Options: ALWAYS, NEVER, or IF_DUAL_LAN_NOT_ENABLED

    • ALWAYS means that the portmapper should always be interrogated when the CSI cannot send a response to a client.

    • NEVER means that the portmapper should never be interrogated when the CSI cannot send a response to a client. This option should be selected if clients do not support a port mapper.

    • IF_DUAL_LAN_NOT_ENABLED specifies that the portmapper should be interrogated only if dual LAN support has not been enabled. If dual LAN support has been enabled, then it is assumed that clients do not support a port mapper. IF_DUAL_LAN_NOT_ENABLED is the default for backward compatibility.

  • Other Details: The ACSLS product must be restarted for this option to take effect.

CSI_FIREWALL_SECURE - Enable the CSI to be used behind a firewall (with a user-defined inbound port).

  • Function: This option enables the ACSLS server to operate behind a secured firewall. Specify the inbound port used by the ACSLS and limit access to a single port. Configure the firewall to reject incoming ACSLS traffic on all but that port. This ensures that only that port is exposed for use by those outside clients wanting to initiate communications with ACSLS.

    To restrict port access, complete the following steps to set up the secure firewall for a specified port:

    • Set this option to TRUE.

    • Specify the port to be used by the CSI on which incoming ACSLS requests are allowed. (Specified by CSI_INET_PORT.)

    • For some legacy client applications that do not support fixed port RPC, opening UDP/TCP port 111 in the firewall may be required to support portmapper query requests from the client.

    • The firewall-secure CSI is only supported for TCP communications.

      Set CSI_UDP_RPCSERVICE to FALSE unless you have legacy client applications inside the firewall with the ACSLS server.

    • Configure the firewall behind which the ACSLS server resides to allow external clients to initiate and receive communications on the previously specified port. Also configure the client application's fixed server port (CSI_HOSTPORT) to the same value, so that the client does not need the portmapper and the number of open firewall ports stays minimal.

    • Restart ACSLS.

  • Valid Options: TRUE or FALSE (Default is TRUE)

    • TRUE – Restrict access to the ACSLS server to only use a single port for incoming requests from clients.

    • FALSE – Do not restrict ports used for client requests to the ACSLS server.

  • Other Details: The ACSLS product must be restarted for this option to take effect.

CSI_INET_PORT - Port number used by the CSI to receive incoming ACSLS requests.

  • Function: This option specifies the port used by the CSI for incoming TCP requests from clients.

  • Valid Options: A number between 1024 and 65535, but not 50003. (Default is 30031)

  • Other Details: The ACSLS product must be restarted for this option to take effect. This variable is only used when the firewall-secure CSI is enabled, that is, when CSI_FIREWALL_SECURE is set to TRUE.

Displaying and Setting ACSLS Variables

Use the ACSLS acsss_config utility or the dv_config utility to display and set the ACSLS static and dynamic variables:

  • dv_config -d

    Displays all of the ACSLS static and dynamic variables and their settings.

  • dv_config -p <variable_name> -u

    Prompts you to change a variable, and, if it is a dynamic variable, update ACSLS global shared memory. Enter ? at the prompt to see a full description of the variable. After the full description is displayed, you will be prompted again.

ACSAPI Client System Variables

The ACSLS client system must be built with ACSLS CSC Toolkit 2.3 or a later release for Firewall-Secure Operation to be available on the client system.

There are four environment variables to enable for firewall secure operation on the ACSLS Client. You must set these variables to specific values. Each of these variables must be set and exported to the SSI's environment before the SSI process is started. They are then interpreted and used by the SSI, as indicated below.

If your CSC uses a script to start up the SSI, it is recommended that you set and export these variables from within that script. Additionally, Client developers may have provided a method for the end-customer to configure them appropriately, based on the CSC and the environment in which it runs.

CSI_UDP_RPCSERVICE – Determines whether UDP is used for network communications.

  • Function: Enables/disables use of UDP as the underlying network transport layer for SSI network communications.

  • Valid Options: TRUE or FALSE

  • Other Details: This environment variable must be set to FALSE for the firewall-secure CSC. All firewall-secure ACSLS application packets are sent over the TCP network transport.

CSI_TCP_RPCSERVICE – Determines whether TCP is used for network communications.

  • Function: Enables/disables use of TCP as the underlying network transport layer for SSI network communications.

  • Valid Options: TRUE or FALSE

  • Other Details: This environment variable must be set to TRUE for the firewall-secure CSC. All firewall-secure ACSLS application packets are sent over the TCP network transport.

New Variables in CSC Toolkit 2.3

SSI_INET_PORT – Fixed port number for incoming responses.

  • Function: Specifies the port the SSI will use for incoming ACSLS responses.

  • Valid Options: 0 or 1024–65535, except 50001 and 50004.

    • 0 indicates that the previous behavior of allowing the port to be dynamically allocated should remain in effect.

    • 1024–65535 indicates that this number should be used as the TCP port on which the SSI will accept ACSLS responses.

    • DO NOT specify 50001 or 50004, as they are used by the mini_el and SSI.

  • Other Details: Setting this environment variable to a nonzero value makes the SSI use this port for incoming ACSLS responses. This means that the firewall protecting the client must allow incoming connections on that port in order for the ACSLS responses to reach the SSI. This is the only port on which ACSLS will initiate connections to the CSC's SSI.

    Note:

    This value must match the value configured in the firewall which protects the CSC platform, allowing incoming requests for connections on this port.

CSI_HOSTPORT – Eliminates queries to the portmapper on the ACSLS server. Instead, requests are sent to this port on the ACSLS server.

  • Function: Specifies the port to which the SSI will send its ACSLS requests on the ACSLS server. The ACSLS CSI must be using this port (that is, with firewall-secure fixed port set to this same value) for accepting inbound ACSLS requests from CSCs.

  • Valid Options: 0, or 1024–65535 except 50003 (a nonzero value must match the port set on the ACSLS server for inbound CSI requests, that is, CSI_INET_PORT)

    • 0 indicates that the previous behavior of querying the portmapper on the ACSLS server will continue to be used.

    • 1024–65535 is the port number the CSI on the ACSLS server uses for incoming requests.

    • DO NOT specify 50003, as it is used by acslm.

  • Other Details: Setting this environment variable to a nonzero value eliminates queries from the SSI to the ACSLS server's portmapper. The value of this variable is the port number on the ACSLS server to which the SSI sends its outgoing ACSLS requests. This permits a firewall-protected ACSLS server to block access to the portmapper at its firewall. Previously, the portmapper query provided the port number to which the SSI should direct its ACSLS requests.

    Note:

    This value must match the value of the port used by the CSI for accepting and servicing incoming requests. The firewall-secure feature must be applied to ACSLS for this port to remain reliably fixed at a specifiable value. If there is a mismatch, there will be no communication between the CSC and ACSLS.

Displaying and Setting Environmental Variables on the Client

On the client, the commands used to set environment variables depend on your shell and OS.

  • On UNIX and Linux, display an environment variable by using the following command:

    echo $<variable-name>

  • With the ksh and bash shells, set an environment variable and export it with the following two commands. Do not put spaces around the equals sign; with spaces, the shell treats the variable name as a command to run instead of assigning the value.

    <environment_variable>=<value>

    export <environment_variable>
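The following script is an added example written for this page; it is not part of ACSLS, the CSC Toolkit, or any CSC. It takes the server-side values described under "ACSLS Variables" (CSI_FIREWALL_SECURE, CSI_INET_PORT, CSI_TCP_RPCSERVICE, CSI_UDP_RPCSERVICE) and the client-side values described under "ACSAPI Client System Variables" (CSI_HOSTPORT, SSI_INET_PORT, and the client's CSI_TCP_RPCSERVICE and CSI_UDP_RPCSERVICE), checks them against the rules stated in those sections (value ranges, the reserved ports 50001, 50003 and 50004, TCP-only transport, and CSI_HOSTPORT matching the server's CSI_INET_PORT), lists the ports each firewall must allow, and then sets and exports the four client variables the way an SSI startup script would. The port values 30031 and 30032, the SRV_/CLI_ prefixes, and the function names are constructed for the example; the ACSLS and CSC variable names are the ones from this page.

```shell
#!/bin/sh
# Added example, not ACSLS or CSC Toolkit code: pre-flight consistency check for
# a firewall-secure ACSLS server and one CSC client, using the rules on this page.
# All values are constructed for illustration; only the variable names are real.

# Server side, as read with "dv_config -d" on the ACSLS host (constructed values).
SRV_CSI_FIREWALL_SECURE=TRUE
SRV_CSI_INET_PORT=30031
SRV_CSI_TCP_RPCSERVICE=TRUE
SRV_CSI_UDP_RPCSERVICE=FALSE

# Client side, the values the SSI startup script will export (constructed values).
CLI_CSI_HOSTPORT=30031        # must equal the server's CSI_INET_PORT
CLI_SSI_INET_PORT=30032       # fixed port for ACSLS -> SSI responses (assumed)
CLI_CSI_TCP_RPCSERVICE=TRUE
CLI_CSI_UDP_RPCSERVICE=FALSE

# port_ok PORT [RESERVED ...]: true if PORT is an integer in 1024-65535 and is
# none of the RESERVED ports (50003 is acslm, 50001/50004 are mini_el and SSI).
port_ok() {
    p=$1; shift
    case "$p" in ''|*[!0-9]*) return 1 ;; esac
    [ "$p" -ge 1024 ] && [ "$p" -le 65535 ] || return 1
    for r in "$@"; do [ "$p" -eq "$r" ] && return 1; done
    return 0
}

# check_pair: prints one line per violated rule; returns 0 only when the
# server and client settings are mutually consistent.
check_pair() {
    rc=0
    [ "$SRV_CSI_FIREWALL_SECURE" = TRUE ] ||
        { echo "ERROR: CSI_FIREWALL_SECURE must be TRUE on the server"; rc=1; }
    [ "$SRV_CSI_TCP_RPCSERVICE" = TRUE ] ||
        { echo "ERROR: CSI_TCP_RPCSERVICE must be TRUE on the server"; rc=1; }
    [ "$SRV_CSI_UDP_RPCSERVICE" = FALSE ] ||
        echo "WARNING: CSI_UDP_RPCSERVICE=TRUE; the firewall-secure CSI is TCP only"
    port_ok "$SRV_CSI_INET_PORT" 50003 ||
        { echo "ERROR: CSI_INET_PORT must be 1024-65535 and not 50003"; rc=1; }
    { [ "$CLI_CSI_TCP_RPCSERVICE" = TRUE ] && [ "$CLI_CSI_UDP_RPCSERVICE" = FALSE ]; } ||
        { echo "ERROR: client needs CSI_TCP_RPCSERVICE=TRUE and CSI_UDP_RPCSERVICE=FALSE"; rc=1; }
    if [ "$CLI_CSI_HOSTPORT" != 0 ]; then
        port_ok "$CLI_CSI_HOSTPORT" 50003 ||
            { echo "ERROR: CSI_HOSTPORT must be 0 or 1024-65535, not 50003"; rc=1; }
        [ "$CLI_CSI_HOSTPORT" = "$SRV_CSI_INET_PORT" ] ||
            { echo "ERROR: CSI_HOSTPORT=$CLI_CSI_HOSTPORT but server CSI_INET_PORT=$SRV_CSI_INET_PORT: no communication"; rc=1; }
    fi
    if [ "$CLI_SSI_INET_PORT" != 0 ]; then
        port_ok "$CLI_SSI_INET_PORT" 50001 50004 ||
            { echo "ERROR: SSI_INET_PORT must be 0 or 1024-65535, not 50001/50004"; rc=1; }
    fi
    return $rc
}

# firewall_rules: the minimal allow-list the two sides' settings imply.
firewall_rules() {
    echo "server fw: allow inbound TCP dport $SRV_CSI_INET_PORT from CSC hosts"
    if [ "$CLI_CSI_HOSTPORT" = 0 ]; then
        echo "server fw: allow inbound TCP/UDP dport 111 (client still queries the portmapper)"
    fi
    if [ "$CLI_SSI_INET_PORT" = 0 ]; then
        echo "client fw: SSI port is dynamic; inbound cannot be limited to one port"
    else
        echo "client fw: allow inbound TCP dport $CLI_SSI_INET_PORT from the ACSLS server"
    fi
}

# ssi_export_env: what an SSI startup script does before starting the SSI:
# set and export the four variables into the environment the SSI inherits.
ssi_export_env() {
    CSI_TCP_RPCSERVICE=$CLI_CSI_TCP_RPCSERVICE; export CSI_TCP_RPCSERVICE
    CSI_UDP_RPCSERVICE=$CLI_CSI_UDP_RPCSERVICE; export CSI_UDP_RPCSERVICE
    SSI_INET_PORT=$CLI_SSI_INET_PORT;           export SSI_INET_PORT
    CSI_HOSTPORT=$CLI_CSI_HOSTPORT;             export CSI_HOSTPORT
}

# main: refuse to start the SSI with an inconsistent configuration.
main() {
    check_pair || { echo "fix the settings above before starting the SSI"; return 1; }
    firewall_rules
    ssi_export_env
    # ... start the SSI here, as documented for your CSC
}

main "$@"
```

Run the check on both hosts before opening firewall ports: a CSI_HOSTPORT that differs from the server's CSI_INET_PORT is reported as an error, because that mismatch is exactly the case the Note above describes as producing no communication at all, and a CSI_HOSTPORT of 0 is reported as needing port 111 open on the server firewall, which is the legacy portmapper path the firewall-secure feature is meant to avoid.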