Difference between revisions of "Notes on intentionally Air-Gapping an IEM Installation"
From RiceFamily Wiki
(Created page with "== Premise == We need to install IEM in such a way that it cannot automatically update content from IBM. == Reasons == * Strict adherence to [http://wiki.en.it-processmaps.co...") |
(→IBM Documentation Links) |
||
| (5 intermediate revisions by the same user not shown) | |||
| Line 11: | Line 11: | ||
** [http://pic.dhe.ibm.com/infocenter/tivihelp/v26r1/topic/com.ibm.tem.doc_9.1/Platform/Config/c_airgap_tool_overview.html For IEM 9.1] | ** [http://pic.dhe.ibm.com/infocenter/tivihelp/v26r1/topic/com.ibm.tem.doc_9.1/Platform/Config/c_airgap_tool_overview.html For IEM 9.1] | ||
** [http://www-01.ibm.com/support/knowledgecenter/SS6MER_9.2.0/com.ibm.tivoli.tem.doc_9.2/Platform/Config/c_airgap_tool_overview.html?lang=en For IEM 9.2] | ** [http://www-01.ibm.com/support/knowledgecenter/SS6MER_9.2.0/com.ibm.tivoli.tem.doc_9.2/Platform/Config/c_airgap_tool_overview.html?lang=en For IEM 9.2] | ||
| + | * [https://forum.bigfix.com/t/how-to-force-an-iem-server-to-act-as-air-gapped-environment/12435/1 Forum.Bigfix.com Posting] about Intentional Air-Gap process | ||
| + | |||
| + | == Random Thoughts == | ||
| + | From reading the IBM Documentation, it looks like the assumption with an Air-Gapped environment is that the server is not able to access the Internet at all, thus it cannot access neither the IBM Fixlet content not the Vendor Patch content itself. | ||
| + | |||
| + | What I'm going to be trying to do is 'trick' the server into thinking that it cannot find the server that hosts the IBM Fixlet Content, but leave it able (hopefully) to access the actual Patch content from the Vendors sites. | ||
| + | |||
| + | I believe that all I need to do is create an entry in the 'hosts' file that redirects the sites below to 127.0.0.1 or some other address where the server cannot find the IBM Fixlet content. | ||
| + | * http://sync.bigfix.com - I believe this is the current Content source site. | ||
| + | ** http://www-01.ibm.com/support/docview.wss?uid=swg21468445 - References unfiltered access to http://sync.bigfix.com as being required for proper operation. | ||
| + | ** [https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/General%20Troubleshooting%20Methods IBM IEM General Troubleshooting Methods] refers to needing access to http://sync.bigfix.com for proper Gather processes to function. | ||
| + | * http://bigfix-2kserv.bigfix.com - I have found references to this server in several of the IBM Wiki pages, but it doesn't appear to be active any longer. | ||
| + | |||
| + | == Utilities == | ||
| + | * Air-Gap.exe tool | ||
| + | |||
| + | == Procedures == | ||
| + | * [[Avoid Downloading content in the Baremetal OS Deployment site when downloading Fixlets and Tasks using the Air-Gap.exe tool]] | ||
| + | ** Generate the XML file with the Air-Gap.exe tool | ||
| + | ** Remove reference to the Baremetal OS Deployment site | ||
| + | ** Gather content from IBM on a different machine that can access http://sync.bigfix.com | ||
| + | ** Import the content into the Air-Gapped server. | ||
| + | |||
| + | [[Category:IBM Endpoint Manager]] | ||
| + | [[Category:IEM]] | ||
| + | [[Category:Air-Gap]] | ||
Latest revision as of 17:28, 13 February 2015
Premise
We need to install IEM in such a way that it cannot automatically update content from IBM.
Reasons
- Strict adherence to ITIL Change Management Controls.
- Requirement that even though IBM is actively developing the OS Deployment abilities in IEM, our group that Manages Workstation/Laptop images is insisting on a stable environment.
IBM Documentation Links
- Installing in an Air-Gapped Network]
- Forum.Bigfix.com Posting about Intentional Air-Gap process
Random Thoughts
From reading the IBM Documentation, it looks like the assumption with an Air-Gapped environment is that the server is not able to access the Internet at all, thus it cannot access neither the IBM Fixlet content not the Vendor Patch content itself.
What I'm going to be trying to do is 'trick' the server into thinking that it cannot find the server that hosts the IBM Fixlet Content, but leave it able (hopefully) to access the actual Patch content from the Vendors sites.
I believe that all I need to do is create an entry in the 'hosts' file that redirects the sites below to 127.0.0.1 or some other address where the server cannot find the IBM Fixlet content.
- http://sync.bigfix.com - I believe this is the current Content source site.
- http://www-01.ibm.com/support/docview.wss?uid=swg21468445 - References unfiltered access to http://sync.bigfix.com as being required for proper operation.
- IBM IEM General Troubleshooting Methods refers to needing access to http://sync.bigfix.com for proper Gather processes to function.
- http://bigfix-2kserv.bigfix.com - I have found references to this server in several of the IBM Wiki pages, but it doesn't appear to be active any longer.
Utilities
- Air-Gap.exe tool
Procedures
- Avoid Downloading content in the Baremetal OS Deployment site when downloading Fixlets and Tasks using the Air-Gap.exe tool
- Generate the XML file with the Air-Gap.exe tool
- Remove reference to the Baremetal OS Deployment site
- Gather content from IBM on a different machine that can access http://sync.bigfix.com
- Import the content into the Air-Gapped server.
