In our discussion of Security Compliance Manager’s logical component
architecture above, we have focused primarily on the logical relationships among software components, and not necessarily on the specific system configurations upon which they are installed. In this section, we introduce the physical aspects of Security Compliance Manager’s components and provide guidelines on how to deploy the software components on physical nodes.
2.2.1 Communication port usage
Our description of Security Compliance Manager’s logical components shows the server as the central component of a Security Compliance Manager infrastructure. The server communicates with all other components using different protocols. Figure 2-8 on page 30 depicts the default port usage for the Security Compliance Manager server’s communication links. The direction of the arrows in the diagram indicates the initiator of the communication. The different types of communication links are:
From administration tools to server
Communications between the administration console or command line interface and the server are based on Remote Method Invocation (RMI). The following port is used:
– Administration utility to server: 1955 (RMI-Naming)
Between server and push clients
The communication can be initiated in two different ways:
– Client to server using port 1951: A connection from the push client to the server is established when the client wants to transfer collected data to the server. This connection is set up as required and released after the data transfer.
– Server to client using port 1950: This connection is optional. It is set up only if an administrator executes commands that require communication with the client, for example, if the administrator requests direct execution of a collector. If firewall rules forbid this communication, the functionality of the push client is not affected.
Between server and pull clients
Communication with a pull client is initiated by the Security Compliance Manager server. The default port for this communication is 1950. This connection is permanent.
Between server and proxy relay
Communication with a proxy relay is initiated by the server using the default port 1960 on the proxy relay. This connection is permanent regardless of whether the proxy relay is configured as a push or pull client. If configured as a push client, the relay must be connected directly to the server.
Between proxy relay and pull clients
Communication with a pull client is initiated by the server. The default port for this communication is 1950. This connection is permanent. The proxy relay can only connect to pull clients.
Figure 2-8 Communication port usage
[Figure 2-8, diagram not reproduced: the ITSCM Server, together with the ITSCM Database, ITSCM Operational Report, ITSCM Admin GUI and ITSCM Admin CLI, linked to ITSCM PUSH and PULL clients both directly and through PUSH (Proxy) and PULL (Proxy) relays. Labelled ports: 1950 client port, 1951 push port, 1952 and 1953 JLOG ports (logcmd), 1955 RMI Naming, 1960 proxy port. Legend: permanent connection, temporary connection (required), temporary connection (optional).]
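The link list above determines which direction a firewall between two nodes must open. The following added example (not code from the IBM Redbook or from the product) turns that list into least-privilege allow rules per node role and checks a proposed policy against it; the use of TCP, the role names and the address placeholders are assumptions.

```python
# Added example (not from the IBM Redbook): derive least-privilege firewall rules
# from the link table in this section. Each entry is (initiator role, responder
# role, default port, link kind); TCP and the Figure 2-8 legend are assumptions.
LINKS = [
    ("admin",       "server",      1955, "temporary (required)"),
    ("push_client", "server",      1951, "temporary (required)"),
    ("server",      "push_client", 1950, "temporary (optional)"),
    ("server",      "pull_client", 1950, "permanent"),
    ("server",      "proxy_relay", 1960, "permanent"),
    ("proxy_relay", "pull_client", 1950, "permanent"),
]

def required_rules(role):
    """Allow rules a stateful firewall on a node of `role` needs: only the
    initiator's direction is opened; replies are matched by connection state."""
    rules = []
    for src, dst, port, kind in LINKS:
        if dst == role:
            rules.append(("in", src, port, kind))
        elif src == role:
            rules.append(("out", dst, port, kind))
    return rules

def review_policy(role, proposed):
    """Compare proposed (direction, peer, port) allow rules with the link table.
    Returns (missing required, missing optional, rules nothing in the table needs)."""
    required = {(d, p, port): kind for d, p, port, kind in required_rules(role)}
    proposed = set(proposed)
    missing_required = sorted(k for k, kind in required.items()
                              if k not in proposed and "optional" not in kind)
    missing_optional = sorted(k for k, kind in required.items()
                              if k not in proposed and "optional" in kind)
    excess = sorted(proposed - set(required))
    return missing_required, missing_optional, excess

def iptables_lines(role):
    """Render the required rules as iptables commands; <peer_addr> are placeholders."""
    lines = []
    for d, peer, port, kind in required_rules(role):
        chain, flag = ("INPUT", "-s") if d == "in" else ("OUTPUT", "-d")
        lines.append(f"iptables -A {chain} -p tcp {flag} <{peer}_addr> --dport {port} "
                     f"-m conntrack --ctstate NEW -j ACCEPT  # {kind}")
    return lines

if __name__ == "__main__":
    print("\n".join(iptables_lines("server")))
    print(review_policy("proxy_relay", [("in", "server", 1960), ("in", "admin", 1955)]))
```

A push client that omits the optional inbound 1950 rule is reported under "missing optional" only, matching the text's statement that blocking it does not affect the push client.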
2.2.2 Deployment on physical nodes
Security Compliance Manager supports different operating systems and configuration options for its server and proxy relay deployment. The following section describes the deployment options and provides some hints for the selection of nodes.
Deployment of Security Compliance Manager server
IBM recommends that you install the Security Compliance Manager server on a system with a high processor speed and ample disk space. The system that contains the server should be solely dedicated to that task. This configuration allows the system to be tuned and optimized for running Security Compliance Manager. This configuration also keeps the server from having to compete with other applications for system resources.
The database server serves as the repository for all Security Compliance Manager data. The database server can be deployed on the same system as the Security Compliance Manager server; however, for better performance, the database server should be installed on a separate system. For even better performance, the database server can be installed on a multi-processor machine. The IBM Tivoli Security Compliance Manager Version 5.1 Deployment and Tuning Guide provides a formula and examples that describe the throughput calculation for the Security Compliance Manager server hardware:
Throughput requirement = Number of clients * Number of collectors * Collector message size / Frequency of data collection
The components of the formula are defined as follows:
Number of clients
The total number of clients connected to the Security Compliance Manager server.
Number of collectors
The average number of collectors deployed on a single client.
Collector message size
The average size of the message sent from the data collector to the server. This size should be determined in a test environment or during a pilot phase.
Frequency of data collection
Represents the data collection schedule configured for the collectors in the Security Compliance Manager server.
Deployment of Security Compliance Manager proxy relay
The Security Compliance Manager proxy relay is a special collector that routes traffic between the Security Compliance Manager server and clients in different networks. You are not required to set up dedicated systems for the Security Compliance Manager proxy relay functionality. Ideally, existing nodes having enough throughput capacity can be used to route the Security Compliance Manager traffic. The same formula for throughput calculation shown in “Deployment of Security Compliance Manager server” on page 31 can be used for the Security Compliance Manager proxy relay system. The number of clients used in the formula is the number of clients connected via the proxy relay systems.
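The following added example (not from the IBM Redbook or the Deployment and Tuning Guide) applies the throughput formula to a deployment with direct clients and proxy relays, so that the server figure includes every client while each relay counts only the clients behind it. It assumes the "frequency of data collection" term is the schedule interval in seconds; the client counts, collector counts and message sizes are constructed sample values.

```python
# Added example (not from the IBM Redbook): apply the throughput formula quoted
# above to a deployment with direct clients and proxy relays. The "frequency of
# data collection" term is taken as the schedule interval in seconds, so the
# result is bytes per second; all client counts and sizes are constructed values.
from dataclasses import dataclass, field

@dataclass
class ClientGroup:
    clients: int            # number of clients in this group
    collectors: int         # average collectors per client
    message_bytes: float    # average collector message size (measure in a pilot)
    interval_s: float       # data collection schedule interval

    def throughput(self):
        # Throughput requirement = clients * collectors * message size / frequency
        return self.clients * self.collectors * self.message_bytes / self.interval_s

@dataclass
class ProxyRelay:
    name: str
    groups: list = field(default_factory=list)  # pull clients behind this relay

def plan(direct_groups, relays):
    """Throughput each node must sustain: a relay carries only the clients behind
    it, while the server carries every client, direct or relayed."""
    per_node = {r.name: sum(g.throughput() for g in r.groups) for r in relays}
    per_node["server"] = (sum(g.throughput() for g in direct_groups)
                          + sum(per_node.values()))
    return per_node

if __name__ == "__main__":
    direct = [ClientGroup(200, 10, 4096, 3600)]
    relays = [ProxyRelay("relay-dmz", [ClientGroup(50, 10, 4096, 3600)]),
              ProxyRelay("relay-branch", [ClientGroup(150, 8, 2048, 86400)])]
    for node, bps in plan(direct, relays).items():
        print(f"{node:13s} {bps:10.1f} B/s")
```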