WebSphere Application Server & Liberty

 View Only
  • 1.  WebSphere Traditional Upgrade From Behind Firewall

    Posted Thu January 13, 2022 04:33 PM

    I am working to perform an overdue upgrade of a WebSphere environment to a more recent version ( for example.)

    Traditionally I've done these updates using the installation manager and had it search online for the appropriate updates and download them. This environment however is sitting behind a firewall that blocks all outbound traffic therefore it cannot find the necessary updates.

    We are able to create a support ticket and have these firewall rules opened up to allow this traffic however the firewall rules operate strictly though IP addresses. Is there any information or documentation that exists on the IP address (or range) that the Installation Manager tool tries to connect to in order to search and download updates? 

    Any help would be greatly appreciated. Thanks!

    Andrew Weaver

  • 2.  RE: WebSphere Traditional Upgrade From Behind Firewall

    Posted Fri January 14, 2022 03:58 AM
    In your case, I'd strongly recommend just downloading required archives from this page https://www.ibm.com/support/pages/85520-websphere-application-server-v85520 , transfer to your target machine and add directly as repos in your Installation Manager.
    In this way you can by pass all the troubles with opening firewall ports.


  • 3.  RE: WebSphere Traditional Upgrade From Behind Firewall

    Posted Fri January 14, 2022 09:22 AM
    As Gas noted you should download the fixpack and ifix binaries for installation to a server with internet access then transfer the files to your server you plan to perform maintenance on , that's standard operating procedure for firewalled/air-gapped environments.

    That said the connection from IIM to the IBM hosted repositories is https refer to the Knowledge Center https://www.ibm.com/docs/en/was-nd/8.5.5?topic=server-creating-custom-installation-repositories-packaging-utility which shows the URL format and there's a link in that page to the list of URLs  https://www.ibm.com/docs/en/was-nd/8.5.5?topic=installing-online-product-repositories-websphere-application-server-offerings

    Tom Alcott
    Senior Technical Staff Member

  • 4.  RE: WebSphere Traditional Upgrade From Behind Firewall

    Posted Fri January 14, 2022 01:53 PM

    Unfortunately, there is no short list of URL's for the IBM Installation Manager product and service repository; it's a service that fans out to repositories on a number of different IBM servers, so creating a list for firewall purposes can be difficult.

    I agree with everything that has been said so far: you can download fix pack repositories that allow you to upgrade your current WebSphere products(s), or do new local installs.

    Jeff Mierzejewski
    Software Engineer
    Austin TX

  • 5.  RE: WebSphere Traditional Upgrade From Behind Firewall

    Posted Fri January 14, 2022 03:13 PM

    Thank you all for the tips. 

    The client has another way in which they can flag an entire domain so they're going to try that, otherwise we'll perform the upgrades manually. 

    My major concern with the manual updates was making sure that they have all the right packages. I know IM always grabs like Java SDK's and other miscellaneous items that are installed (its a Maximo deployment.) We just wanted to make sure that they have everything they needed to successfully install the update. 

    Andrew Weaver

  • 6.  RE: WebSphere Traditional Upgrade From Behind Firewall

    Posted Mon January 17, 2022 07:15 AM
    Hi Andrew,

    What I do is to use the same OS(&version) but setup on a VM in my LAB to install the latest or specific version of WAS with SDK via IM.

    But I then use the 'swinging profile' concept to grab the files required zip them up (copy to a repo), and then on the target I make a backup of the 'dirs' to be replaced (copy to different repo) together with 3 other files and then unzip your chosen version, put back the 3 files and then you have a correctly versioned WAS profile without the pains of IM behind the firewall, we have it scripted atm in ansible for ease of use and less finger trouble.

    Just a thought or alternative, this approach might not be supported for your environment.

    Paul Bezuidenhout