RSCT enables custom firewall services on Linux LPARs

By NAGENDRA DONTAMSETTY posted 10 days ago

Contributors: Nagendra P Dontamsetty and Veera Srinivas Anantoju

1.0 Overview:

Starting with Reliable Scalable Cluster Technology (RSCT) 3.3.1.0, custom firewall services are enabled by RSCT on Linux LPARs running on RHEL (8.x), SLES (15.x), and Ubuntu (18.04+). A firewall service file is used to define rules for the firewall for the ports associated with a specific service/application.

In RHEL and SLES, the predefined firewalld service definitions are in /usr/lib/firewalld/services/, and the runtime (user-defined or overridden) service files are located in /etc/firewalld/services/.

For RSCT (Reliable Scalable Cluster Technology), the following custom firewall service files can be defined to open the required ports:

  1. rsct-ctrmc.xml – Defines ports required by RMC (port 657).
  2. rsct-ctrmc-tls.xml – Defines the TLS port for RMC (12601).
  3. rsct-cthats.xml – Defines ports used by CTHATS (12347).
  4. rsct-cthags.xml – Defines ports used by CTHAGS (12348).

File Locations and Package Details

- These service files are typically located in:

  - /usr/lib/firewalld/services/ – for system-provided (shipped) definitions.

  - /etc/firewalld/services/ – for user-defined or overridden service files.

- rsct-ctrmc.xml and rsct-ctrmc-tls.xml are shipped as part of the rsct.core package and include:

  - a rule for ports 657/tcp and 657/udp for the RMC daemon (legacy mode);

  - a rule for 12601/tcp for the RMC daemon, starting with RSCT 3.3.1.0.

- rsct-cthats.xml and rsct-cthags.xml are also shipped with rsct.core, but are primarily used by rsct.basic, and include:

  - a rule for 12347/udp for the RSCT HATS (Topology Services) daemon;

  - a rule for 12348/udp for the RSCT HAGS (Group Services) daemon.

On Ubuntu, firewall management is handled by ufw (Uncomplicated Firewall). Similar to firewalld services, application profiles can be defined under /etc/ufw/applications.d/, for example:

- /etc/ufw/applications.d/rsct-ctrmc

To allow access using UFW:

sudo ufw allow rsct-ctrmc

sudo ufw allow rsct-ctrmc-tls

2.0 RSCT Firewall Port Control Script for Linux (RHEL/SLES/Ubuntu)

(a) A control script is provided as /opt/rsct/bin/ctfwportctl:

[root@node-1 ~]# /opt/rsct/bin/ctfwportctl -help

ctfwportctl [-I | -U | -a <service> | -d <service> ] [-f]

options:

  -I          install firewall control

  -U          uninstall firewall control

  -a <fwsvc>  allow ports for a fw service <fwsvc>

  -d <fwsvc>  disable ports for a fw service <fwsvc>

  -f          force

<service>: ctrmc, ctrmc-tls, cthats, cthags. The name given here is translated into the corresponding "rsct-<service>" firewall service.

(b) RHEL/SLES:

- Installing the rsct.core rpm creates the firewall service definition /usr/lib/firewalld/services/rsct-ctrmc.xml.

- The rmcd_start script adds this firewall service to the 'default' and 'active' zones, for example:

        firewall-cmd --add-service=rsct-ctrmc --zone=libvirt

        firewall-cmd --add-service=rsct-ctrmc --zone=libvirt --permanent

        firewall-cmd --add-service=rsct-ctrmc --zone=public

        firewall-cmd --add-service=rsct-ctrmc --zone=public --permanent

(c) Ubuntu:

- Installing the rsct.core deb creates the firewall application profile /etc/ufw/applications.d/rsct-ctrmc.

- The rmcd_start script enables the application profile:

        ufw allow rsct-ctrmc

3.0 Commands

To enable or disable the ports:

  - /opt/rsct/bin/ctfwportctl -a ctrmc

  - /opt/rsct/bin/ctfwportctl -d ctrmc

To change the mode from tls_preferred to tls_exclusive:

  - chpsm -o s -a rmc_comm_mode=tls_exclusive -r

To change the mode from tls_exclusive to tls_preferred:

  - chpsm -o s -a rmc_comm_mode=tls_preferred -r

To verify whether the mode is tls_preferred or tls_exclusive:

  - [root@node-1 ~]# /opt/rsct/bin/lsscamode

--------------------------------------------------

LOCAL :

Effective_Communication_Mode : tls-exclusive

Effective_RMC_TLS_Port : 12601

Effective_MCP_TLS_Connection_Priority : n/a

Configured_Communication_Mode : tls-exclusive

Configured_RMC_TLS_Port : 0

Configured_MCP_TLS_Connection_Priority : default

--------------------------------------------------

MCP : HMC : <hmc ip:x.x.x.x>

Configured_Communication_Mode : tls-exclusive

Configured_RMC_TLS_Port : 0

Configured_MCP_TLS_Connection_Priority : default

4.0 Scenarios:

We will examine different scenarios with the RSCT ports enabled and disabled, and assess the communication between the nodes in tls_preferred and tls_exclusive modes.

Scenario 1

- To list the firewall services, including the RSCT services:

[root@node-1 ~]# firewall-cmd --list-services

cockpit dhcpv6-client rsct-cthags rsct-cthats rsct-ctrmc rsct-ctrmc-tls ssh

Scenario 2

- To verify that communication between the nodes is working over the RSCT ports:

[root@node-1 ~]# CT_CONTACT=<node2> lsrsrc IBM.HostPublic

Resource Persistent Attributes for IBM.HostPublic

resource 1:

PublicKey        = ["rsa512","120200cbcae4ac67dcfd732f79dd6752d375fc8ffa8f93610c55cd1b75df2e096fc8c1548dc884119f40ca3e60c079de343f8fce8ae2d476b26c030e9363e417f9bd210103"]

PublicKeyBinary  = "0xc5ec0001 0x00002001 0x120200cb 0xcae4ac67 0xdcfd732f 0x79dd6752 0xd375fc8f 0xfa8f9361 0x0c55cd1b 0x75df2e09 0x6fc8c154 0x8dc88411 0x9f40ca3e 0x60c079de 0x343f8fce 0x8ae2d476 0xb26c030e 0x9363e417 0xf9bd2101 0x03"

Hostname         = "node-2"

ActivePeerDomain = ""

NodeNameList     = {"node-2"}

Scenario 3: Communication between node-1 and node-2 fails when the nodes are in tls_preferred mode and both services, (i) rsct-ctrmc (port 657) and (ii) rsct-ctrmc-tls (port 12601), are disabled on node-1.

i.   Disable both RSCT services (ports 657 and 12601) on node-1

[root@node-1 ~]# /opt/rsct/bin/ctfwportctl -d rsct-ctrmc-tls

Fri Aug 1 02:52:06 PM IST 2025 ctfwportctl (55761) : firewall-cmd --remove-service=rsct-ctrmc-tls --zone=public

success

Fri Aug 1 02:52:07 PM IST 2025 ctfwportctl (55761) : firewall-cmd --remove-service=rsct-ctrmc-tls --zone=public --permanent

success

[root@node-1 ~]# /opt/rsct/bin/ctfwportctl -d rsct-ctrmc

Fri Aug 1 02:52:27 PM IST 2025 ctfwportctl (55820) : firewall-cmd --remove-service=rsct-ctrmc --zone=public

success

Fri Aug 1 02:52:28 PM IST 2025 ctfwportctl (55820) : firewall-cmd --remove-service=rsct-ctrmc --zone=public --permanent

Success

ii.   Communication between the nodes should fail, because both ports 657 and 12601 are disabled

[root@node-2 ~]# CT_CONTACT=<node-1> lsrsrc IBM.HostPublic

/opt/rsct/bin/lsrsrc-api: 2612-022 A session could not be established with the RMC daemon on rsct-zz01-lp17.aix-test.tadn.ibm.com.

Scenario 4: Enable both services, rsct-ctrmc (port 657) and rsct-ctrmc-tls (port 12601), on node-1 and verify that communication between node-1 and node-2 is restored.

i.   Enable both RSCT services (ports 657 and 12601) on node-1

[root@node-2 ~]# /opt/rsct/bin/ctfwportctl -a rsct-ctrmc

Fri Aug 1 03:12:18 PM IST 2025 ctfwportctl (56004) : firewall-cmd --add-service=rsct-ctrmc --zone=public

success

Fri Aug 1 03:12:19 PM IST 2025 ctfwportctl (56004) : firewall-cmd --add-service=rsct-ctrmc --zone=public --permanent

Success

[root@node-2 ~]# /opt/rsct/bin/ctfwportctl -a rsct-ctrmc-tls

Fri Aug 1 03:13:25 PM IST 2025 ctfwportctl (56034) : firewall-cmd --add-service=rsct-ctrmc-tls --zone=public

success

Fri Aug 1 03:13:26 PM IST 2025 ctfwportctl (56034) : firewall-cmd --add-service=rsct-ctrmc-tls --zone=public --permanent

success

ii.   Communication between the nodes should succeed, because both ports 657 and 12601 are enabled

[root@node-2 ~]# CT_CONTACT=<node1> lsrsrc IBM.HostPublic

Resource Persistent Attributes for IBM.HostPublic

resource 1:

          PublicKey        = ["rsa512","120200f572c59c7bf356c000db3d16eec5bc84e69f9fbc113af6cbddfa5672265d1d677e6f48acd8f008af63d751fd59520f6aa683082feb9ea1cf73731a3455c298350103"]

          PublicKeyBinary  = "0xc5ec0001 0x00002001 0x120200f5 0x72c59c7b 0xf356c000 0xdb3d16ee 0xc5bc84e6 0x9f9fbc11 0x3af6cbdd 0xfa567226 0x5d1d677e 0x6f48acd8 0xf008af63 0xd751fd59 0x520f6aa6 0x83082feb 0x9ea1cf73 0x731a3455 0xc2983501 0x03"

          Hostname         = "Node-1"

          ActivePeerDomain = ""

          NodeNameList     = {"Node-1"}

Scenario 5: Disable one of the two services on node-1; communication should still succeed over the other service.

i.  Disable the rsct-ctrmc-tls service (port 12601)

[root@node-2 ~]# /opt/rsct/bin/ctfwportctl -d rsct-ctrmc-tls

Fri Aug 1 03:17:56 PM IST 2025 ctfwportctl (56088) : firewall-cmd --remove-service=rsct-ctrmc-tls --zone=public

Success

Fri Aug 1 03:17:57 PM IST 2025 ctfwportctl (56088) : firewall-cmd --remove-service=rsct-ctrmc-tls --zone=public --permanent

Success

ii.    Communication between the nodes succeeds over port 657, even though port 12601 is disabled.

[root@node-2 ~]# CT_CONTACT=<node-1> lsrsrc IBM.HostPublic

Resource Persistent Attributes for IBM.HostPublic

resource 1:

          PublicKey        = ["rsa512","120200f572c59c7bf356c000db3d16eec5bc84e69f9fbc113af6cbddfa5672265d1d677e6f48acd8f008af63d751fd59520f6aa683082feb9ea1cf73731a3455c298350103"]

          PublicKeyBinary  = "0xc5ec0001 0x00002001 0x120200f5 0x72c59c7b 0xf356c000 0xdb3d16ee 0xc5bc84e6 0x9f9fbc11 0x3af6cbdd 0xfa567226 0x5d1d677e 0x6f48acd8 0xf008af63 0xd751fd59 0x520f6aa6 0x83082feb 0x9ea1cf73 0x731a3455 0xc2983501 0x03"

          Hostname         = "node1"

          ActivePeerDomain = ""

          NodeNameList     = {"node-1"}

Scenario 6: Communication between node-1 and node-2 fails when the nodes are in tls_exclusive mode and both services, (i) rsct-ctrmc (port 657) and (ii) rsct-ctrmc-tls (port 12601), are disabled on node-1.

i.   Disable both RSCT services (ports 657 and 12601) on node-1

[root@node-1 ~]# /opt/rsct/bin/ctfwportctl -d rsct-ctrmc-tls

Tue Aug 5 02:32:44 PM IST 2025 ctfwportctl (76869) : firewall-cmd --remove-service=rsct-ctrmc-tls --zone=public

success

Tue Aug 5 02:32:45 PM IST 2025 ctfwportctl (76869) : firewall-cmd --remove-service=rsct-ctrmc-tls --zone=public --permanent

Success

[root@node-1 ~]# /opt/rsct/bin/ctfwportctl -d rsct-ctrmc

Tue Aug 5 02:32:59 PM IST 2025 ctfwportctl (76928) : firewall-cmd --remove-service=rsct-ctrmc --zone=public

success

Tue Aug 5 02:33:00 PM IST 2025 ctfwportctl (76928) : firewall-cmd --remove-service=rsct-ctrmc --zone=public --permanent

success

ii.    Communication between the nodes should fail, because both ports 657 and 12601 are disabled

[root@node-2 ~]# CT_CONTACT=<node-1> lsrsrc IBM.HostPublic

/opt/rsct/bin/lsrsrc-api: 2612-022 A session could not be established with the RMC daemon on rsct-zz01-lp17.aix-test.tadn.ibm.com.

Scenario 7: Enable port 657 on node-1; communication between the nodes still fails, because tls_exclusive mode uses only port 12601.

i.   Enable the rsct-ctrmc service (port 657) on node-1

[root@node-2 ~]# /opt/rsct/bin/ctfwportctl -a rsct-ctrmc

Tue Aug 5 02:44:05 PM IST 2025 ctfwportctl (76999) : firewall-cmd --add-service=rsct-ctrmc --zone=public

Success

Tue Aug 5 02:44:06 PM IST 2025 ctfwportctl (76999) : firewall-cmd --add-service=rsct-ctrmc --zone=public --permanent

success

ii.   Communication between the nodes should still fail, because tls_exclusive mode uses only port 12601

[root@node-2 ~]# CT_CONTACT=<node-2> lsrsrc IBM.HostPublic

/opt/rsct/bin/lsrsrc-api: 2612-022 A session could not be established with the RMC daemon on rsct-zz01-lp17.aix-test.tadn.ibm.com.

Scenario 8: Enable port 12601 on node-1 and disable port 657; communication between the nodes succeeds, because tls_exclusive mode uses only port 12601.

i.     Disable the rsct-ctrmc service (port 657) on node-1

[root@node-1 ~]# /opt/rsct/bin/ctfwportctl -d rsct-ctrmc

Tue Aug 5 02:48:11 PM IST 2025 ctfwportctl (77029) : firewall-cmd --remove-service=rsct-ctrmc --zone=public

success

Tue Aug 5 02:48:12 PM IST 2025 ctfwportctl (77029) : firewall-cmd --remove-service=rsct-ctrmc --zone=public --permanent

Success

ii.   Enable the rsct-ctrmc-tls service (port 12601) on node-1

[root@node-1 ~]# /opt/rsct/bin/ctfwportctl -a rsct-ctrmc-tls

Tue Aug 5 02:48:24 PM IST 2025 ctfwportctl (77088) : firewall-cmd --add-service=rsct-ctrmc-tls --zone=public

success

Tue Aug 5 02:48:25 PM IST 2025 ctfwportctl (77088) : firewall-cmd --add-service=rsct-ctrmc-tls --zone=public --permanent

success

iii.    Communication between the nodes succeeds over port 12601, even though port 657 is disabled

[root@node-2 ~]# CT_CONTACT=rsct-zz01-lp17.aix-test.tadn.ibm.com lsrsrc IBM.HostPublic

Resource Persistent Attributes for IBM.HostPublic

resource 1:

          PublicKey        = ["rsa512","120200f572c59c7bf356c000db3d16eec5bc84e69f9fbc113af6cbddfa5672265d1d677e6f48acd8f008af63d751fd59520f6aa683082feb9ea1cf73731a3455c298350103"]

          PublicKeyBinary  = "0xc5ec0001 0x00002001 0x120200f5 0x72c59c7b 0xf356c000 0xdb3d16ee 0xc5bc84e6 0x9f9fbc11 0x3af6cbdd 0xfa567226 0x5d1d677e 0x6f48acd8 0xf008af63 0xd751fd59 0x520f6aa6 0x83082feb 0x9ea1cf73 0x731a3455 0xc2983501 0x03"

          Hostname         = "node-1"

          ActivePeerDomain = ""

          NodeNameList     = {"node-1"}
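The decision rule that Scenarios 3 to 8 demonstrate, written up as an added POSIX shell example (not code from the original post or from RSCT): it parses constructed lsscamode and firewall-cmd --list-services output and reports whether a peer should be able to reach the RMC daemon for the effective communication mode. The check_live wrapper, which would run the real commands on an RSCT host, is an assumption about the host and is not invoked here.

```shell
#!/bin/sh
# Added example (not part of the RSCT post or of RSCT itself): decide from the
# firewalld service list and the RMC communication mode whether a peer can
# reach the RMC daemon. Encodes the rule shown by Scenarios 3-8:
#   tls-preferred : rsct-ctrmc (657) OR rsct-ctrmc-tls (12601) must be open
#   tls-exclusive : rsct-ctrmc-tls (12601) must be open; 657 alone is not enough

# effective_mode OUTPUT
#   Extract the Effective_Communication_Mode value from text printed by lsscamode.
effective_mode() {
    printf '%s\n' "$1" | sed -n 's/^Effective_Communication_Mode *: *//p' | head -n 1
}

# rmc_reachable MODE SERVICES
#   MODE     : tls-preferred | tls-exclusive (spelling as printed by lsscamode)
#   SERVICES : the one line printed by `firewall-cmd --list-services`
#   Prints yes/no; exit status 0 if reachable, 1 if not, 2 on an unknown mode.
rmc_reachable() {
    mode=$1
    svcs=" $2 "            # pad so every service name is space-delimited
    legacy=no; tls=no
    case "$svcs" in *" rsct-ctrmc "*)     legacy=yes ;; esac
    case "$svcs" in *" rsct-ctrmc-tls "*) tls=yes    ;; esac
    case "$mode" in
        tls-exclusive) ok=$tls ;;
        tls-preferred) if [ "$tls" = yes ] || [ "$legacy" = yes ]; then ok=yes; else ok=no; fi ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    echo "$ok"
    [ "$ok" = yes ]
}

# check_live: the same test against this host (assumes firewalld and RSCT are installed).
check_live() {
    rmc_reachable "$(effective_mode "$(/opt/rsct/bin/lsscamode)")" "$(firewall-cmd --list-services)"
}

# Constructed samples reproducing Scenario 7: tls-exclusive with only port 657 open.
SAMPLE_LSSCAMODE='--------------------------------------------------
LOCAL :
Effective_Communication_Mode : tls-exclusive
Effective_RMC_TLS_Port : 12601
Configured_Communication_Mode : tls-exclusive
--------------------------------------------------'
SAMPLE_SERVICES='cockpit dhcpv6-client rsct-cthags rsct-cthats rsct-ctrmc ssh'

rmc_reachable "$(effective_mode "$SAMPLE_LSSCAMODE")" "$SAMPLE_SERVICES" || :   # prints "no"
```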
