Hitachi

Job Management Partner 1 Version 10 Job Management Partner 1/Automatic Operation Administration Guide


1.12.1 Access control using connection destination management

The feature for managing connection destinations consists of two sub-features: connection restriction and authentication information management. This section describes how access to connection destinations is controlled using the connection-restriction and authentication-information management features.

Connection-restriction

In JP1/AO, you can restrict access to connection destination hosts. This is called connection restriction.

You can permit access to a host by registering the host in advance as a connection destination in the JP1/AO system. The definition of a connection destination consists of the host name or IP address of the host, the destination type, the resource group, and other information. You can register connection destinations in the Connection Destinations view.

Figure 1‒28: Accessing connection destinations (using connection restriction)

[Figure]

In this example, first, an administrator assigned the Admin role registers connection destination information from the JP1/AO interface. Then, a user assigned the Submit role submits various services to resource group R for execution, specifying his or her user ID and password. Here, the submitting user is permitted to connect to host1 only, and connections to other hosts are declined.

Authentication-information management

In addition to information about the connection destination, you can register authentication information such as the user ID and password needed to access the host. This is called authentication-information management. By registering this authentication information, you can use JP1/AO to manage passwords and other information that is used by a number of services. This lets you avoid repeatedly entering the same authentication information each time you submit a service for execution.

Figure 1‒29: Accessing connection destinations (using authentication information management)

[Figure]

In this example, first, a user assigned the Admin role registers connection destination information and authentication information using the JP1/AO interface. Then, a user assigned the Submit role submits various services to resource group R for execution. Here, the submitting user is permitted to connect only to host1, on which connection destination information is registered, and connections to other hosts are declined. Also, because authentication information of host1 is registered in JP1/AO, it is not necessary to enter a user ID and a password to execute a service.

The connection destination information and, if you use authentication-information management, the authentication information that a service template uses must be registered by the time the service is submitted for execution. The service will fail to connect to the connection destination if this information is missing. For this reason, information about connection destination hosts must be shared between the creator of the service template and the JP1/AO administrator.

Tip

JP1/AO can keep a record of definitions for a particular connection destination that result in successful connections. By using a definition that is proven to be successful, you can avoid failed authentication requests and other issues in situations where several sets of authentication information are defined for a single connection destination host.

JP1/AO updates the successful definitions accordingly when you edit connection destinations.

You cannot use successful agentless destination definitions immediately after you install JP1/AO, or if the maximum number of successful agentless destination definitions has been reached. In these situations, JP1/AO uses the authentication information registered in the connection destinations in no particular order.
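The following added example (not JP1/AO code and not from the original guide) models the behavior described in this section: default-deny connection restriction per resource group, stored authentication information, and preference for a definition that is proven to be successful. The class and method names, exact-match host lookup, the limit value, and discarding the success record when a destination is edited are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Credential:
    user_id: str
    password: str

@dataclass
class Destination:
    host: str                # host name or IP address, matched exactly here
    resource_group: str
    credentials: list = field(default_factory=list)  # empty: restriction only

class DestinationRegistry:
    """Toy model of the behaviour described above, not JP1/AO internals."""

    def __init__(self, max_successful=100):   # limit value is an assumption
        self._dests = {}     # (resource_group, host) -> Destination
        self._proven = {}    # (resource_group, host) -> Credential that worked
        self._max = max_successful

    def register(self, dest):
        key = (dest.resource_group, dest.host)
        self._dests[key] = dest
        self._proven.pop(key, None)  # assumption: an edit discards the record

    def candidates(self, resource_group, host, supplied=None):
        """Return credentials to try, in order; deny unregistered hosts."""
        key = (resource_group, host)
        dest = self._dests.get(key)
        if dest is None:     # connection restriction: default deny
            raise PermissionError(f"{host} is not registered for {resource_group}")
        if not dest.credentials:          # no stored credentials: user must supply
            if supplied is None:
                raise ValueError("user ID and password required")
            return [supplied]
        proven = self._proven.get(key)
        if proven in dest.credentials:    # proven definition goes first
            return [proven] + [c for c in dest.credentials if c != proven]
        return list(dest.credentials)     # otherwise no order is guaranteed

    def record_success(self, resource_group, host, cred):
        key = (resource_group, host)
        if key in self._proven or len(self._proven) < self._max:
            self._proven[key] = cred      # at the limit, new hosts are not recorded
```
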
