12.11.7 Communication encryption function setting (enable/disable) and connectivity among product versions
This subsection explains the communication encryption function setting (enable/disable), connectivity among product versions (10-50 or earlier and 11-00 and later), and connectivity with linked products.
- Organization of this subsection
  - (1) Connectivity between JP1/IM - View and JP1/IM - Manager and when the jcochstat command with the -h option specified is executed
  - (2) Connectivity between JP1/IM - View and JP1/Base (manager host)
  - (3) Connectivity between JP1/Base (authentication server) and JP1/IM - Manager
  - (4) Connectivity between JP1/Base (manager host) and JP1/Base (agent host)
  - (5) Connectivity between JP1/IM - Manager and JP1/Base (agent host)
  - (6) Connectivity of IM Configuration Management
  - (7) Connectivity between JP1/IM - Manager and linked products
(1) Connectivity between JP1/IM - View and JP1/IM - Manager and when the jcochstat command with the -h option specified is executed
JP1/IM - View version 11-00 or later checks the non-encryption communication host configuration file to determine whether unencrypted communication is to be established with the connection-target JP1/IM - Manager.
For details about the non-encryption communication host configuration file, see Non-encryption communication host configuration file (nosslhost.conf) (in Chapter 2. Definition Files) in the manual JP1/Integrated Management - Manager Command and Definition File Reference.
| JP1/IM - Manager: Version | JP1/IM - Manager: Communication encryption function | JP1/IM - View: Version 10-50 or earlier | JP1/IM - View: Version 11-00 or later, Unencrypted#1 | JP1/IM - View: Version 11-00 or later, Encrypted#2 |
|---|---|---|---|---|
| 10-50 or earlier | Always disabled | U | U | N |
| 11-00 or later | Disabled | U | U | N |
| 11-00 or later | Enabled (jp1imcmda)#3 | N | N | Y |
- Legend:
  - Y: Encrypted communication is used.
  - U: Unencrypted communication is used.
  - N: Communication is blocked.
- #1: The manager host name in the non-encryption communication host configuration file must be the connection-target JP1/IM - Manager or the asterisk (*).
- #2: In the non-encryption communication host configuration file, the manager host names must not include the connection-target JP1/IM - Manager and must not be an asterisk (*).
- #3: This applies when jp1imcmda is specified in the BASESSL parameter in the SSL communication definition file in JP1/Base.
The following example shows connectivity when the jcochstat command is executed from JP1/IM - Manager (hostA) to JP1/IM - Manager (hostB) on another manager host.
| JP1/IM - Manager (hostA): Version | JP1/IM - Manager (hostA): Communication encryption function | JP1/IM - Manager (hostB): Version 10-50 or earlier, Always disabled | JP1/IM - Manager (hostB): Version 11-00 or later, Disabled | JP1/IM - Manager (hostB): Version 11-00 or later, Enabled (jp1imcmda)#1 |
|---|---|---|---|---|
| 10-50 or earlier | Always disabled | U | U | N |
| 11-00 or later | Disabled | U | U | N |
| 11-00 or later | Enabled (jp1imcmda)#1 | N | N | Y#2 |
- Legend:
  - Y: Encrypted communication is used and the jcochstat command executes successfully.
  - U: Unencrypted communication is used and the jcochstat command executes successfully.
  - N: Communication is blocked and execution of the jcochstat command fails.
- #1: This applies when jp1imcmda is specified in the BASESSL parameter in the SSL communication definition file in JP1/Base.
- #2: The following prerequisites must be satisfied:
  - The root certificate from the root certification authority corresponding to the server certificate of the JP1/IM - Manager that is specified in the -h option must be placed on the manager host on which the jcochstat command is executed. If this root certificate is not available, the jcochstat command fails because encrypted communication cannot be established.
  - The manager host name specified in the -h option must be the host name specified for the CN or SAN in the server certificate of that manager host. If the correct manager host name is not specified, the jcochstat command fails because encrypted communication cannot be established. For details about verification of host names (CN and SAN) in server certificates, see 12.11.4(2) Verifying host names (CN and SAN) in server certificates.
If you enable the communication encryption function on the manager host on which the jcochstat command is executed and on the manager host that is specified in the -h option of the jcochstat command, you can use the jcochstat command to change the response status of JP1/IM - Manager (other hosts). Note that this functionality for using the jcochstat command to change the response status of JP1/IM - Manager (other hosts) is for compatibility with version 6.
(2) Connectivity between JP1/IM - View and JP1/Base (manager host)
| JP1/Base (manager host): Version | JP1/Base (manager host): Communication encryption function | JP1/IM - View: Version 10-50 or earlier | JP1/IM - View: Version 11-00 or later, Unencrypted#1 | JP1/IM - View: Version 11-00 or later, Encrypted#2 |
|---|---|---|---|---|
| 10-50 or earlier | Always disabled | U | U | N |
| 11-00 or later | Disabled | U | U | N |
| 11-00 or later | Enabled (jp1imcmda)#3 | N | N | Y |
| 11-00 or later | Enabled (jp1bsuser)#4 | U | U | N |
| 11-00 or later | Enabled (jp1imcmda, jp1bsuser)#5 | N | N | Y |
- Legend:
  - Y: Encrypted communication is used.
  - U: Unencrypted communication is used.
  - N: Communication is blocked.
- #1: The manager host name in the non-encryption communication host configuration file must be the connection-target JP1/IM - Manager or an asterisk (*).
- #2: In the non-encryption communication host configuration file, the manager host names must not include the connection-target JP1/IM - Manager and must not be an asterisk (*).
- #3: This applies when only jp1imcmda is defined in the BASESSL parameter in the SSL communication definition file in JP1/Base.
- #4: This applies when only jp1bsuser is defined in the BASESSL parameter in the SSL communication definition file in JP1/Base.
- #5: This applies when jp1imcmda and jp1bsuser are defined in the BASESSL parameter in the SSL communication definition file in JP1/Base.
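The decision that the tables in (1) and (2) describe for JP1/IM - View can be applied to an inventory to find pairs that end up unencrypted or blocked. This is an added example, not code from the manual or the product: it takes already-parsed BASESSL components and non-encryption host list entries (no JP1 file is read), and the host names, inventory and exact-match host comparison are assumptions.

```python
# Added example: encodes the tables in (1) and (2). Host names are constructed.

def supports_encryption(version):
    """JP1 versions are written VV-RR; '11-00 or later' can encrypt."""
    major, minor = version.split("-")
    return (int(major), int(minor)) >= (11, 0)

def manager_side_encrypted(version, basessl):
    # Notes #3-#5 in (2): the manager host encrypts toward JP1/IM - View only
    # when jp1imcmda is in BASESSL; jp1bsuser alone leaves it unencrypted.
    return supports_encryption(version) and "jp1imcmda" in basessl

def view_side_encrypted(view_version, nossl_hosts, target):
    # Notes #1/#2: a 11-00+ View goes unencrypted when the target host or "*"
    # is listed. Exact string matching is an assumption of this example.
    if not supports_encryption(view_version):
        return False
    return target not in nossl_hosts and "*" not in nossl_hosts

def view_outcome(mgr_version, basessl, view_version, nossl_hosts, target):
    """Return 'Y' (encrypted), 'U' (unencrypted) or 'N' (blocked)."""
    m = manager_side_encrypted(mgr_version, basessl)
    v = view_side_encrypted(view_version, nossl_hosts, target)
    if m != v:
        return "N"  # one side expects encryption, the other does not
    return "Y" if m else "U"

# Constructed inventory: (manager host, version, BASESSL components)
MANAGERS = [
    ("mgr-a", "11-00", {"jp1imcmda", "jp1bsuser"}),
    ("mgr-b", "11-00", {"jp1bsuser"}),
    ("mgr-c", "10-50", set()),
]
# Constructed clients: (name, version, hosts in the non-encryption host list)
VIEWS = [
    ("view-1", "11-00", set()),
    ("view-2", "11-00", {"*"}),
    ("view-3", "10-50", set()),
]

def audit():
    """Return (view, manager, outcome) for every pair that is not encrypted."""
    return [(view, mgr, view_outcome(mver, basessl, vver, nossl, mgr))
            for view, vver, nossl in VIEWS
            for mgr, mver, basessl in MANAGERS
            if view_outcome(mver, basessl, vver, nossl, mgr) != "Y"]

if __name__ == "__main__":
    for view, mgr, result in audit():
        print(f"{view} -> {mgr}: {'cleartext' if result == 'U' else 'blocked'}")
```
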
(3) Connectivity between JP1/Base (authentication server) and JP1/IM - Manager
The following communication between JP1/Base (authentication server) and JP1/IM - Manager can be encrypted:
- Event console service (authentication API of JP1/Base) and JP1/Base authentication server
For details, see 12.11.1 Range of communication that can be encrypted by the communication encryption function.
| JP1/Base (authentication server): Version | JP1/Base (authentication server): Communication encryption function | JP1/IM - Manager: Version 10-50 or earlier, Always disabled | JP1/IM - Manager: Version 11-00 or later, Disabled | JP1/IM - Manager: Version 11-00 or later, Enabled (jp1bsuser)#2 | JP1/IM - Manager: Version 11-00 or later, Enabled (jp1imcmda and jp1bsuser)#3 |
|---|---|---|---|---|---|
| 10-50 or earlier | Always disabled | U | Not supported#1 | Not supported#1 | Not supported#1 |
| 11-00 or later | Disabled | U | U | N | N |
| 11-00 or later | Enabled (jp1bsuser)#2 | N | N | Y | Y |
| 11-00 or later | Enabled (jp1imcmda, jp1bsuser)#3 | N | N | Y | Y |
- Legend:
  - Y: Encrypted communication is used.
  - U: Unencrypted communication is used.
  - N: Communication is blocked.
- #1: JP1/Base is not supported if a prerequisite product in the same device is version 10-50 or earlier.
- #2: This applies when only jp1bsuser is defined in the BASESSL parameter in the SSL communication definition file in JP1/Base.
- #3: This applies when jp1imcmda and jp1bsuser are defined in the BASESSL parameter in the SSL communication definition file in JP1/Base.
(4) Connectivity between JP1/Base (manager host) and JP1/Base (agent host)
The communication encryption function settings have no effect on the connectivity between JP1/Base (manager host) and JP1/Base (agent host).
(5) Connectivity between JP1/IM - Manager and JP1/Base (agent host)
The communication encryption function settings have no effect on the connectivity between JP1/IM - Manager and JP1/Base (agent host).
This means that communication between JP1/IM - Manager and JP1/Base (agent host) is always unencrypted.
(6) Connectivity of IM Configuration Management
The table below explains connectivity of the synchronization function for JP1/IM - Manager's IM Configuration Management information. The synchronization function acquires IM configuration (remote configurations) by establishing connection from the integrated manager to base managers. Depending on the versions of the connection-source JP1/IM - Manager and the connection-target JP1/IM - Manager and whether the communication encryption function is enabled, communication is encrypted, unencrypted, or blocked.
| JP1/IM - Manager (connection source integrated manager): Version | JP1/IM - Manager (connection source integrated manager): Communication encryption function | JP1/IM - Manager (connection-target base manager): Version 10-50 or earlier, Always disabled | JP1/IM - Manager (connection-target base manager): Version 11-00 or later, Disabled | JP1/IM - Manager (connection-target base manager): Version 11-00 or later, Enabled (jp1imcmda)# |
|---|---|---|---|---|
| 10-50 or earlier | Always disabled | U | U | N |
| 11-00 or later | Disabled | U | U | Y |
| 11-00 or later | Enabled (jp1imcmda)# | U | U | Y |
- Legend:
  - Y: Connection can be established for encrypted communication.
  - U: Connection can be established for unencrypted communication.
  - N: Connection cannot be established.
- #: This applies when jp1imcmda is specified in the BASESSL parameter in the SSL communication definition file in JP1/Base.
(7) Connectivity between JP1/IM - Manager and linked products
When the communication encryption function is enabled, linkage with JP1/Service Support is not supported.
When the communication encryption function is enabled, linkage with JP1/IM - Rule Operation is not supported.