Hitachi

JP1 Version 12 JP1/Automatic Operation Administration Guide 


1.12.1 Controlling access using Connection Destination management features

JP1/AO provides two Connection Destination management features: connection-restriction and authentication-information management. This section describes how access to hosts can be controlled using these features.

Connection-restriction feature

In JP1/AO, you can restrict access to connection destination hosts. This is called connection restriction.

You can permit access to a host during service execution by registering the host in advance as a Connection Destination in the JP1/AO system. The definition of a Connection Destination consists of the host name or IP address of the host, the destination type, the service group, and other information. You can register Connection Destinations in the Connection Destination(s) area.

Figure 1‒19: Accessing Connection Destinations (when using connection restriction)

[Figure]

In this example, an administrator assigned the Admin role first uses the JP1/AO interface to register Connection Destination information. Then, a user assigned the Submit role submits various services to service group R for execution, specifying a user ID and password. Here, the submitting user is permitted to connect only to host1, and connections to other hosts are rejected.

Authentication-information management feature

In addition to information about Connection Destinations, you can register authentication information such as the user ID and password needed to access a host. This is called authentication-information management. By registering authentication information, you can use JP1/AO to manage passwords and other information that is common to a number of services. This means you do not have to enter authentication information each time you submit a service for execution.

Figure 1‒20: Accessing Connection Destinations (when using authentication-information management)

[Figure]

In this example, a user assigned the Admin role first uses the JP1/AO interface to register Connection Destination information and authentication information. Then, a user assigned the Submit role submits various services to service group R for execution. Here, the submitting user is permitted to connect only to host1, for which Connection Destination information is registered. Connections to other hosts are rejected. Also, because the authentication information of host1 is registered in JP1/AO, the user does not have to enter a user ID and a password when submitting services.

Before a service generated from a service template is submitted for execution, the Connection Destination information used by the template (and the authentication information, if you use the authentication-information management feature) must be registered. You can register this information in the JP1/AO user interface, or by using commands. The service will fail to connect to the Connection Destination if this information is missing. For this reason, the creator of the service template and the JP1/AO administrator must share information about connection-destination hosts.

Tip

JP1/AO can keep a record of which definitions for a particular Connection Destination resulted in successful connections. By using a definition that is proven to be successful, you can avoid failed authentication requests and other issues in situations where several sets of authentication information are defined for a single host.

When you edit the definition of a Connection Destination, JP1/AO updates the successful definitions accordingly.

You cannot use this feature to connect to Connection Destinations immediately after installing JP1/AO, or if the maximum number of successful Connection Destination definitions has been reached. In these situations, JP1/AO uses the authentication information registered in the Connection Destination in no particular order.
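The following is an added illustrative model of the behavior described in this section, not JP1/AO code or its API: a default-deny lookup of Connection Destinations per service group, registered authentication information used in place of user-supplied credentials, and a proven-successful definition tried first. All class, method and field names are hypothetical, the `try_login` callback stands in for the real connection attempt, and the model assumes no limit on the number of recorded successful definitions.

```python
# Illustrative model only: not JP1/AO code or its API. All names are hypothetical.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Definition:
    """One Connection Destination definition (constructed fields)."""
    service_group: str
    host: str                          # host name or IP address
    user_id: Optional[str] = None      # None: no authentication information registered
    password: Optional[str] = None


@dataclass
class Registry:
    definitions: list = field(default_factory=list)
    proven: dict = field(default_factory=dict)   # (group, host) -> Definition

    def register(self, d):
        self.definitions.append(d)

    def candidates(self, group, host):
        """Definitions permitting group -> host, proven-successful one first."""
        found = [d for d in self.definitions
                 if d.service_group == group and d.host == host]
        best = self.proven.get((group, host))
        if best in found:
            found.remove(best)
            found.insert(0, best)
        return found

    def connect(self, group, host, try_login, supplied=None):
        """Default deny: an unregistered destination is rejected before any login."""
        found = self.candidates(group, host)
        if not found:
            raise PermissionError(f"{host} is not a Connection Destination for {group}")
        for d in found:
            # Registered authentication information wins; otherwise use what
            # the submitting user specified (connection restriction only).
            creds = (d.user_id, d.password) if d.user_id else supplied
            if creds and try_login(host, *creds):
                self.proven[(group, host)] = d    # remember the definition that worked
                return d
        raise ConnectionError(f"no registered definition authenticated to {host}")
```

With two definitions registered for host1, the first call tries them in registration order and records the one that authenticated; later calls start with that definition, which avoids the repeated failed authentication requests the Tip mentions.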