Hitachi

JP1 Version 12 JP1/Automatic Job Management System 3 System Design (Configuration) Guide


2.3.9 Restricting hosts that can access JP1/AJS3

Connection source restriction refers to functionality that limits the hosts that are able to access JP1/AJS3. Restricting access to JP1/AJS3 - Manager or JP1/AJS3 - Agent can prevent unintended hosts from performing operations or executing jobs.

To use the connection source restriction function, specify a value for the environment setting parameter CONNECTIONRESTRICTION, and create a connection permission configuration file for each manager host or agent host (for each logical host, in the case of logical hosts). The function is an allowlist keyed on the source IP address of the connection as seen by the receiving host: only hosts that connect from one of the IP addresses listed in the file are given access, and an access attempt from any other address is rejected. For details about the environment setting parameter CONNECTIONRESTRICTION, see 20.11.2(5) CONNECTIONRESTRICTION in the JP1/Automatic Job Management System 3 Configuration Guide.

There are two connection permission configuration files: a manager connection permission configuration file (permitted_host_manager.conf) and an agent connection permission configuration file (permitted_host_agent.conf).

For details about how to restrict access to JP1/AJS3, see 21.2 Restricting connections to JP1/AJS3 in the JP1/Automatic Job Management System 3 Configuration Guide.

Cautionary note

If there is no connection permission configuration file that corresponds to the value of the environment setting parameter CONNECTIONRESTRICTION in the environment setting file storage folder, the JP1/AJS3 service or the JP1/AJS3 Queueless Agent service terminates abnormally.


(1) Operations subject to access restrictions

The connection source restriction function can be applied to the following operations:

  • Logging in to JP1/AJS3 - Manager from JP1/AJS3 - View

  • Executing various types of units

  • Connecting from the Web Console server

  • Connecting from related products

  • Remotely executing commands that start with ajs

  • Remotely executing commands that start with jpq

Each of these cases is described below.

(a) Logging in to JP1/AJS3 - Manager from JP1/AJS3 - View

You can limit the JP1/AJS3 - View hosts that are able to log in to JP1/AJS3 - Manager.

To do so, specify the IP addresses whose connection you want to permit in the manager connection permission configuration file.

If a JP1/AJS3 - View host has already logged in to JP1/AJS3 - Manager when you change the settings so that its IP address is no longer permitted, the already connected JP1/AJS3 - View can still perform operations such as execution registration and kill. Restriction of a JP1/AJS3 - View connection takes effect only at its next login.

(b) Restricting executions of various types of units

You can prohibit unintended hosts from executing various types of units.

When JP1/AJS3 - Manager requests that JP1/AJS3 - Agent execute, re-execute, kill, or check the status of jobs, JP1/AJS3 - Agent checks whether the IP address of the requester host is set in the agent connection permission configuration file.

For a unit such as a remote jobnet that connects to another manager host, the destination JP1/AJS3 - Manager checks whether the IP address of the requester host is set in the manager connection permission configuration file.

The request will be rejected if the IP address is not found in the connection permission configuration file.

The following table shows which connection permission configuration file is used to restrict access for each unit type.

Table 2‒29: Files used for connection source restriction, by unit type

No  Unit type                           File used for connection source restriction
 1  Remote jobnet                       M
 2  Manager job group                   M
 3  Manager jobnet                      M
 4  Planning group                      --
 5  Start condition                     --
 6  Standard job: Unix job              A
 7  Standard job: PC job                A
 8  Standard job: QUEUE job             M, A#1
 9  Flexible job                        A#2
10  Jobnet connector                    --
11  OR job                              --
12  Judgment job                        --
13  Event job                           A
14  Action job                          A
15  Custom job                          A
16  Passing information settings job    --
17  HTTP connection job                 A

Legend:

M: Manager connection permission configuration file

A: Agent connection permission configuration file

--: Connection source restriction does not apply to this unit type.

#1

When a QUEUE job is registered in the queue, the manager connection permission configuration file on the manager host that owns the queue determines whether the connection (registration) is permitted.

When a QUEUE job is executed, the agent connection permission configuration file on the agent host that is connected to the queue determines whether the connection (job execution) is permitted.

#2

A connection from a manager host to a relay agent is a target of the connection source restriction function, but a connection from a manager host or a relay agent to a destination agent is excluded.

For details about flexible jobs, see 2.9 Executing jobs in a cloud environment.

(c) Restricting connections from Web Console server

Connections from JP1/AJS3 - Web Console to JP1/AJS3 - Manager can be restricted.

Specify the IP address of the Web Console server whose connection you want to permit in the connection permission configuration file on the JP1/AJS3 - Manager host.

(d) Restricting connections from related products

You can prohibit related products from accessing JP1/AJS3 - Manager.

In the connection permission configuration file, specify the IP addresses of the hosts on which the related products are installed and whose connections you want to permit.

You can restrict access to JP1/AJS3 - Manager from the following products:

  • JP1/AJS3 - Definition Assistant

  • JP1/NQSEXEC (for receiving job execution requests)

(e) Restricting remote executions of commands that start with ajs

You can restrict which hosts are allowed to connect to JP1/AJS3 - Manager in order to remotely execute commands whose names start with ajs.

If you remotely execute commands that start with ajs, specify the IP address of the manager host initiating command execution in the manager connection permission configuration file on the manager host where the commands are to be executed.

For details about commands that can be executed remotely, see 1.1.7 Remote execution of a command in the JP1/Automatic Job Management System 3 Command Reference.

(f) Restricting remote executions of commands that start with jpq

You can restrict which hosts are allowed to connect to JP1/AJS3 - Manager in order to remotely execute commands whose names start with jpq.

When you remotely execute commands that start with jpq, specify the IP address of the manager host initiating command execution in the manager connection permission configuration file on the manager host where the commands are to be executed.

(2) Setting the connection permission configuration file

In the connection permission configuration file, specify the IP addresses of the hosts whose connection to JP1/AJS3 - Manager or JP1/AJS3 - Agent you want to permit. Also make sure that the IP address of the local host is specified in the connection permission configuration file when you enable the connection source restriction function in JP1/AJS3 - Manager.

For details about the connection permission configuration file, see 21.2 Restricting connections to JP1/AJS3 in the JP1/Automatic Job Management System 3 Configuration Guide.

Caution is necessary when you set IP addresses in the following cases:

  • If remote jobnets are executed

  • If the ajschkdef command is used to check the jobnet connector

  • In a NAT environment

  • In an environment that uses the ANY binding communication method and uses multiple NICs or alias IP addresses

The IP addresses you need to specify in each case are described below.

(a) If remote jobnets are executed

If remote jobnets are executed, the transferring host and the destination host must each be listed in the connection permission configuration file on the other host, in addition to each host's own local IP address. On the execution host, list the IP address of the destination host, which sends it the job execution requests.

The following figure shows an example of executing a remote jobnet in an environment in which connection source restriction is enabled.

Figure 2‒40: Example configuration when a remote jobnet is executed

[Figure]

In this example, the connection permission configuration files on the transfer source host, the transfer destination host, and the execution host contain the following IP addresses:

Transfer source host

  • Local IP address (192.168.31.1)

  • IP address of the transfer destination host (192.168.31.2)

Transfer destination host

  • Local IP address (192.168.31.2)

  • IP address of the transfer source host (192.168.31.1)

Execution host

  • IP address of the transfer destination host (192.168.31.2)

Note

Do not change the connection source restriction settings on a host while a remote jobnet is registered for execution. If the connection source restriction function starts rejecting the connection after the remote jobnet has been executed, operations on the execution host such as status notification, kill, and deletion can no longer be performed.

(b) If the ajschkdef command is used to check the jobnet connector

If you use the ajschkdef command with the -M option specified to perform a definition pre-check and if a jobnet connector whose Connection range is set to Other service is included as an object to be checked, you need to specify the IP address of the host on which the jobnet connector is defined in the manager connection permission configuration file on the destination host.

The following figure shows an example jobnet connector.

Figure 2‒41: Example jobnet connector

[Figure]

In this example, the IP address of HostA, which is the host on which the jobnet connector is defined, is specified in the manager connection permission configuration file on the destination host HostB. If you execute the ajschkdef command without this specification, the "number of checked units" displayed for NUMBER OF CHECKUNITS in the check results is decreased by the number of units for which connection was denied, and the message KAVS3431-I is output to the integrated trace logs.

For details about ajschkdef command, see ajschkdef in 3. Commands Used for Normal Operations in the manual JP1/Automatic Job Management System 3 Command Reference.

(c) In a NAT environment

In a NAT environment, the IP address configured on the host differs from the IP address that the receiving host sees as the communication source. Specify the address after network address translation (NAT), that is, the translated address that the receiving host actually sees, not the host's own address.

The following figure shows an example of restricting access in a NAT environment.

Figure 2‒42: Example of restricting accesses in a NAT environment

[Figure]

In this example, 200.200.200.200 is specified in the agent connection permission configuration file.

(d) In an environment that uses the ANY binding communication method and uses multiple NICs or alias IP addresses

Specify all the addresses that can become actual communication sources.

The following figure shows an example of restricting access in a multiple-NIC environment.

Figure 2‒43: Example of restricting access in a multiple-NIC environment

[Figure]

In this example, 192.168.31.1, 192.168.31.2, and 192.168.31.3, which can be used by the manager host as the source IP addresses, are specified in the agent connection permission configuration file.
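The rules in (1)(a) to (1)(f) and (2)(a) to (2)(d) above all reduce to the same question: for each connection the design needs, which address will the receiving host see, and which of its two files is consulted? The following script, added here as an example and not Hitachi's code, turns a planned topology into the required contents of each permitted_host_manager.conf and permitted_host_agent.conf and then replays every planned connection against a draft of those files to find the ones that would be rejected. Only the two file names come from the page; the one-address-per-line format, the decision to put a manager's own address in both of its files, and every host name, address and edge in the sample topology are this example's assumptions (see 21.2 in the Configuration Guide for the authoritative file syntax).

```python
"""Planner and checker for JP1/AJS3 connection permission configuration files.

Added example (not Hitachi's code). Assumed and not taken from the page:
- the file format is one IP address per line (the authoritative syntax is in
  Configuration Guide 21.2; only the file names come from the page);
- a manager host lists its own address in BOTH of its files (the page only
  says "the connection permission configuration file");
- all host names, addresses and the topology below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MANAGER_FILE = "permitted_host_manager.conf"  # name from the page
AGENT_FILE = "permitted_host_agent.conf"      # name from the page

Edge = Tuple[str, str, str]             # (requesting host, target host, file on target)
Need = Dict[Tuple[str, str], Set[str]]  # (host, file) -> addresses the file must list


@dataclass(frozen=True)
class Host:
    name: str
    addrs: Tuple[str, ...]          # every address the host itself owns
    nat_addr: Optional[str] = None  # address peers see after NAT, if any

    def __post_init__(self) -> None:
        # The files take IP addresses, not host names: reject anything else early.
        for a in self.addrs + ((self.nat_addr,) if self.nat_addr else ()):
            ipaddress.ip_address(a)

    def source_addrs(self) -> Tuple[str, ...]:
        """Addresses a receiving host can actually see from this host.
        (2)(c): behind NAT only the translated address is visible.
        (2)(d): with ANY binding and several NICs/aliases, any local address
        may be the source, so all of them must be permitted."""
        return (self.nat_addr,) if self.nat_addr else self.addrs


def remote_jobnet(a: str, b: str) -> List[Edge]:
    """(2)(a): transferring and destination hosts check each other in their
    manager files, so one remote jobnet yields two edges."""
    return [(a, b, MANAGER_FILE), (b, a, MANAGER_FILE)]


def required_entries(hosts: Dict[str, Host], edges: List[Edge],
                     managers: Set[str]) -> Need:
    """Compute what every (host, file) must contain for all edges to succeed."""
    need: Need = {}
    for req, tgt, fname in edges:
        need.setdefault((tgt, fname), set()).update(hosts[req].source_addrs())
    # (2): a manager with restriction enabled must also list its own local
    # address. Which file is not stated on the page; both are used here.
    for m in managers:
        for fname in (MANAGER_FILE, AGENT_FILE):
            need.setdefault((m, fname), set()).update(hosts[m].addrs)
    return need


def render(need: Need, host: str, fname: str) -> str:
    """File body: one address per line (assumed format), sorted for stable diffs."""
    def key(a: str):
        ip = ipaddress.ip_address(a)
        return (ip.version, ip)  # keeps IPv4 and IPv6 entries sortable together
    return "".join(a + "\n" for a in sorted(need.get((host, fname), set()), key=key))


def check(hosts: Dict[str, Host], edges: List[Edge], deployed: Need) -> List[str]:
    """Replay the rule from (1)(b): a request is rejected when its source
    address is absent from the target's file. Returns one line per rejection."""
    problems = []
    for req, tgt, fname in edges:
        allowed = deployed.get((tgt, fname), set())
        for addr in hosts[req].source_addrs():
            if addr not in allowed:
                problems.append(f"{tgt}/{fname} lacks {addr}: {req} -> {tgt} rejected")
    return problems


# Constructed sample topology (addresses borrowed from the page's figures).
HOSTS = {h.name: h for h in [
    Host("mgrA", ("192.168.31.1", "192.168.31.2", "192.168.31.3")),  # ANY binding, 3 NICs
    Host("mgrB", ("192.168.32.1",)),                                  # remote jobnet peer
    Host("mgrNAT", ("10.0.0.5",), nat_addr="200.200.200.200"),        # manager behind NAT
    Host("agent1", ("192.168.33.10",)),
    Host("view1", ("192.168.34.20",)),
]}
MANAGERS = {"mgrA", "mgrB", "mgrNAT"}
EDGES: List[Edge] = [
    ("view1", "mgrA", MANAGER_FILE),   # (1)(a) View login
    ("mgrA", "agent1", AGENT_FILE),    # (1)(b) job execution requests
    ("mgrNAT", "agent1", AGENT_FILE),  # (1)(b) job execution requests via NAT
] + remote_jobnet("mgrA", "mgrB")      # (2)(a) remote jobnet, both directions

NEED = required_entries(HOSTS, EDGES, MANAGERS)
# A draft of agent1's file that forgot one NIC and used mgrNAT's pre-NAT address.
DRAFT: Need = {**NEED, ("agent1", AGENT_FILE): {"192.168.31.1", "192.168.31.2", "10.0.0.5"}}

if __name__ == "__main__":
    print(render(NEED, "agent1", AGENT_FILE))
    for p in check(HOSTS, EDGES, DRAFT):
        print("REJECT:", p)
```

Running the script prints the four-line agent file that agent1 needs and two rejections for the draft: the third NIC of mgrA (the (2)(d) case) and the untranslated address of mgrNAT (the (2)(c) case). Because check() replays the planned edges rather than just diffing address lists, it also catches the one-directional remote jobnet mistake described in (2)(a) and a manager whose own address was left out as required by (2).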