Hitachi

JP1 Version 12 JP1/Integrated Management 2 - Manager Overview and System Design Guide


13.11.7 Communication encryption function setting (enable/disable) and connectivity among product versions

This subsection explains the communication encryption function setting (enable/disable), connectivity among product versions (10-50 or earlier and 11-00 and later), and connectivity with linked products.

(1) Connectivity between JP1/IM - View and JP1/IM - Manager and when the jcochstat command with the -h option specified is executed

JP1/IM - View version 11-00 or later checks the non-encryption communication host configuration file to determine whether unencrypted communication is to be established with the connection-target JP1/IM - Manager.

For details about the non-encryption communication host configuration file, see Non-encryption communication host configuration file (nosslhost.conf) (in Chapter 2. Definition Files) in the manual JP1/Integrated Management 2 - Manager Command, Definition File and API Reference.

Table 13‒23: Connectivity between JP1/IM - View and JP1/IM - Manager

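| JP1/IM - Manager version | JP1/IM - Manager communication encryption function | JP1/IM - View 10-50 or earlier | JP1/IM - View 11-00 or later (Unencrypted#1) | JP1/IM - View 11-00 or later (Encrypted#2) |
|---|---|---|---|---|
| 10-50 or earlier | Always disabled | U | U | N |
| 11-00 or later | Disabled | U | U | N |
| 11-00 or later | Enabled (jp1imcmda)#3 | N | N | Y |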

Legend:

Y: Encrypted communication is used.

U: Unencrypted communication is used.

N: Communication is blocked.

#1

The manager host name in the non-encryption communication host configuration file must be the connection-target JP1/IM - Manager or an asterisk (*).

#2

In the non-encryption communication host configuration file, the manager host names must not include the connection-target JP1/IM - Manager and must not be an asterisk (*).

#3

This applies when jp1imcmda is specified in the BASESSL parameter in the SSL communication definition file in JP1/Base.

The following example shows connectivity when the jcochstat command is executed from JP1/IM - Manager (hostA) to JP1/IM - Manager (hostB) on another manager host.

Table 13‒24: Connectivity when the jcochstat command with the -h option specified is executed

| JP1/IM - Manager (hostA) version | JP1/IM - Manager (hostA) communication encryption function | hostB 10-50 or earlier (Always disabled) | hostB 11-00 or later (Disabled) | hostB 11-00 or later (Enabled (jp1imcmda)#1) |
|---|---|---|---|---|
| 10-50 or earlier | Always disabled | U | U | N |
| 11-00 or later | Disabled | U | U | N |
| 11-00 or later | Enabled (jp1imcmda)#1 | N | N | Y#2 |

Legend:

Y: Encrypted communication is used and the jcochstat command executes successfully.

U: Unencrypted communication is used and the jcochstat command executes successfully.

N: Communication is blocked and execution of the jcochstat command fails.

#1

This applies when jp1imcmda is specified in the BASESSL parameter in the SSL communication definition file in JP1/Base.

#2

The following prerequisites must be satisfied:

• The root certificate from the root certification authority corresponding to the server certificate of the JP1/IM - Manager that is specified in the -h option must be placed on the manager host on which the jcochstat command is executed. If this root certificate is not available, the jcochstat command fails because encrypted communication cannot be established.

• The manager host name specified in the -h option must be the host name specified for the CN or SAN in the server certificate of that manager host. If the correct manager host name is not specified, the jcochstat command fails because encrypted communication cannot be established. For details about verification of host names (CN and SAN) in server certificates, see 13.11.4(2) Verifying host names (CN and SAN) in server certificates.

If you enable the communication encryption function on the manager host on which the jcochstat command is executed and on the manager host that is specified in the -h option of the jcochstat command, you can use the jcochstat command to change the response status of JP1/IM - Manager (other hosts). Note that this functionality for using the jcochstat command to change the response status of JP1/IM - Manager (other hosts) is for compatibility with version 6.

(2) Connectivity between JP1/IM - View and JP1/Base (manager host)

Table 13‒25: Connectivity between JP1/IM - View and JP1/Base (manager host)

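| JP1/Base (manager host) version | JP1/Base (manager host) communication encryption function | JP1/IM - View 10-50 or earlier | JP1/IM - View 11-00 or later (Unencrypted#1) | JP1/IM - View 11-00 or later (Encrypted#2) |
|---|---|---|---|---|
| 10-50 or earlier | Always disabled | U | U | N |
| 11-00 or later | Disabled | U | U | N |
| 11-00 or later | Enabled (jp1imcmda)#3 | N | N | Y |
| 11-00 or later | Enabled (jp1bsuser)#4 | U | U | N |
| 11-00 or later | Enabled (jp1imcmda, jp1bsuser)#5 | N | N | Y |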

Legend:

Y: Encrypted communication is used.

U: Unencrypted communication is used.

N: Communication is blocked.

#1

The manager host name in the non-encryption communication host configuration file must be the connection-target JP1/IM - Manager or an asterisk (*).

#2

In the non-encryption communication host configuration file, the manager host names must not include the connection-target JP1/IM - Manager and must not be an asterisk (*).

#3

This applies when only jp1imcmda is defined in the BASESSL parameter in the SSL communication definition file in JP1/Base.

#4

This applies when only jp1bsuser is defined in the BASESSL parameter in the SSL communication definition file in JP1/Base.

#5

This applies when jp1imcmda and jp1bsuser are defined in the BASESSL parameter in the SSL communication definition file in JP1/Base.
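
The rule behind Tables 13-23 and 13-25, written as an added Python example that is not part of the Hitachi manual, and applied to an inventory to list every JP1/IM - View and manager pair that ends up unencrypted or blocked. The record layout, field names and host names are constructed, and exact host-name matching against the non-encryption host list is an assumption.

```python
# Added example (not Hitachi code). Record layout and host names are constructed.

def parse_version(text):
    """Turn a version string such as '12-10' into (12, 10)."""
    major, minor = text.split("-")
    return int(major), int(minor)

def view_uses_plaintext(view, manager_host):
    """Footnotes #1 and #2: View 11-00 or later connects unencrypted only when
    its non-encryption host list names the manager or contains '*'.
    View 10-50 or earlier is always unencrypted. Exact name match is assumed."""
    if parse_version(view["version"]) < (11, 0):
        return True
    return "*" in view["nossl_hosts"] or manager_host in view["nossl_hosts"]

def manager_encrypts(manager):
    """Manager side is encrypted only on 11-00 or later with jp1imcmda in BASESSL."""
    return parse_version(manager["version"]) >= (11, 0) and "jp1imcmda" in manager["basessl"]

def outcome(view, manager):
    """Return 'Y' (encrypted), 'U' (unencrypted) or 'N' (blocked)."""
    plaintext = view_uses_plaintext(view, manager["host"])
    encrypted = manager_encrypts(manager)
    if encrypted and not plaintext:
        return "Y"
    if not encrypted and plaintext:
        return "U"
    return "N"  # one side expects encryption and the other does not

def audit(views, managers):
    """List (view, manager host, outcome) for every pair that is not encrypted."""
    return [(v["name"], m["host"], outcome(v, m))
            for v in views for m in managers if outcome(v, m) != "Y"]

# Constructed sample inventory.
MANAGERS = [
    {"host": "imhost1", "version": "12-10", "basessl": {"jp1imcmda"}},
    {"host": "imhost2", "version": "12-10", "basessl": {"jp1bsuser"}},
    {"host": "imhost3", "version": "10-50", "basessl": set()},
]
VIEWS = [
    {"name": "viewA", "version": "12-10", "nossl_hosts": ["*"]},
    {"name": "viewB", "version": "12-10", "nossl_hosts": []},
    {"name": "viewC", "version": "10-50", "nossl_hosts": []},
]

if __name__ == "__main__":
    for name, host, result in audit(VIEWS, MANAGERS):
        print(f"{name} -> {host}: {'unencrypted' if result == 'U' else 'blocked'}")
```

In this sample, viewA's asterisk entry leaves it unencrypted towards imhost2 and imhost3 and blocked from imhost1, and defining only jp1bsuser on imhost2 does not encrypt View connections.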

(3) Connectivity between JP1/Base (authentication server) and JP1/IM - Manager

The following table shows which encrypted communication between JP1/Base (authentication server) and JP1/IM - Manager is supported.

Table 13‒26: Connectivity between JP1/IM - Manager and JP1/Base (authentication server)

| JP1/Base (authentication server) version | JP1/Base (authentication server) communication encryption function | JP1/IM - Manager 10-50 or earlier (Always disabled) | JP1/IM - Manager 11-00 or later (Disabled) | JP1/IM - Manager 11-00 or later (Enabled (jp1bsuser)#) |
|---|---|---|---|---|
| 10-50 or earlier | Always disabled | U | U | N |
| 11-00 or later | Disabled | U | U | N |
| 11-00 or later | Enabled (jp1bsuser)# | N | N | Y |

Legend:

Y: Encrypted communication is used.

U: Unencrypted communication is used.

N: Communication is blocked.

#

This applies when only jp1bsuser is defined in the BASESSL parameter in the SSL communication definition file in JP1/Base.

(4) Connectivity between JP1/Base (manager host) and JP1/Base (agent host)

For details about the connectivity between JP1/Base (manager host) and JP1/Base (agent host), see the JP1/Base User's Guide.

(5) Connectivity between JP1/IM - Manager and JP1/Base (agent host)

Table 13‒27: Connectivity between JP1/IM - Manager and JP1/Base (agent host)

JP1/IM - Manager (manager host)

JP1/Base (agent host)

Version

Communication encryption function

Version 12-00 or earlier

Version 12-00 or later

Disabled

Enabled#2

(White list available)

Enabled#2

(White list not available)

Disabled

Enabled

12-00 or earlier

Disabled

U

U

U

U

N

Enabled#1

U

U

U

U

N

12-10 or later

Disabled

U

U

U

U

N

Enabled (White list available)#2

U

U

U

U

N

Enabled (White list not available)#2

N

N

N

N

Y

Legend:

Y: Encrypted communication is used.

U: Unencrypted communication is used.

N: Communication is blocked.

#1

This is the case when either jp1imcmda or jp1bsuser is set for the BASESSL parameter in the SSL communication definition file of JP1/Base.

#2

This is the case when jp1bsagent is set for the BASESSL parameter in the SSL communication definition file of JP1/Base.

(6) Connectivity of IM Configuration Management

The table below explains connectivity of the synchronization function for JP1/IM - Manager's IM Configuration Management information. The synchronization function acquires IM configuration (remote configurations) by establishing connection from the integrated manager to base managers. Depending on the versions of the connection-source JP1/IM - Manager and the connection-target JP1/IM - Manager and whether the communication encryption function is enabled, communication is encrypted, unencrypted, or blocked.

Table 13‒28: Connectivity of IM Configuration Management

| Connection-source integrated manager version | Connection-source integrated manager communication encryption function | Connection-target base manager 10-50 or earlier (Always disabled) | Connection-target base manager 11-00 or later (Disabled) | Connection-target base manager 11-00 or later (Enabled (jp1imcmda)#) |
|---|---|---|---|---|
| 10-50 or earlier | Always disabled | U | U | N |
| 11-00 or later | Disabled | U | U | Y |
| 11-00 or later | Enabled (jp1imcmda)# | U | U | Y |

Legend:

Y: Connection can be established for encrypted communication.

U: Connection can be established for unencrypted communication.

N: Connection cannot be established.

#

This applies when jp1imcmda is specified in the BASESSL parameter in the SSL communication definition file in JP1/Base.

(7) Connectivity between JP1/IM - Manager and linked products

When the communication encryption function is enabled, linkage with JP1/Service Support is not supported.

When the communication encryption function is enabled, linkage with JP1/IM - Rule Operation is not supported.