Hitachi

JP1 Version 13 JP1/Integrated Management 3 - Manager Overview and System Design Guide


14.10.7 Communication encryption function setting (enable/disable) and connectivity among product versions

This subsection explains the communication encryption function setting (enable/disable), connectivity among product versions (10-50 or earlier and 11-00 and later), and connectivity with linked products.

Organization of this subsection

(1) Connectivity between JP1/IM - View and JP1/IM - Manager and when the jcochstat command with the -h option specified is executed

(2) Connectivity between JP1/IM - View and JP1/Base (manager host)

(3) Connectivity between JP1/Base (authentication server) and JP1/IM - Manager

(4) Connectivity between JP1/Base (manager host) and JP1/Base (agent host)

(5) Connectivity between JP1/IM - Manager and JP1/Base (agent host)

(6) Connectivity between JP1/IM - Manager and JP1/IM - Agent

(7) Connectivity of IM Configuration Management

(8) Connectivity between JP1/IM - Manager and linked products

(9) TLS 1.3 Support

(10) Connectivity for each format of the server certificate

(1) Connectivity between JP1/IM - View and JP1/IM - Manager and when the jcochstat command with the -h option specified is executed

JP1/IM - View version 11-00 or later checks the non-encryption communication host configuration file to determine whether unencrypted communication is to be established with the connection-target JP1/IM - Manager.

For details about the non-encryption communication host configuration file, see Non-encryption communication host configuration file (nosslhost.conf) in Chapter 2. Definition Files in the JP1/Integrated Management 3 - Manager Command, Definition File and API Reference.

Table 14‒23: Connectivity between JP1/IM - View and JP1/IM - Manager

| JP1/IM - Manager version | JP1/IM - Manager communication encryption function | JP1/IM - View 10-50 or earlier | JP1/IM - View 11-00 or later, unencrypted#1 | JP1/IM - View 11-00 or later, encrypted#2 |
|---|---|---|---|---|
| 10-50 or earlier | Always disabled | U | U | N |
| 11-00 or later | Disabled | U | U | N |
| 11-00 or later | Enabled (jp1imcmda)#3 | N | N | Y |

Legend:

Y: Encrypted communication is used.

U: Unencrypted communication is used.

N: Communication is blocked.

#1

The manager host name in the non-encryption communication host configuration file must be the connection-target JP1/IM - Manager or the asterisk (*).

#2

In the non-encryption communication host configuration file, the manager host names must not include the connection-target JP1/IM - Manager and must not be an asterisk (*).

#3

This applies when jp1imcmda is specified in the BASESSL parameter in the SSL communication definition file in JP1/Base.

The following example shows connectivity when the jcochstat command is executed from JP1/IM - Manager (hostA) to JP1/IM - Manager (hostB) on another manager host.

Table 14‒24: Connectivity when the jcochstat command with the -h option specified is executed

| JP1/IM - Manager (hostA) version | hostA communication encryption function | JP1/IM - Manager (hostB) 10-50 or earlier, always disabled | hostB 11-00 or later, disabled | hostB 11-00 or later, enabled (jp1imcmda)#1 |
|---|---|---|---|---|
| 10-50 or earlier | Always disabled | U | U | N |
| 11-00 or later | Disabled | U | U | N |
| 11-00 or later | Enabled (jp1imcmda)#1 | N | N | Y#2 |

Legend:

Y: Encrypted communication is used and the jcochstat command executes successfully.

U: Unencrypted communication is used and the jcochstat command executes successfully.

N: Communication is blocked and execution of the jcochstat command fails.

#1

This applies when jp1imcmda is specified in the BASESSL parameter in the SSL communication definition file in JP1/Base.

#2

The following prerequisites must be satisfied:

• The root certificate from the root certification authority corresponding to the server certificate of the JP1/IM - Manager that is specified in the -h option must be placed on the manager host on which the jcochstat command is executed. If this root certificate is not available, the jcochstat command fails because encrypted communication cannot be established.

• The manager host name specified in the -h option must be the host name specified for the CN or SAN in the server certificate of that manager host. If the correct manager host name is not specified, the jcochstat command fails because encrypted communication cannot be established. For details about verification of host names (CN and SAN) in server certificates, see 14.10.4(2) Verifying host names (CN and SAN) in server certificates.

If you enable the communication encryption function on the manager host on which the jcochstat command is executed and on the manager host that is specified in the -h option of the jcochstat command, you can use the jcochstat command to change the response status of JP1/IM - Manager (other hosts). Note that this functionality for using the jcochstat command to change the response status of JP1/IM - Manager (other hosts) is for compatibility with version 6.

(2) Connectivity between JP1/IM - View and JP1/Base (manager host)

Table 14‒25: Connectivity between JP1/IM - View and JP1/Base (manager host)

| JP1/Base (manager host) version | JP1/Base communication encryption function | JP1/IM - View 10-50 or earlier | JP1/IM - View 11-00 or later, unencrypted#1 | JP1/IM - View 11-00 or later, encrypted#2 |
|---|---|---|---|---|
| 10-50 or earlier | Always disabled | U | U | N |
| 11-00 or later | Disabled | U | U | N |
| 11-00 or later | Enabled (jp1imcmda)#3 | N | N | Y |
| 11-00 or later | Enabled (jp1bsuser)#4 | U | U | N |
| 11-00 or later | Enabled (jp1imcmda, jp1bsuser)#5 | N | N | Y |

Legend:

Y: Encrypted communication is used.

U: Unencrypted communication is used.

N: Communication is blocked.

#1

The manager host name in the non-encryption communication host configuration file must be the connection-target JP1/IM - Manager or an asterisk (*).

#2

In the non-encryption communication host configuration file, the manager host names must not include the connection-target JP1/IM - Manager and must not be an asterisk (*).

#3

This applies when only jp1imcmda is defined in the BASESSL parameter in the SSL communication definition file in JP1/Base.

#4

This applies when only jp1bsuser is defined in the BASESSL parameter in the SSL communication definition file in JP1/Base.

#5

This applies when jp1imcmda and jp1bsuser are defined in the BASESSL parameter in the SSL communication definition file in JP1/Base.

(3) Connectivity between JP1/Base (authentication server) and JP1/IM - Manager

The following table shows which combinations support encrypted communication between JP1/Base (authentication server) and JP1/IM - Manager.

Table 14‒26: Connectivity between JP1/IM - Manager and JP1/Base (authentication server)

| JP1/Base (authentication server) version | JP1/Base communication encryption function | JP1/IM - Manager 10-50 or earlier, always disabled | JP1/IM - Manager 11-00 or later, disabled | JP1/IM - Manager 11-00 or later, enabled (jp1bsuser)# |
|---|---|---|---|---|
| 10-50 or earlier | Always disabled | U | U | N |
| 11-00 or later | Disabled | U | U | N |
| 11-00 or later | Enabled (jp1bsuser)# | N | N | Y |

Legend:

Y: Encrypted communication is used.

U: Unencrypted communication is used.

N: Communication is blocked.

#

This applies when only jp1bsuser is defined in the BASESSL parameter in the SSL communication definition file in JP1/Base.

(4) Connectivity between JP1/Base (manager host) and JP1/Base (agent host)

For details about the connectivity between JP1/Base (manager host) and JP1/Base (agent host), see the JP1/Base User's Guide.

(5) Connectivity between JP1/IM - Manager and JP1/Base (agent host)

Table 14‒27: Connectivity between JP1/IM - Manager and JP1/Base (agent host)

| JP1/IM - Manager (manager host) version | Communication encryption function | JP1/Base (agent host) 12-00 or earlier: Disabled | 12-00 or earlier: Enabled#2 (White list available) | 12-00 or earlier: Enabled#2 (White list not available) | 12-00 or later: Disabled | 12-00 or later: Enabled |
|---|---|---|---|---|---|---|
| 12-00 or earlier | Disabled | U | U | U | U | N |
| 12-00 or earlier | Enabled#1 | U | U | U | U | N |
| 12-10 or later | Disabled | U | U | U | U | N |
| 12-10 or later | Enabled (White list available)#2 | U | U | U | U | N |
| 12-10 or later | Enabled (White list not available)#2 | N | N | N | N | Y |

Legend:

Y: Encrypted communication is used.

U: Unencrypted communication is used.

N: Communication is blocked.

#1

This is the case when either jp1imcmda or jp1bsuser is set for the BASESSL parameter in the SSL communication definition file of JP1/Base.

#2

This is the case when jp1bsagent is set for the BASESSL parameter in the SSL communication definition file of JP1/Base.

(6) Connectivity between JP1/IM - Manager and JP1/IM - Agent

Table 14‒28: Connectivity between JP1/IM - Manager and JP1/IM - Agent

| JP1/IM - Manager version | JP1/IM - Manager communication encryption function | JP1/IM - Agent 13-00 or later, enabled | JP1/IM - Agent 13-00 or later, disabled |
|---|---|---|---|
| 13-00 or later | Enabled | E | N# |
| 13-00 or later | Disabled | N# | U |

Legend:

E: Encrypted communication is used.

U: Unencrypted communication is used.

N: Communication is blocked.

#

When using the communication encryption function, enable all the communication encryption settings of JP1/IM - Manager and JP1/IM - Agent (JP1/IM agent management base).

Note that if some of the settings are disabled, some of the communication might not be encrypted or communication may fail.

(7) Connectivity of IM Configuration Management

The table below explains connectivity of the synchronization function for JP1/IM - Manager's IM Configuration Management information. The synchronization function acquires IM configuration (remote configurations) by establishing connection from the integrated manager to base managers. Depending on the versions of the connection-source JP1/IM - Manager and the connection-target JP1/IM - Manager and whether the communication encryption function is enabled, communication is encrypted, unencrypted, or blocked.

Table 14‒29: Connectivity of IM Configuration Management

| JP1/IM - Manager (connection-source integrated manager) version | Communication encryption function | JP1/IM - Manager (connection-target base manager) 10-50 or earlier, always disabled | Base manager 11-00 or later, disabled | Base manager 11-00 or later, enabled (jp1imcmda)# |
|---|---|---|---|---|
| 10-50 or earlier | Always disabled | U | U | N |
| 11-00 or later | Disabled | U | U | Y |
| 11-00 or later | Enabled (jp1imcmda)# | U | U | Y |

Legend:

Y: Connection can be established for encrypted communication.

U: Connection can be established for unencrypted communication.

N: Connection cannot be established.

#

This applies when jp1imcmda is specified in the BASESSL parameter in the SSL communication definition file in JP1/Base.

(8) Connectivity between JP1/IM - Manager and linked products

The following table shows the connectivity between JP1/Service Support and JP1/IM - Manager.

Table 14‒30: Connectivity between JP1/Service Support and JP1/IM - Manager

| JP1/Service Support version | JP1/Service Support communication encryption function | JP1/IM - Manager version | Incident registration mode# | Communication |
|---|---|---|---|---|
| | Disabled | 10-10 or later | 1, 2, or 3 | U |
| | Enabled | 10-10 or later | 1, 2, or 3 | E |
| 11-50 or later, before 12-00 | Always disabled | 09-50 or later | 1, 2, or 3 | U |

Legend:

E: Connection is encrypted.

U: Connection is unencrypted.

#

You can switch the incident registration mode by setting a value in the SS_MODE parameter in the definition file for manually registering incidents.

For details about the definition file for manually registering incidents (incident.conf), see Definition file for manually registering incidents (incident.conf) in Chapter 2. Definition Files in the JP1/Integrated Management 3 - Manager Command, Definition File and API Reference.

(9) TLS 1.3 Support

The SSL communication protocol version can be TLS 1.2 or TLS 1.3. The following table shows connectivity for each TLS version.

The JP1/Base default is TLS 1.2.

Table 14‒31: Version-specific connectivity for TLS

Server-side TLS versioning#1 (columns): JP1/IM - Manager 13-00 or later set to TLS 1.3 and TLS 1.2, to TLS 1.3, or to TLS 1.2; JP1/IM - Manager 12-50 or earlier (TLS 1.2).

Client side (rows, with the results given for that client):

• JP1/IM - Manager, JP1/IM - View, 13-00 or later: TLS 1.3#2 / TLS 1.2#3

• JP1/IM - Manager, JP1/IM - View, 12-50 or earlier: TLS 1.2#4 / Communication disabled#5

• JP1/IM - Agent, 13-00 or later: TLS 1.3#2 / TLS 1.2#4 / Communication disabled#5

#1

Indicates the setting of the SSLPROTOCOL parameter in the SSL communication definition file of JP1/Base.

#2

TLS 1.3, as set on the server side, is used.

#3

TLS 1.2, as set on the server side, is used.

#4

Because the client side does not support TLS 1.3, TLS 1.2 from the server-side settings is used.

#5

Communication fails because the client side does not support TLS 1.3.

(10) Connectivity for each format of the server certificate

The communication encryption function allows RSA-format and ECC-format certificates to be used as server certificates. The authentication method used between the client and the server is determined by the format of the server-side certificate. The following table shows the authentication method used for each server-side certificate format.

Server-side certificate format (columns): JP1/IM - Manager 13-00 or later with an ECC certificate; JP1/IM - Manager 13-00 or later with an RSA certificate; JP1/IM - Manager 12-50 or earlier with an RSA certificate.

Client side (rows):

• JP1/IM - Manager, JP1/IM - View, 13-00 or later: ECC certificate, ECC; RSA certificate, RSA; 12-50 or earlier (RSA certificate), RSA

• JP1/IM - Manager, JP1/IM - View, 12-50 or earlier: Unsupported#

• JP1/IM - Agent, 13-00 or later: ECC

#: Although this combination is not supported, it is not blocked programmatically, so encrypted communication using the ECC-format authentication method can be established.
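The jcochstat prerequisites in (1) (a root certificate on the client host, and a requested host name that matches the CN/SAN of the server certificate), the version negotiation in Table 14‒31, and the certificate-format rule in (10) are all ordinary TLS behaviour that can be exercised without any JP1 component. The Go program below is an added example written for this page; it is not Hitachi code and does not model the internals of JP1/Base's SSL implementation. Go's crypto/tls stands in for both endpoints, a self-signed certificate generated in-process stands in for the server certificate and its root, the server's MinVersion/MaxVersion play the role of the SSLPROTOCOL setting, and the host name "manager", the Case struct and the functions configsFor, handshake and Run are this example's own assumptions. Each Case is one cell of the tables: a TLS 1.3-only server with a client that stops at TLS 1.2 fails the handshake (the "Communication disabled" cell), a server allowing both versions with such a client settles on TLS 1.2, an RSA certificate yields RSA authentication and an ECC certificate ECDSA, and a client that asks for the wrong host name or lacks the root certificate cannot connect at all.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// configsFor generates a throwaway self-signed certificate whose SAN is host
// (keyType "ecc": ECDSA P-256, otherwise RSA-2048) and returns a server config
// that presents it and a client config that trusts it and asks for host.
func configsFor(host, keyType string) (*tls.Config, *tls.Config) {
	var key crypto.Signer
	var err error
	if keyType == "ecc" {
		key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	} else {
		key, err = rsa.GenerateKey(rand.Reader, 2048)
	}
	must(err)
	tmpl := &x509.Certificate{ // constructed test material, not a certificate issued for a JP1 host
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	must(err)
	leaf, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool() // stands in for the root certificate placed on the client host
	roots.AddCert(leaf)
	srv := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}}}
	return srv, &tls.Config{RootCAs: roots, ServerName: host}
}

// handshake runs one TLS handshake over loopback TCP and returns the client's
// view of the session and the first error either side reported.
func handshake(srv, cli *tls.Config) (tls.ConnectionState, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	errc := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		must(err)
		defer conn.Close()
		errc <- tls.Server(conn, srv).Handshake()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	must(err)
	defer raw.Close()
	c := tls.Client(raw, cli)
	err = c.Handshake()
	if serr := <-errc; err == nil {
		err = serr
	}
	return c.ConnectionState(), err
}

// Case is one cell of the connectivity tables: what the server offers and what the client supports, asks for and trusts.
type Case struct {
	KeyType              string // server certificate format: "ecc" or "rsa"
	ServerMin, ServerMax uint16 // versions the server accepts (role of SSLPROTOCOL); 0 = Go default
	ClientMax            uint16 // highest version the client supports; 0 = TLS 1.3
	RequestedHost        string // host name the client asks for, as with jcochstat -h
	TrustRoot            bool   // the server's root certificate is present on the client host
}

// Run plays one Case against a server named "manager" and returns the negotiated
// version and the key algorithm that authenticated the server (x509.ECDSA for an
// ECC certificate, x509.RSA for an RSA one), or the error that blocked the session.
func Run(c Case) (uint16, x509.PublicKeyAlgorithm, error) {
	srv, cli := configsFor("manager", c.KeyType)
	srv.MinVersion, srv.MaxVersion, cli.MaxVersion, cli.ServerName = c.ServerMin, c.ServerMax, c.ClientMax, c.RequestedHost
	if !c.TrustRoot {
		cli.RootCAs = x509.NewCertPool() // no root certificate on the client host: verification fails
	}
	st, err := handshake(srv, cli)
	if err != nil {
		return 0, 0, err
	}
	return st.Version, st.PeerCertificates[0].PublicKeyAlgorithm, nil
}

func main() { fmt.Println(Run(Case{KeyType: "rsa", ServerMin: tls.VersionTLS13, ClientMax: tls.VersionTLS12, RequestedHost: "manager", TrustRoot: true})) }
```

Run reports the negotiated version as the crypto/tls constant and the authenticating key algorithm as the crypto/x509 constant, so each table cell becomes one comparison; the blocked cells show up as handshake errors, which is how a real client sees a version mismatch, a missing root or a host name that is not in the certificate.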