2.7 JP1/AJS3 security considerations
This section describes security measures for the safe use of JP1/AJS3.
As security measures, we recommend that you use firewalls and JP1/AJS3 functions that prevent access from unauthorized users and prevent the execution of jobs from unintended hosts.
The figure and table below show an example of measures taken to prevent access by unauthorized users. The numbers in the figure correspond to the numbers in the table.
| No | Operation from unauthorized user | Protective measure | Description |
|---|---|---|---|
| 1 | Access from outside the company | Firewall | Placing a firewall prevents access from unauthorized users. For details about the firewall, see 2.3.2 Firewall and communication basics. |
| 2 | Access from outside the company | Placement of DMZ | By placing the Web Console server in the DMZ, users can access the JP1/AJS3 system safely from a LAN outside the company. |
| 3 | Eavesdropping on communication data | Encryption of communication paths | Messages are encrypted by using technologies such as VPN and SSL. The Web GUI also supports HTTPS communication. For details about communication encryption with SSL, see 2.3.6 Encryption of JP1/AJS3 communications with SSL. |
| 4 | Login from inside the company | Restrictions on physical access to machines | Consider the locations of the machines to restrict physical access. |
| 5 | Login from inside the company | Proper management of OS users | Manage OS user accounts properly so that general users without administrator permissions are not permitted to log in to manager hosts. Do not assign OS users permissions other than those necessary for executing a job. |
| 6 | Login from inside the company | Proper management of JP1 users | Manage JP1 user accounts properly. In particular, change the initial password for the JP1 user jp1admin. Add JP1 users only when necessary, and set appropriate permissions for each JP1 user. |
| 7 | Login from inside the company | Connection source restrictions in JP1/AJS3 | Use a JP1/AJS3 function to limit the hosts that can access manager hosts or agent hosts. For details, see 2.3.9 Restricting hosts that can access JP1/AJS3. |
| 8 | Login from inside the company | Proper management of embedded database administrators | Manage accounts for embedded database administrators properly and change the passwords for them. For details about how to do this, see B. Notes on Using the Embedded-Database Commands in the manual JP1/Automatic Job Management System 3 Command Reference. |
| 9 | Unauthorized use of the JP1/AJS3 - View login history | Preventing the login history from being displayed | Using a JP1/AJS3 function, you can prevent the previously used JP1 login user names and the names of previously connected hosts from appearing on the Login screen of JP1/AJS3 - View. By hiding previously used login information, you can prevent unauthorized users from logging in to the system by using valid JP1 user names. For details, see 11.2.6 Preventing the history of previously used login user and connected host names from appearing on the Login screen in the JP1/Automatic Job Management System 3 Operator's Guide. We recommend that you disable the predictive conversion functionality of character input software such as IMEs. If this functionality is enabled, suggestions might be displayed when a user is inputting information in User name, Password, or Host to connect, even though previously used login information is set to be hidden. |