OMS_ACCESS - UACL Entry

Description

An OMS_ACCESS UACL entry controls from which TCP/IP addresses clients are permitted to establish a TCP/IP connection with the OMS server.

Usage

Method

Syntax

IBM i

HP NonStop

UNIX

Windows

z/OS

UACL File Keyword

oms_access host,access,certrule



(tick)

(tick)


Values

Valid values for access are

  • allow to allow access to the OMS server.
  • deny to deny access to OMS server.

Refer to UACL Entries for details on host specification.

Default is allow.


Valid values for certrule are:

  • cert - When access is allow, the connect is initially accepted but subject to OMS_CERT_ACCESS evaluation.
  • nocert - Access is governed by host matching rather than client certificate presentation.

Default is nocert.

Examples

Scenario 1

The following example grants access to any OMS client (e.g., UAG Server) with an IP address of 10.20.30.40, provided that client did not provide an X.509 certificate. It will refuse all other connection requests from clients that do not present a certificate. (With no encoded ,cert rules, connections from clients that provide X.509 certificates are permitted access by default.)

oms_access

10.20.30.40,allow

oms_access

ALL,deny


Scenario 2

The following example conditionally grants access to any OMS client (e.g., UAG Server) with an IP address of 10.20.30.40 that presents an X.509 certificate. Before accepting the connection, OMS Server will look for a matching CERT_MAP entry and use its certid value to evaluate the OMS_CERT_ACCESS rules.

oms_access

10.20.30.40,allow,cert

Scenario 2a

Given the following CERT_MAP and OMS_CERT_ACCESS entries, OMS Server will accept the above connection.

  • OMS will see that the cert_map entry S2A matches the incoming client request
  • OMS will apply the OMS_CERT_ACCESS rule with the S2A id, which grants access to client connection requests originating from 10.20.30.40
cert_mapid=S2A,ipaddress=10.20.30.40
oms_cert_accessS2A,allow
oms_cert_access*,deny
Scenario 2b

Given the following CERT_MAP and OMS_CERT_ACCESS entries, OMS Server will reject the above connection.

  • OMS will fail to find a cert_map entry that matches the incoming client certificate's information
  • OMS will apply the global OMS_CERT_ACCESS rule which rejects all connection requests from clients whose certificate information does not match a cert_map entry
cert_mapid=S2A,ipaddress=10.20.40.50
oms_cert_accessS2A,allow
oms_cert_access*,deny

Scenario 3

The following example is functionality equivalent to Scenario 1, above.

oms_access

10.20.30.40,allow,nocert

Scenario 4

For a more detailed example, consider the following UACL entries:

1oms_access10.20.30.40,allow,nocert
2oms_accessall,allow,cert
3oms_accessall,deny,nocert
1oms_cert_accessS4,allow
2oms_cert_access*,deny
1cert_mapid=S4,ipaddress=10.20.30.40
Scenario 4a

A client with a reported IP address of 10.20.30.40 attempts to connect to OMS Server and that client does not provide an X.509 certificate.

Result: OMS Server grants the connection using oms_access rule 1.

Scenario 4b

A client with a reported IP address of 10.20.40.50 attempts to connect to OMS Server and that client does not provide an X.509 certificate.

Result: OMS Server rejects the connection using oms_access rule 3.

Scenario 4c

A client with a reported IP address of 10.20.40.50 attempts to connect to OMS Server. That client presentsĀ an X.509 certificate to OMS.

In this case:

  • OMS Server will first evaluate oms_access rules with a certrule value of cert.
  • OMS Server will conditionally accept the condition based on oms_access rule 2.
  • OMS Server will use the information to the client certificate to locate a matching cert_map entry.
  • No matching cert_map entry exists, OMS Server proceeds to the next oms_cert_access entry.

Result: OMS Server rejects the connection using oms_cert_access rule 2.

Scenario 4d

A client with a reported IP address of 10.20.30.40 attempts to connect to OMS Server. That client presentsĀ an X.509 certificate to OMS.

In this case:

  • OMS Server will first evaluate oms_access rules with a certrule value of cert.
  • OMS Server will conditionally accept the condition based on oms_access rule 2.
  • OMS Server will use the information to the client certificate to locate a matching cert_map entry.
  • The cert_map rule is a match.
  • OMS Server uses the cert_map's id value to locate a matching oms_cert_access entry.

Result: OMS Server accepts the connection using oms_cert_access rule 1.

Default

oms_access

ALL,allow.nocert