OMS_ACCESS - UACL Entry
Description
An OMS_ACCESS UACL entry controls from which TCP/IP addresses clients are permitted to establish a TCP/IP connection with the OMS server.
Usage
Method | Syntax | IBM i | HP NonStop | UNIX | Windows | z/OS |
UACL File Keyword | oms_access host,access,certrule |
Values
Valid values for access are:
- allow to allow access to the OMS server.
- deny to deny access to the OMS server.
Refer to UACL Entries for details on host specification.
Default is allow.
Valid values for certrule are:
- cert - The entry applies to clients that present an X.509 client certificate. When access is allow, the connection is initially accepted but remains subject to OMS_CERT_ACCESS evaluation.
- nocert - The entry applies to clients that do not present a client certificate; access is decided by host matching alone.
Default is nocert.
Examples
Scenario 1
The following example grants access to any OMS client (e.g., UAG Server) with an IP address of 10.20.30.40, provided that the client does not present an X.509 certificate, and refuses all other connection requests from clients that do not present a certificate. (With no ,cert entries coded, connections from clients that do present an X.509 certificate are permitted by default.)
oms_access | 10.20.30.40,allow |
oms_access | ALL,deny |
Scenario 2
The following example conditionally grants access to any OMS client (e.g., UAG Server) with an IP address of 10.20.30.40 that presents an X.509 certificate. Before accepting the connection, OMS Server will look for a matching CERT_MAP entry and use its certid value to evaluate the OMS_CERT_ACCESS rules.
oms_access | 10.20.30.40,allow,cert |
Scenario 2a
Given the following CERT_MAP and OMS_CERT_ACCESS entries, OMS Server will accept the above connection.
- OMS will see that the cert_map entry S2A matches the incoming client request
- OMS will apply the OMS_CERT_ACCESS rule with the S2A id, which grants access to client connection requests originating from 10.20.30.40
cert_map | id=S2A,ipaddress=10.20.30.40 |
oms_cert_access | S2A,allow |
oms_cert_access | *,deny |
Scenario 2b
Given the following CERT_MAP and OMS_CERT_ACCESS entries, OMS Server will reject the above connection.
- OMS will fail to find a cert_map entry that matches the incoming client certificate's information
- OMS will apply the global OMS_CERT_ACCESS rule which rejects all connection requests from clients whose certificate information does not match a cert_map entry
cert_map | id=S2A,ipaddress=10.20.40.50 |
oms_cert_access | S2A,allow |
oms_cert_access | *,deny |
Scenario 3
The following example is functionally equivalent to Scenario 1, above, since nocert is the default certrule value.
oms_access | 10.20.30.40,allow,nocert |
Scenario 4
For a more detailed example, consider the following UACL entries:
1 | oms_access | 10.20.30.40,allow,nocert |
2 | oms_access | all,allow,cert |
3 | oms_access | all,deny,nocert |
1 | oms_cert_access | S4,allow |
2 | oms_cert_access | *,deny |
1 | cert_map | id=S4,ipaddress=10.20.30.40 |
Scenario 4a
A client with a reported IP address of 10.20.30.40 attempts to connect to OMS Server and that client does not provide an X.509 certificate.
Result: OMS Server grants the connection using oms_access rule 1.
Scenario 4b
A client with a reported IP address of 10.20.40.50 attempts to connect to OMS Server and that client does not provide an X.509 certificate.
Result: OMS Server rejects the connection using oms_access rule 3.
Scenario 4c
A client with a reported IP address of 10.20.40.50 attempts to connect to OMS Server. That client presents an X.509 certificate to OMS.
In this case:
- OMS Server will first evaluate oms_access rules with a certrule value of cert.
- OMS Server will conditionally accept the connection based on oms_access rule 2.
- OMS Server will use the information from the client certificate to locate a matching cert_map entry.
- No matching cert_map entry exists, so no id is available to match oms_cert_access rule 1; OMS Server falls through to the global oms_cert_access entry.
Result: OMS Server rejects the connection using oms_cert_access rule 2.
Scenario 4d
A client with a reported IP address of 10.20.30.40 attempts to connect to OMS Server. That client presents an X.509 certificate to OMS.
In this case:
- OMS Server will first evaluate oms_access rules with a certrule value of cert.
- OMS Server will conditionally accept the connection based on oms_access rule 2.
- OMS Server will use the information from the client certificate to locate a matching cert_map entry.
- The cert_map entry with id S4 is a match.
- OMS Server uses the cert_map entry's id value (S4) to locate a matching oms_cert_access entry.
Result: OMS Server accepts the connection using oms_cert_access rule 1.
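The following Python is an added worked example, not Stonebranch code, that models the evaluation order described in Scenarios 1 through 4 and replays each connection attempt against the Scenario 4 rule set. It assumes, beyond what the page states, that entries are evaluated in file order with the first match winning, that a host specification is either an exact IP address or the ALL wildcard, that cert_map entries are matched only on the ipaddress field shown on this page, and (following the Scenario 1 note) that a connection with no applicable entry is allowed. The function and scenario names are illustrative.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class OmsAccess:
    host: str        # IP address or ALL
    access: str      # allow | deny
    certrule: str    # cert | nocert


@dataclass
class CertMap:
    id: str          # value used as certid by oms_cert_access
    ipaddress: str   # the only match field shown on this page (assumption)


@dataclass
class OmsCertAccess:
    certid: str      # cert_map id, or * for the global rule
    access: str      # allow | deny


def parse_oms_access(value: str) -> OmsAccess:
    """Parse 'host,access[,certrule]' as it appears in the UACL file.

    certrule defaults to nocert, as the page states.  Rejects malformed
    entries such as 'ALL,allow.nocert' (period instead of comma).
    """
    parts = [p.strip().lower() for p in value.split(",")]
    if len(parts) == 2:
        parts.append("nocert")
    if len(parts) != 3:
        raise ValueError(f"bad oms_access entry: {value!r}")
    host, access, certrule = parts
    if access not in ("allow", "deny") or certrule not in ("cert", "nocert"):
        raise ValueError(f"bad oms_access entry: {value!r}")
    return OmsAccess(host, access, certrule)


def host_matches(pattern: str, ip: str) -> bool:
    # Assumption: exact IP match or the ALL wildcard.
    return pattern.lower() == "all" or pattern == ip


def evaluate(ip, has_cert, oms_access, cert_map, oms_cert_access):
    """Decide one connection attempt; returns (decision, reason)."""
    wanted = "cert" if has_cert else "nocert"
    for n, rule in enumerate(oms_access, 1):
        # Only entries whose certrule matches the client's situation count.
        if rule.certrule != wanted or not host_matches(rule.host, ip):
            continue
        if rule.access == "deny":
            return "deny", f"oms_access rule {n}"
        if not has_cert:
            return "allow", f"oms_access rule {n}"
        # ,cert entry: provisional accept, then CERT_MAP -> OMS_CERT_ACCESS.
        certid = next((m.id for m in cert_map if m.ipaddress == ip), None)
        for k, car in enumerate(oms_cert_access, 1):
            if car.certid == "*" or (certid is not None and car.certid == certid):
                return car.access, f"oms_access rule {n} then oms_cert_access rule {k}"
        return "allow", f"oms_access rule {n}, no oms_cert_access entry (assumed allow)"
    # Assumption taken from the Scenario 1 note: no applicable entry means allow.
    return "allow", "no matching oms_access entry (assumed allow)"


# Scenario 1 entries from the page: no ,cert entries at all.
SCENARIO1_OMS_ACCESS = [parse_oms_access("10.20.30.40,allow"), parse_oms_access("ALL,deny")]

# Scenario 4 entries from the page.
SCENARIO4_OMS_ACCESS = [parse_oms_access(v) for v in
                        ("10.20.30.40,allow,nocert", "all,allow,cert", "all,deny,nocert")]
SCENARIO4_CERT_MAP = [CertMap("S4", "10.20.30.40")]
SCENARIO4_OMS_CERT_ACCESS = [OmsCertAccess("S4", "allow"), OmsCertAccess("*", "deny")]


def scenario1(ip: str, has_cert: bool):
    return evaluate(ip, has_cert, SCENARIO1_OMS_ACCESS, [], [])


def scenario4(ip: str, has_cert: bool):
    return evaluate(ip, has_cert, SCENARIO4_OMS_ACCESS, SCENARIO4_CERT_MAP, SCENARIO4_OMS_CERT_ACCESS)


if __name__ == "__main__":
    for label, ip, cert in (("4a", "10.20.30.40", False), ("4b", "10.20.40.50", False),
                            ("4c", "10.20.40.50", True), ("4d", "10.20.30.40", True)):
        print(label, ip, "cert" if cert else "nocert", "->", scenario4(ip, cert))
```

Running the model over Scenario 1 shows why Scenario 4 pairs all,allow,cert with a global *,deny oms_cert_access entry: with only nocert entries coded, an ALL,deny entry blocks unauthenticated clients but, per the Scenario 1 note, a client that presents any X.509 certificate is still permitted. The same holds for the shipped default entry (ALL,allow,nocert): it admits every address that does not present a certificate, so a production OMS Server should replace it with explicit host and certificate rules.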
Default
oms_access | ALL,allow,nocert |