UCTL_REQUEST - UCTL UACL entry
Description
A UCTL_REQUEST UACL entry allows or denies access to Universal Control Server services based on client identification and request type.
If access is permitted, the UCTL_REQUEST also specifies whether or not user authentication is required.
There are two forms of the UCTL_REQUEST entry based on the client identification method:
- uctl_request form is for IP-based client identification.
- uctl_cert_request is for X.509 certificate-based client identification.
A uctl_request UACL entry is matched if all of the following occur:
- Request comes from an IP address identified by host.
- Remote end is executing as user remote_user.
- Remote user is requesting to execute a command as local user local_user.
A uctl_cert_request UACL entry is matched if both of the following occur:
- Request comes from a client with a certificate identifier of certid.
- Remote user is requesting to execute a command as local user local_user.
The first matching rule is used to control access.
Usage
Method | Syntax | IBM i | UNIX | Windows | z/OS |
UACL File Keyword | uctl_request host,remote_user,local_user,req_type,req_name,access,auth uctl_cert_request certid,local_user,req_type,req_name,access,auth |
|
|
|
|
Values
req_type specifies what type of request the Manager is requesting.
req_name further qualifies the request. The value of req_name, which depends on the value of req_type, is defined for each req_type below.
Valid values for req_type are:
- refresh
Manager request is for the refresh of an active component's configuration. req_name is a type of component, as specified in each component's definition. Not all component types can have their configurations refreshed from Universal Control.
Note
refresh does not include a Universal Broker REFRESH command, which is not processed by any UACL entry.
- start
Manager is requesting the start of the component.
req_name is the type of component which corresponds to an installed component definition. Not all components can be started from Universal Control. - stop
Manager is requesting component termination.
req_name value is blank.
See Universal Access Control List (UACL) for details on host, remote_user, local_user, and certid specification syntax.
Valid values for access are:
- deny
Service is denied. A message is returned to the remote end. The connection is closed. - allow
Service is accepted and processed.
Valid values for auth are:
- auth
Local user account must be authenticated. The Manager must provide a proper password for the account. - noauth
User ID provided by the Manager does not have to match the user process being stopped.
IBM i, UNIX, z/OS
Additionally, noauth specifies that the local user account does not require user authentication. The Manager still must supply a password to satisfy command syntax rules, but it will not be verified. Any password value will suffice.
Note
noauth should be used with care. Turning off user authentication may violate your local security policies on the Server system.