JANUS CLSOCK
Latest revision as of 20:25, 6 December 2016
Defines rules for a Janus socket client
The JANUS CLSOCK command defines the rules for a Janus Sockets client CLSOCK or DEBUGGERCLIENT port. These rules control access to the port. System administrators always have access to a client port, so no CLSOCK rules are required to provide socket access to these users.
The JANUS CLSOCK command is slightly different from most Janus commands in that it usually takes a set of commands to fully specify the rules for a port. For instance, it may take a number of commands to specify the various users and applications that may use a port on the socket-connection $function $Sock_Conn or Socket class method New.
The order in which JANUS CLSOCK commands are specified also affects how they are processed.
Syntax
JANUS CLSOCK portname rule_type [optional_parameters]
Where:
Parameter | Description
---|---
portname | A 1 - 30 character name of the port, or a pattern specifying a set of ports, for which the rule is being defined. Wildcards are allowed.
rule_type | The type of rule being specified for the port or ports. The valid rule_type values are ALLOW and DISALLOW.
optional_parameters | These parameters vary with the rule_type value. See JANUS CLSOCK rule types, below.
Usage notes
- The ALLOW and DISALLOW rules are processed together, from most recent to oldest. The optional parameters allowed for the JANUS CLSOCK command depend on the rule_type value. The rule types are shown below, followed by a section giving examples and showing the interaction of JANUS CLSOCK commands.
- The JANUS CLSOCK and JANUS SRVSOCK commands differ from the corresponding rules available with the JANUS WEB command in the following ways:
  - JANUS WEB does not allow any optional parameters (for example, USGROUP on the DISALLOW rule).
  - The default access for WEBSERV non-SSL ports and SRVSOCK ports is ALLOW. The default access for WEBSERV SSL ports and CLSOCK and DEBUGGERCLIENT ports is DISALLOW.
  - ALLOW and DISALLOW are the only rule types for JANUS CLSOCK and JANUS SRVSOCK. There are a number of other rule types for JANUS WEB.
Examples
This is a simple port definition deck that allows connections to any remote site:
JANUS FORCE CLSOCK
JANUS DELETE CLSOCK
JANUS DEFINE CLSOCK * CLSOCK 5 TIMEOUT 240 REMOTE * * MASTER
JANUS CLSOCK CLSOCK ALLOW REMOTE * *
JANUS START CLSOCK
Here is a similar port definition deck enhanced to support SSL connections (the SSL 0 option) to any remote port for any valid user (the ALLOW rules). The ADDCA rule at the end supports connections to ports that are secured with "unrecognized" SSL certificates; typically these are self-signed certificates created with the Rocket JANSSL application.
JANUS FORCE CLSOCK
JANUS DELETE CLSOCK
JANUS DEFINE CLSOCK * CLSOCK 5 TIMEOUT 240 REMOTE * * MASTER SSL 0 SSLOPT -
    SSLMAXCERTL 4096 SSLBSIZE 32767
JANUS CLSOCK CLSOCK ALLOW
JANUS CLSOCK CLSOCK ALLOW REMOTE * *
JANUS START CLSOCK
JANUS ADDCA CLSOCK JANWEB LOCALLY.SIGNED.CERT
JANUS CLSOCK rule types
JANUS CLSOCK ALLOW
The JANUS CLSOCK ALLOW command indicates a combination of conditions which, if all satisfied, allow either of these:
- A socket-connection $function $Sock_Conn or Socket class method New invocation to access the CLSOCK ports that match pattern portname.
- A TN3270 Debugger user to access the DEBUGGERCLIENT ports that match pattern portname.
The default access for all CLSOCK and DEBUGGERCLIENT ports is to disallow all access; the exception is that system administrators can access any such port, regardless of rules (since a system administrator can always issue JANUS CLSOCK to grant access to herself).
For a non-system administrator, access to a CLSOCK or DEBUGGERCLIENT port depends on the most recent rule for that port that matches the conditions of the $Sock_Conn or New method call, or Sirius Debugger SIRIUS DEBUG ON command:
- If the conditions match all clauses on a JANUS CLSOCK ALLOW rule, access to the port is allowed.
- If the conditions match all clauses on a JANUS CLSOCK DISALLOW rule, access to the port is disallowed.
- If the conditions match neither an ALLOW nor DISALLOW rule, access to the port is disallowed.
If the JANUS CLSOCK ALLOW command is specified with no optional parameters, access to the CLSOCK or DEBUGGERCLIENT ports that match the pattern in portname is unrestricted.
Syntax
JANUS CLSOCK portname ALLOW -
    [NONE] | [USER userid | USGROUP usgroup] -
    [FILE procfile] -
    [PROC procname] -
    [SUBSYS subsysname] -
    [REMOTE rmt_host rmt_portnum]
The optional parameters for the JANUS CLSOCK ALLOW command are:
Parameter | Description
---|---
NONE | Indicates that no access is allowed to portname. If NONE is specified, no other optional parameters may be specified.
USER userid | Indicates that the Model 204 user ID userid may issue a $Sock_Conn or a New method call or a SIRIUS DEBUG ON command for portname. For example, if userid is The USER parameter cannot be specified if the USGROUP parameter is specified.
USGROUP usgroup | Indicates that a Model 204 user is allowed access to portname if his or her user ID matches an entry in the user group identified by usgroup. User groups are defined with the JANUS DEFINEUSGROUP command. The USGROUP parameter cannot be specified if the USER parameter is specified.
FILE procfile | Indicates that access is allowed to portname if invoked by executing an outer procedure stored in a Model 204 file whose name matches the pattern procfile. FILE * indicates that access is allowed by any procedure except a temporary request or an in-stream procedure. FILE '' indicates that access is allowed only by a temporary request or an in-stream procedure.
PROC procname | Indicates that access is allowed to portname if invoked by executing an outer procedure whose name matches the pattern procname. PROC * indicates that access is allowed by any procedure except a temporary request or an in-stream procedure. PROC '' indicates that access is allowed only by a temporary request or an in-stream procedure.
SUBSYS subsysname | Indicates that a $Sock_Conn or New call or SIRIUS DEBUG ON command is allowed to access portname if issued from an APSY subsystem with a name that matches the pattern subsysname. SUBSYS * indicates that access is allowed by any subsystem. SUBSYS '' indicates that access is allowed only by a non-subsystem procedure or temporary request, or by an in-stream procedure.
REMOTE rmt_host rmt_portnum | Access is allowed to portname if the remote host and port number ($Sock_Conn or New method arguments or their defaults; or SIRIUS DEBUG ON command arguments for the Debugger Client address and port) match rmt_host and rmt_portnum, respectively. rmt_host is one of the options in the "Remote host formats" table below. rmt_portnum can be either of these:

Note: When the IPGROUP ipgroup or the ipaddr form is used, the rule can match whether a connection is specified by host name or IP address. If the connection is by host name, it is first translated to an IP address, which is then used to match the rule.
JANUS CLSOCK DISALLOW
The JANUS CLSOCK DISALLOW command indicates a combination of conditions which, if all satisfied, prevent both of these:
- A socket-connection $function $Sock_Conn or object method invocation from accessing the CLSOCK ports that match pattern portname.
- A Sirius Debugger user from accessing the DEBUGGERCLIENT ports that match pattern portname.
The default access for all CLSOCK and DEBUGGERCLIENT ports is to disallow all access — except system administrators can access any CLSOCK port, regardless of rules (since a system administrator can always issue JANUS CLSOCK to grant access to herself). For a non-system administrator, access to a CLSOCK or DEBUGGERCLIENT port depends on the most recent rule for that port that matches the conditions of the $Sock_Conn or New method call, or Sirius Debugger SIRIUS DEBUG ON command:
- If the conditions match all clauses on a JANUS CLSOCK DISALLOW rule, access to the port is not allowed.
- If the conditions match all clauses on a JANUS CLSOCK ALLOW rule, access to the port is allowed.
- If the conditions match neither an ALLOW nor DISALLOW rule, access to the port is disallowed.
Syntax
JANUS CLSOCK portname DISALLOW -
    [USER userid | USGROUP usgroup] -
    [FILE procfile] -
    [PROC procname] -
    [SUBSYS subsysname] -
    [REMOTE rmt_host rmt_portnum]
If the JANUS CLSOCK DISALLOW command is specified with no optional parameters, no access is allowed to the CLSOCK or DEBUGGERCLIENT ports that match the pattern in portname.
The optional parameters for the JANUS CLSOCK DISALLOW command are:
Parameter | Description
---|---
USER userid | Indicates that the Model 204 user ID userid may not issue a $Sock_Conn or a New method call or a SIRIUS DEBUG ON command for portname. For example, if userid is The USER parameter cannot be specified if the USGROUP parameter is specified. USER * is allowed, but it is meaningless: it does not change which conditions a rule matches.
USGROUP usgroup | Indicates that a Model 204 user is not allowed access to portname if his or her user ID matches an entry in the user group identified by usgroup. User groups are defined with the JANUS DEFINEUSGROUP command. The USGROUP parameter cannot be specified if the USER parameter is specified.
FILE procfile | Indicates that access is not allowed to portname if invoked by executing an outer procedure stored in a Model 204 file whose name matches the pattern procfile. FILE * indicates that access is allowed by any procedure except a temporary request or an in-stream procedure. FILE '' indicates that access is allowed only by a temporary request or an in-stream procedure.
PROC procname | Indicates that access is not allowed to portname if invoked by executing an outer procedure whose name matches the pattern procname. PROC * indicates that access is allowed by any procedure except a temporary request or an in-stream procedure. PROC '' indicates that access is allowed only by a temporary request or an in-stream procedure.
SUBSYS subsysname | Indicates that a $Sock_Conn or New call or SIRIUS DEBUG ON command is not allowed to access portname if issued from an APSY subsystem with a name that matches the pattern subsysname. SUBSYS * indicates that access is allowed only by a non-subsystem procedure or temporary request, or by an in-stream procedure. SUBSYS '' indicates that access is allowed by any subsystem.
REMOTE rmt_host rmt_portnum | Indicates that access is not allowed to portname if the remote host and port number (from $Sock_Conn or Socket class New method arguments or their defaults; or SIRIUS DEBUG ON command arguments for the Debugger Client address and port) match rmt_host and rmt_portnum, respectively. rmt_host is one of the options in the "Remote host formats" table below. rmt_portnum is either of these:

Note: When the IPGROUP ipgroup or the ipaddr form is used, the rule can match whether a connection is specified by host name or IP address. If the connection is by host name, it is first translated to an IP address, which is then used to match the rule.
Rule matching order and examples
Each execution of a JANUS CLSOCK subcommand adds to the set of rules for the specified port. Individual rules cannot be deleted nor modified. All rules can be deleted only by stopping and deleting the port definition. Deleting a port definition, however, should not be necessary, as long as you follow the two golden rules:
- Specify the most general rules first and the most specific last.
- Specify an initial rule that “clears” all related rules.
The following example illustrates these principles:
JANUS CLSOCK TEST21 DISALLOW *
JANUS CLSOCK TEST21 ALLOW SUBSYS ECOMMER*
JANUS CLSOCK TEST21 ALLOW PROC FILETRANS REMOTE IPADDR 169.84.111.0-24 9333
JANUS CLSOCK TEST21 ALLOW PROC FILETRANS REMOTE IPADDR 169.84.112.0-24 9333
JANUS CLSOCK TEST21 ALLOW USER SIMP*
In this example, any previously specified ALLOW rules on port TEST21 are made obsolete by the first DISALLOW rule. Once the TEST21 access rules are cleared, the rules allow invocation of $Sock_Conn or the New method for port TEST21 if any of the following conditions are met:
- It is invoked from a subsystem whose name begins with the string ECOMMER.
- It is invoked for port number 9333 at a remote host that is on either the subnet 169.84.111.0 or the subnet 169.84.112.0.
- It is invoked by a Model 204 user whose ID begins with the string SIMP.
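To make the matching order concrete, here is an added Python model of the rule evaluation described above (it is not part of the original page or of Janus itself): it parses a JANUS CLSOCK deck and evaluates a request against the rules, newest first, with DISALLOW as the default and a system-administrator bypass. It assumes that * wildcards follow fnmatch semantics, reads the REMOTE IPADDR a.b.c.d-bits form of the TEST21 example as a CIDR prefix, and leaves USGROUP (which needs JANUS DEFINEUSGROUP data) unmodelled.

```python
import fnmatch
import ipaddress

def parse_deck(deck):
    """Return the JANUS CLSOCK rules of a command deck as (port_pattern, allow, conds), oldest first."""
    rules = []
    for line in deck.strip().splitlines():
        toks = line.split()
        if toks[:2] != ["JANUS", "CLSOCK"]:
            continue                     # DEFINE/START/... lines carry no access rule
        conds, i = {}, 4
        while i < len(toks):
            if toks[i] == "REMOTE":      # only the page's "REMOTE IPADDR a.b.c.d-bits port" form is modelled
                conds["REMOTE"] = (toks[i + 2], toks[i + 3]); i += 4
            elif toks[i] in ("USER", "SUBSYS", "PROC", "FILE"):
                conds[toks[i]] = "" if toks[i + 1] == "''" else toks[i + 1]; i += 2  # '' = no procedure
            else:
                i += 1                   # e.g. the bare "*" on "DISALLOW *" adds no condition
        rules.append((toks[2], toks[3] == "ALLOW", conds))
    return rules

def _remote_ok(cond, host, port):
    net = ipaddress.ip_network(cond[0].replace("-", "/"), strict=False)   # assumption: bits after "-"
    return ipaddress.ip_address(host) in net and cond[1] in ("*", str(port))

def access_allowed(rules, port, user, subsys="", proc="", file="", remote=None, sysadmin=False):
    """Evaluate one $Sock_Conn/New request: most recent matching rule wins, default DISALLOW."""
    if sysadmin:
        return True                      # system administrators always have access
    ctx = {"USER": user, "SUBSYS": subsys, "PROC": proc, "FILE": file}
    for port_pat, allow, conds in reversed(rules):   # newest rule first
        if not fnmatch.fnmatchcase(port, port_pat):
            continue
        ok = all(fnmatch.fnmatchcase(ctx[k], v) for k, v in conds.items() if k in ctx)
        if "REMOTE" in conds:
            ok = ok and remote is not None and _remote_ok(conds["REMOTE"], *remote)
        if ok:
            return allow                 # every clause of this rule matched
    return False                         # no rule matched: the CLSOCK default is DISALLOW

# The TEST21 deck from the page, used here as sample input.
DECK = """
JANUS CLSOCK TEST21 DISALLOW *
JANUS CLSOCK TEST21 ALLOW SUBSYS ECOMMER*
JANUS CLSOCK TEST21 ALLOW PROC FILETRANS REMOTE IPADDR 169.84.111.0-24 9333
JANUS CLSOCK TEST21 ALLOW PROC FILETRANS REMOTE IPADDR 169.84.112.0-24 9333
JANUS CLSOCK TEST21 ALLOW USER SIMP*
"""
RULES = parse_deck(DECK)
```

Appending a later DISALLOW USER SIMP* to the deck shows why the "most specific last" rule matters: that rule is then the first one consulted, so a SIMP* user is refused even from an ECOMMER* subsystem.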