Configuring host access

To provide access control to the Agent Controller, the configuration file (serviceconfig.xml) provides the Hosts element and its children Allow and Deny. If the Hosts element is in the active configuration, the Allow and Deny child elements are enumerated to determine whether a host will be granted a connection to the Agent Controller. If all of the children have been enumerated and none of the rules match the incoming connection, then the connection is denied by default. There are two ways to describe an Allow or a Deny rule: either by host name or by network masks.

In the case of host names, the IP address of the host requesting a connection is subjected to a reverse DNS lookup. If the resolved name exactly matches the rule's host attribute, the connection is allowed or denied according to whether the rule is an Allow or a Deny element. There are two wildcards for host names, ALL and LOCAL. ALL, when compared to a host name, always returns a match. LOCAL returns a match if the IP address of the host connecting to the Agent Controller matches the IP address of any network interface on the local host.

Network connection rules are used to allow or deny access from a group of machines based on where they are on the network. A network connection rule is defined by two numbers: the network (the net attribute) and the subnet mask (the mask attribute). When a connection is requested from a host, its IP address is logically AND-ed with the mask attribute. If the result of the logical AND equals the net attribute, then the rule matches.

The following examples illustrate how to configure test client access:

Preliminary steps:

  1. Locate the serviceconfig.xml configuration file. See the related task.
  2. Open it in an editor.

Example 1

To allow access from all machines on the network to the Agent Controller when the default configuration is active, add the following fragment to the configuration file:

<Hosts configuration="default">
    <Allow host="ALL"/>
</Hosts>

Example 2

To allow access from the localhost and deny all other connections to the Agent Controller when the debug configuration is active, add the following fragment to the configuration file:

<Hosts configuration="debug">
    <Allow host="LOCAL"/>
</Hosts>

Example 3

To allow access to the Agent Controller from all machines belonging to the 192.168.0.0 C-class network except 192.168.0.1, and to also allow access from host steamboat, and deny all other hosts, in all configurations, add the following fragment to the configuration file:

<Hosts>
    <Deny net="192.168.0.1" mask="255.255.255.255"/>
    <Allow net="192.168.0.0" mask="255.255.255.0"/>
    <Allow host="steamboat"/>
</Hosts>
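The matching rules described above can be checked against a rule set before it is deployed. The following Python sketch is an added example, not Agent Controller code: the function names, the <Config> root element, and the sample rule set are constructed for illustration. It assumes IPv4 addresses and that the first matching rule decides the outcome, as the ordering in Example 3 suggests.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample; <Config> is a placeholder root, not the real file layout.
SAMPLE = """
<Config>
  <Hosts configuration="default">
    <Deny net="192.168.0.1" mask="255.255.255.255"/>
    <Allow net="192.168.0.0" mask="255.255.255.0"/>
    <Allow host="steamboat"/>
    <Allow host="LOCAL"/>
  </Hosts>
  <Hosts configuration="debug">
    <Allow host="ALL"/>
  </Hosts>
</Config>
"""

def rule_matches(rule, ip, local_ips, reverse_lookup):
    """True if one Allow/Deny element matches the connecting IPv4 address."""
    host = rule.get("host")
    if host == "ALL":
        return True
    if host == "LOCAL":
        return ip in local_ips
    if host is not None:
        # Exact comparison against the reverse DNS name of the client.
        return reverse_lookup(str(ip)) == host
    net = int(ipaddress.IPv4Address(rule.get("net")))
    mask = int(ipaddress.IPv4Address(rule.get("mask")))
    # A net value with bits set outside the mask can never match.
    return (int(ip) & mask) == net

def is_allowed(config_xml, active, client_ip, local_ips=(),
               reverse_lookup=lambda ip: None):
    """Evaluate Hosts rules for the active configuration.
    Assumptions: first matching rule wins; a Hosts element without a
    configuration attribute applies to every configuration; no applicable
    Hosts element is treated as deny.
    """
    ip = ipaddress.IPv4Address(client_ip)
    local = {ipaddress.IPv4Address(a) for a in local_ips}
    for hosts in ET.fromstring(config_xml).iter("Hosts"):
        if hosts.get("configuration") not in (None, active):
            continue
        for rule in hosts:
            if rule.tag in ("Allow", "Deny") and rule_matches(rule, ip, local, reverse_lookup):
                return rule.tag == "Allow"
    return False  # nothing matched: denied by default
```

The reverse lookup is passed in as a function so the check runs offline; running candidate addresses through is_allowed shows how much a mask such as 255.255.0.0 widens a rule compared with 255.255.255.0.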

Related tasks
Locating the configuration files
Creating configurations and setting the active configuration
Administering the Agent Controller