{AJS構築}21.2 JP1/AJS3への接続を制限する設定

  • 物理ホスト

--設定

----マネージャでの作業

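# Create the manager-side allow-list from the shipped model file (-p keeps the model's mode/owner).
cp -p /etc/opt/jp1ajs2/conf/permitted_host_manager.conf.model /etc/opt/jp1ajs2/conf/permitted_host_manager.conf
# u+w rather than bare +w: bare +w is a+w filtered through the umask, so with a permissive
# umask the allow-list could become group/world-writable, and anyone who can edit it can
# add their own host. Only the owner (root) needs write access.
chmod u+w /etc/opt/jp1ajs2/conf/permitted_host_manager.conf
vim /etc/opt/jp1ajs2/conf/permitted_host_manager.conf
# File contents as recorded: one permitted source address per line (loopback plus three hosts).
# Connection permitted host
127.0.0.1
192.168.137.181
192.168.137.182
192.168.137.183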

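# Create the agent-side allow-list on the manager host from the shipped model file.
cp -p /etc/opt/jp1ajs2/conf/permitted_host_agent.conf.model /etc/opt/jp1ajs2/conf/permitted_host_agent.conf
# u+w rather than bare +w: bare +w is a+w filtered through the umask, so with a permissive
# umask the allow-list could become group/world-writable. Only the owner (root) needs write access.
chmod u+w /etc/opt/jp1ajs2/conf/permitted_host_agent.conf
vim /etc/opt/jp1ajs2/conf/permitted_host_agent.conf
# File contents as recorded: one permitted source address per line.
# Connection permitted host
127.0.0.1
192.168.137.181
192.168.137.182
192.168.137.183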


# Stop JP1/AJS3 on the physical host before changing CONNECTIONRESTRICTION, and confirm the stop.
# ajsqlstop/ajsqlstatus do the same for the queueless service (the note stops both before
# every jajs_config change, so the setting is presumably read at start-up).
/opt/jp1ajs2/bin/jajs_spmd_stop
/opt/jp1ajs2/bin/jajs_spmd_status
/opt/jp1ajs2/bin/ajsqlstop
/opt/jp1ajs2/bin/ajsqlstatus

--有効にする場合（「無効にする場合」のコマンドとはどちらか一方のみ実行する）
# Enable source-host restriction for the physical host (JP1_DEFAULT); applied at the restart below.
/opt/jp1ajs2/bin/jajs_config -k "[JP1_DEFAULT\JP1AJS2COMMON]" "CONNECTIONRESTRICTION"="all"

--無効にする場合
# Disable source-host restriction again (rollback); any host may then connect.
/opt/jp1ajs2/bin/jajs_config -k "[JP1_DEFAULT\JP1AJS2COMMON]" "CONNECTIONRESTRICTION"="none"

# Record rejected connections in the AJS log and in syslog. These keys sit under
# JP1AJSMANAGER and are set only in the manager sections of this note; setting them
# before the restart means the first rejection after enabling is already recorded.
/opt/jp1ajs2/bin/jajs_config -k "[JP1_DEFAULT\JP1AJSMANAGER]" "CONRESTRICTLOG"="all"
/opt/jp1ajs2/bin/jajs_config -k "[JP1_DEFAULT\JP1AJSMANAGER]" "CONRESTRICTSYSLOG"="all"

# Restart JP1/AJS3 and the queueless service and confirm status; the new
# CONNECTIONRESTRICTION value takes effect from here.
/opt/jp1ajs2/bin/jajs_spmd
/opt/jp1ajs2/bin/jajs_spmd_status
/opt/jp1ajs2/bin/ajsqlstart
/opt/jp1ajs2/bin/ajsqlstatus

# Add another host (.184) to the manager allow-list without a service restart: edit the file,
# then jajs_pmtcon -m -v / -m -u. -v presumably verifies/shows the manager list and -u applies
# it to the running service — confirm against the jajs_pmtcon reference.
vim /etc/opt/jp1ajs2/conf/permitted_host_manager.conf
192.168.137.184

/opt/jp1ajs2/bin/jajs_pmtcon -m -v
/opt/jp1ajs2/bin/jajs_pmtcon -m -u

# Same for the agent allow-list on the manager host: add .184, then verify (-a -v) and
# apply (-a -u) without a restart — option meanings presumed, confirm in the reference.
vim /etc/opt/jp1ajs2/conf/permitted_host_agent.conf
192.168.137.184

/opt/jp1ajs2/bin/jajs_pmtcon -a -v
/opt/jp1ajs2/bin/jajs_pmtcon -a -u

----エージェントでの作業

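# Agent host: create the agent-side allow-list from the shipped model file.
cp -p /etc/opt/jp1ajs2/conf/permitted_host_agent.conf.model /etc/opt/jp1ajs2/conf/permitted_host_agent.conf
# u+w rather than bare +w: bare +w is a+w filtered through the umask, so with a permissive
# umask the allow-list could become group/world-writable. Only the owner (root) needs write access.
chmod u+w /etc/opt/jp1ajs2/conf/permitted_host_agent.conf
vim /etc/opt/jp1ajs2/conf/permitted_host_agent.conf
# File contents as recorded: the hosts allowed to send job requests to this agent.
# Connection permitted host
127.0.0.1
192.168.137.181
192.168.137.182
192.168.137.183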

# Stop JP1/AJS3 and the queueless service on the agent before changing the setting; confirm the stop.
/opt/jp1ajs2/bin/jajs_spmd_stop
/opt/jp1ajs2/bin/jajs_spmd_status
/opt/jp1ajs2/bin/ajsqlstop
/opt/jp1ajs2/bin/ajsqlstatus


--有効にする場合（「無効にする場合」のコマンドとはどちらか一方のみ実行する）
# Enable source-host restriction on the agent (JP1_DEFAULT); applied at the restart below.
/opt/jp1ajs2/bin/jajs_config -k "[JP1_DEFAULT\JP1AJS2COMMON]" "CONNECTIONRESTRICTION"="all"
--無効にする場合
# Disable source-host restriction on the agent (rollback).
/opt/jp1ajs2/bin/jajs_config -k "[JP1_DEFAULT\JP1AJS2COMMON]" "CONNECTIONRESTRICTION"="none"


# Restart JP1/AJS3 and the queueless service on the agent and confirm status.
/opt/jp1ajs2/bin/jajs_spmd
/opt/jp1ajs2/bin/jajs_spmd_status
/opt/jp1ajs2/bin/ajsqlstart
/opt/jp1ajs2/bin/ajsqlstatus

# Add .184 to the agent allow-list and apply it without a restart (-a -v to verify,
# -a -u to apply — option meanings presumed, confirm in the jajs_pmtcon reference).
vim /etc/opt/jp1ajs2/conf/permitted_host_agent.conf
192.168.137.184

/opt/jp1ajs2/bin/jajs_pmtcon -a -v
/opt/jp1ajs2/bin/jajs_pmtcon -a -u


--動作確認
# Watch for rejection records while running the checks below: syslog (where the manager's
# CONRESTRICTSYSLOG=all presumably sends them) and the Hitachi integrated trace log.
# The hntr2N.log suffix rotates; pick the newest file from the ls -ltr listing.
tail -f /var/log/messages
ls -ltr /var/opt/hitachi/HNTRLib2/spool
tail -f /var/opt/hitachi/HNTRLib2/spool/hntr21.log

----マネージャへの接続制限の確認

mmm190からmmm181へリモートコマンドを実行

# Remote-command check from mmm190 against manager mmm181: point AJSMANAGERHOST at the manager
# and list its unit tree. With restriction enabled this should be refused, assuming mmm190
# (192.168.137.190?) is not in permitted_host_manager.conf above — it is not in the list.
export JP1_USERNAME=jp1admin
export AJSMANAGERHOST=mmm181
/opt/jp1ajs2/bin/ajsprint -F AJSROOT1 "/*"
# Unset so later commands target the local manager again.
export -n AJSMANAGERHOST

接続元制限していない場合、リモートコマンド実行可能


接続元制限している場合、リモートコマンドは実行できない

 

----エージェントへの接続制限の確認
mmm190からmmm182へジョブを実行（以下の検証用ジョブ定義は un="root" のため、エージェント mmm182 上で root として実行される点に注意）


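vim /root/job1.sh
#!/bin/bash
# Test job: append "<date> <id output>" to a log so that the run, and the user it ran as, is visible.
# $(...) plus quoting replaces backticks and an unquoted `echo $OUT`, so the line is written
# as-is with no word splitting or globbing of the command output.
printf '%s %s\n' "$(date)" "$(id)" >> /root/job1.log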

# Test jobnet definition follows (ajsdefine unit format, not shell). job11 runs /root/job1.sh
# on agent mmm182 with un="root"; root is not needed for an echo-to-log check, so consider a
# less privileged execution user and remove the definition after the test.
vim /root/unitbackup.txt

unit=jg1,,jp1admin,;
{
ty=g;
cm="jg1";
el=jobnet1,n,+0+0;
cl=su;
op=mo;
op=tu;
op=we;
op=th;
op=fr;
cl=sa;
unit=jobnet1,,jp1admin,;
{
ty=n;
cm="jobnet1";
sz=10x8;
el=job11,j,+80+48;
sd=1,2019/11/03;
st=1,23:58;
cy=1,(1,d);
sh=1,ca;
shd=1,2;
ex="mmm182";
unit=job11,,jp1admin,;
{
ty=j;
cm="job1";
sc="/root/job1.sh";
un="root";
tho=0;
ex="mmm182";
}
}
}

# Register and run the test jobnet on scheduler service AJS3SCHEDULE001: cancel any existing
# registration, define the units from the file (-f presumably overwrites), print the tree,
# register the jobnet (-n presumably = immediate execution), then show the result.
export JP1_USERNAME=jp1admin
/opt/jp1ajs2/bin/ajsleave -F AJS3SCHEDULE001 /jg1/jobnet1
/opt/jp1ajs2/bin/ajsdefine -F AJS3SCHEDULE001 -f -d / /root/unitbackup.txt
/opt/jp1ajs2/bin/ajsprint -F AJS3SCHEDULE001 "/*"

/opt/jp1ajs2/bin/ajsentry -F AJS3SCHEDULE001 -n /jg1/jobnet1
/opt/jp1ajs2/bin/ajsshow -F AJS3SCHEDULE001 -R /jg1/jobnet1


接続元制限していない場合、ジョブは実行可能


接続元制限している場合、ジョブは異常検出終了(KAVU4721-E 要求が拒否されました(10808))

 

 

  • 論理ホスト


--設定

----マネージャでの作業

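# Logical host mmm190 (shared disk under /mnt/sdc2): create the manager allow-list from the model file.
cp -p /mnt/sdc2/jp1ajs/jp1ajs2/conf/permitted_host_manager.conf.model /mnt/sdc2/jp1ajs/jp1ajs2/conf/permitted_host_manager.conf
# u+w rather than bare +w: bare +w is a+w filtered through the umask, so with a permissive
# umask the allow-list could become group/world-writable. Only the owner (root) needs write access.
chmod u+w /mnt/sdc2/jp1ajs/jp1ajs2/conf/permitted_host_manager.conf
vim /mnt/sdc2/jp1ajs/jp1ajs2/conf/permitted_host_manager.conf
# File contents as recorded: loopback plus the cluster nodes' physical/logical addresses and .183.
# Connection permitted host
127.0.0.1
192.168.137.190
192.168.137.191
192.168.137.192
192.168.137.194
192.168.137.195
192.168.137.196
192.168.137.183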

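# Logical host mmm190: create the agent allow-list from the model file.
cp -p /mnt/sdc2/jp1ajs/jp1ajs2/conf/permitted_host_agent.conf.model /mnt/sdc2/jp1ajs/jp1ajs2/conf/permitted_host_agent.conf
# u+w rather than bare +w: bare +w is a+w filtered through the umask, so with a permissive
# umask the allow-list could become group/world-writable. Only the owner (root) needs write access.
chmod u+w /mnt/sdc2/jp1ajs/jp1ajs2/conf/permitted_host_agent.conf
vim /mnt/sdc2/jp1ajs/jp1ajs2/conf/permitted_host_agent.conf
# File contents as recorded: one permitted source address per line.
# Connection permitted host
127.0.0.1
192.168.137.190
192.168.137.191
192.168.137.192
192.168.137.194
192.168.137.195
192.168.137.196
192.168.137.183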


# Stop logical host mmm190 (cluster stop script) and confirm, then detach it from the
# queueless service and stop/confirm that too, before changing the setting.
/etc/opt/jp1ajs2/jajs_stop.cluster mmm190
/opt/jp1ajs2/bin/jajs_spmd_status -h mmm190

/opt/jp1ajs2/bin/ajsqldetach -h mmm190
/opt/jp1ajs2/bin/ajsqlstop
/opt/jp1ajs2/bin/ajsqlstatus -h mmm190

--有効にする場合（「無効にする場合」のコマンドとはどちらか一方のみ実行する）
# Enable source-host restriction for logical host mmm190 (key is scoped to the logical host name).
/opt/jp1ajs2/bin/jajs_config -k "[mmm190\JP1AJS2COMMON]" "CONNECTIONRESTRICTION"="all"
--無効にする場合
# Disable source-host restriction for logical host mmm190 (rollback).
/opt/jp1ajs2/bin/jajs_config -k "[mmm190\JP1AJS2COMMON]" "CONNECTIONRESTRICTION"="none"

# Record rejected connections in the AJS log and syslog for logical host mmm190 (manager keys;
# the logical-host agent section below does not set them). Set before the restart so the
# first rejection after enabling is recorded.
/opt/jp1ajs2/bin/jajs_config -k "[mmm190\JP1AJSMANAGER]" "CONRESTRICTLOG"="all"
/opt/jp1ajs2/bin/jajs_config -k "[mmm190\JP1AJSMANAGER]" "CONRESTRICTSYSLOG"="all"


# Start logical host mmm190 again and confirm, then start the queueless service and
# re-attach the logical host to it; the new setting takes effect from here.
/etc/opt/jp1ajs2/jajs_start.cluster mmm190
/opt/jp1ajs2/bin/jajs_spmd_status -h mmm190

/opt/jp1ajs2/bin/ajsqlstart
/opt/jp1ajs2/bin/ajsqlattach -h mmm190
/opt/jp1ajs2/bin/ajsqlstatus -h mmm190

# Add .184 to logical host mmm190's manager allow-list and apply it without a restart
# (-h selects the logical host; -m -v to verify, -m -u to apply — option meanings presumed,
# confirm in the jajs_pmtcon reference).
vim /mnt/sdc2/jp1ajs/jp1ajs2/conf/permitted_host_manager.conf
192.168.137.184

/opt/jp1ajs2/bin/jajs_pmtcon -h mmm190 -m -v
/opt/jp1ajs2/bin/jajs_pmtcon -h mmm190 -m -u

# Same for logical host mmm190's agent allow-list: add .184, verify (-a -v), apply (-a -u).
vim /mnt/sdc2/jp1ajs/jp1ajs2/conf/permitted_host_agent.conf
192.168.137.184

/opt/jp1ajs2/bin/jajs_pmtcon -h mmm190 -a -v
/opt/jp1ajs2/bin/jajs_pmtcon -h mmm190 -a -u

----エージェントでの作業

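# Logical agent host mmm194 (shared disk under /mnt/sdc2): create the agent allow-list from the model file.
cp -p /mnt/sdc2/jp1ajs/jp1ajs2/conf/permitted_host_agent.conf.model /mnt/sdc2/jp1ajs/jp1ajs2/conf/permitted_host_agent.conf
# u+w rather than bare +w: bare +w is a+w filtered through the umask, so with a permissive
# umask the allow-list could become group/world-writable. Only the owner (root) needs write access.
chmod u+w /mnt/sdc2/jp1ajs/jp1ajs2/conf/permitted_host_agent.conf
vim /mnt/sdc2/jp1ajs/jp1ajs2/conf/permitted_host_agent.conf
# File contents as recorded: the hosts allowed to send job requests to this agent.
# Connection permitted host
127.0.0.1
192.168.137.190
192.168.137.191
192.168.137.192
192.168.137.194
192.168.137.195
192.168.137.196
192.168.137.183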


# Stop logical agent host mmm194 and confirm, then detach it from the queueless service
# and stop/confirm that too, before changing the setting.
/etc/opt/jp1ajs2/jajs_stop.cluster mmm194
/opt/jp1ajs2/bin/jajs_spmd_status -h mmm194

/opt/jp1ajs2/bin/ajsqldetach -h mmm194
/opt/jp1ajs2/bin/ajsqlstop
/opt/jp1ajs2/bin/ajsqlstatus -h mmm194


--有効にする場合（「無効にする場合」のコマンドとはどちらか一方のみ実行する）
# Enable source-host restriction for logical agent host mmm194.
/opt/jp1ajs2/bin/jajs_config -k "[mmm194\JP1AJS2COMMON]" "CONNECTIONRESTRICTION"="all"
--無効にする場合
# Disable source-host restriction for logical agent host mmm194 (rollback).
/opt/jp1ajs2/bin/jajs_config -k "[mmm194\JP1AJS2COMMON]" "CONNECTIONRESTRICTION"="none"

# Start logical agent host mmm194 again and confirm, then start the queueless service
# and re-attach the logical host to it.
/etc/opt/jp1ajs2/jajs_start.cluster mmm194
/opt/jp1ajs2/bin/jajs_spmd_status -h mmm194

/opt/jp1ajs2/bin/ajsqlstart
/opt/jp1ajs2/bin/ajsqlattach -h mmm194
/opt/jp1ajs2/bin/ajsqlstatus -h mmm194

 

# Add .184 to logical agent host mmm194's allow-list and apply it without a restart
# (-a -v to verify, -a -u to apply — option meanings presumed, confirm in the reference).
vim /mnt/sdc2/jp1ajs/jp1ajs2/conf/permitted_host_agent.conf
192.168.137.184

/opt/jp1ajs2/bin/jajs_pmtcon -h mmm194 -a -v
/opt/jp1ajs2/bin/jajs_pmtcon -h mmm194 -a -u

--動作確認
# Watch for rejection records while running the checks below: syslog (where the logical
# host's CONRESTRICTSYSLOG=all presumably sends them) and the Hitachi integrated trace log.
# The hntr2N.log suffix rotates (hntr24 here, hntr21 earlier); pick the newest from ls -ltr.
tail -f /var/log/messages
ls -ltr /var/opt/hitachi/HNTRLib2/spool
tail -f /var/opt/hitachi/HNTRLib2/spool/hntr24.log

----マネージャへの接続制限の確認

mmm181からmmm190へリモートコマンドを実行

# Remote-command check from mmm181 against logical manager mmm190: point AJSMANAGERHOST at
# the logical host and list its unit tree. With restriction enabled this should be refused,
# assuming mmm181 (192.168.137.181?) is absent from mmm190's permitted_host_manager.conf — it is.
export JP1_USERNAME=jp1admin
export AJSMANAGERHOST=mmm190
/opt/jp1ajs2/bin/ajsprint -F AJS3SCHEDULE001 "/*"
# Unset so later commands target the local manager again.
export -n AJSMANAGERHOST

接続元制限していない場合、リモートコマンド実行可能


接続元制限している場合、リモートコマンドは実行できない

 

----エージェントへの接続制限の確認
mmm181からmmm194へジョブを実行（以下の検証用ジョブ定義は un="root" のため、論理ホスト mmm194 上で root として実行される点に注意）


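vim /mnt/sdc2/job1.sh
#!/bin/bash
# Test job on the shared disk: append "<date> <id output>" to a log so the run, and the user
# it ran as, is visible. $(...) plus quoting replaces backticks and an unquoted `echo $OUT`,
# so the line is written as-is with no word splitting or globbing of the command output.
printf '%s %s\n' "$(date)" "$(id)" >> /mnt/sdc2/job1.log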

# Test jobnet definition follows (ajsdefine unit format, not shell). job11 runs /mnt/sdc2/job1.sh
# on logical agent mmm194 with un="root"; root is not needed for an echo-to-log check, so
# consider a less privileged execution user and remove the definition after the test.
vim /root/unitbackup.txt

unit=jg1,,jp1admin,;
{
ty=g;
cm="jg1";
el=jobnet1,n,+0+0;
cl=su;
op=mo;
op=tu;
op=we;
op=th;
op=fr;
cl=sa;
unit=jobnet1,,jp1admin,;
{
ty=n;
cm="jobnet1";
sz=10x8;
el=job11,j,+80+48;
sd=1,2019/11/03;
st=1,23:58;
cy=1,(1,d);
sh=1,ca;
shd=1,2;
ex="mmm194";
unit=job11,,jp1admin,;
{
ty=j;
cm="job1";
sc="/mnt/sdc2/job1.sh";
un="root";
tho=0;
ex="mmm194";
}
}
}

# Register and run the test jobnet on scheduler service AJSROOT1: cancel any existing
# registration, define the units from the file (-f presumably overwrites), print the tree,
# register the jobnet (-n presumably = immediate execution), then show the result.
export JP1_USERNAME=jp1admin
/opt/jp1ajs2/bin/ajsleave -F AJSROOT1 /jg1/jobnet1
/opt/jp1ajs2/bin/ajsdefine -F AJSROOT1 -f -d / /root/unitbackup.txt
/opt/jp1ajs2/bin/ajsprint -F AJSROOT1 "/*"

/opt/jp1ajs2/bin/ajsentry -F AJSROOT1 -n /jg1/jobnet1
/opt/jp1ajs2/bin/ajsshow -F AJSROOT1 -R /jg1/jobnet1


接続元制限していない場合、ジョブは実行可能


接続元制限している場合、ジョブは異常検出終了(KAVU4721-E 要求が拒否されました(1301))

 

--待機系への反映
--マネージャ

共通定義情報の出力
# Export logical host mmm190's JP1/Base common definition (which now carries the restriction
# keys set above) and copy it to the standby node mmm192. NOTE(review): the dump is left in
# /root on both nodes; delete it after the import if the common definition is treated as
# sensitive (presumably only configuration keys, but confirm what jbsgetcnf includes).
/opt/jp1base/bin/jbsgetcnf -h mmm190 > /root/jbscnf.txt
scp /root/jbscnf.txt mmm192:/root

共通定義情報の取り込み
# Import the common definition on the standby node so a failover keeps the same restriction settings.
ssh mmm192 "/opt/jp1base/bin/jbssetcnf /root/jbscnf.txt"

--エージェント

共通定義情報の出力
# Export logical agent host mmm194's common definition and copy it to its standby node mmm196.
# NOTE(review): same as for the manager — remove /root/jbscnf.txt on both nodes after the import.
/opt/jp1base/bin/jbsgetcnf -h mmm194 > /root/jbscnf.txt
scp /root/jbscnf.txt mmm196:/root

共通定義情報の取り込み
# Import the common definition on the agent's standby node so failover keeps the restriction settings.
ssh mmm196 "/opt/jp1base/bin/jbssetcnf /root/jbscnf.txt"