Networked Host Access Control through Whitelists

The SSMC application provides three mechanisms to control host access.
The options for host access control are provided at different levels of the application stack:
  1. HTTP level, by configuring Jetty using jetty-ipaccess.xml. For more information, see Client IP Filtering support in SSMC.
  2. TCP level, using the standard Linux TCP wrappers, /etc/hosts.allow and /etc/hosts.deny.
  3. IP tables, using the security configuration file, /ssmc/bin/config_security.sh.

NOTE:

Options 1 and 2 are not available when SSMC is configured for security standards compliance. In this scenario, use Option 3.

The IP tables-based host access control mechanism requires you to set up the access rules. These rules are configured using the following properties in the /ssmc/conf/security_config.properties file:

Property                    Description
ssmc.inbound.hosts.allow    Comma-separated list of IPv4 addresses of whitelisted hosts which require inbound access. Includes all the client terminals from where SSMC web and SSH will be accessed. The property supports CIDR (/) and range (-) notations to specify IP ranges.
ssmc.outbound.hosts.allow   Comma-separated list of IPv4 addresses of whitelisted hosts which require outbound access. Includes all managed arrays, DNS, SMTP, Remote Logging server, HPE Service Processor, Web-proxy for HPE InfoSight connection, and so on. The property supports CIDR (/) and range (-) notations to specify IP ranges.
FQDN host names are not supported for any of the host access control properties. In a DHCP environment, include the full IP range that the DHCP server may assign to a given host to set up whitelist and allow access to that host.
NOTE:

SSMC 3.7 does not support IPv6 for the host access feature. When the host access feature is enabled, all outbound and inbound traffic to and from the networked hosts is denied by default and allowed by exception (whitelists). In other words, you must make a conscious host entry in the ssmc.outbound.hosts.allow and ssmc.inbound.hosts.allow properties to allow outbound and inbound access to the hosts.

IMPORTANT: If you want to add storage arrays using their FQDN for management (through Admin console web GUI), ensure that both DNS server and the array IP addresses are whitelisted for outbound access from SSMC.

Enable or disable host access

To set rules and enable host access, execute the following command:

sudo /ssmc/bin/config_security.sh -o host_access -a set -f

To reset rules and disable the host access, execute the following command:

sudo /ssmc/bin/config_security.sh -o host_access -a reset -f

Example 1

If host access is enabled with 192.168.11.2 set in the inbound whitelist, only the specified host is able to access the SSMC appliance through the SSH or web ports. In this scenario, array connections and DNS resolution are not possible.

  • Inbound access is allowed from all networked hosts.

  • Outbound access is restricted to all hosts.

ssmc.inbound.hosts.allow=192.168.11.2
ssmc.outbound.hosts.allow=

Example 2

The rule allows all networked hosts to access SSMC from the ranges 192.168.11.1/24 and 192.168.10.1-192.168.10.10 and from the host 192.168.10.25. SSMC can establish outbound connections to networked hosts only in the range 192.168.12.1-192.168.12.5.

ssmc.inbound.hosts.allow=192.168.11.1/24,192.168.10.1-192.168.10.10,192.168.10.25
ssmc.outbound.hosts.allow=192.168.12.1-192.168.12.5
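Because the feature denies everything not whitelisted, a pre-flight check of the properties before running the set command avoids locking out the admin terminal or the DNS server and arrays. The following Python is an added example, not code from the SSMC documentation or product: it expands the single-address, CIDR and range notations into networks, rejects FQDN and IPv6 entries as the page says they are unsupported, and reports which hosts a given file would block. The admin terminal, DNS server and array addresses it checks are constructed sample values.

```python
import ipaddress
from typing import Dict, List

def parse_allow_list(value: str) -> List[ipaddress.IPv4Network]:
    """Expand one whitelist property value into IPv4 networks.

    Accepts a single IPv4 address, CIDR (a.b.c.d/n) and a range
    (a.b.c.d-w.x.y.z). FQDNs and IPv6 entries raise ValueError, which
    mirrors the page's stated limits. An empty value means deny all.
    """
    networks: List[ipaddress.IPv4Network] = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if "-" in entry:
            lo_s, hi_s = entry.split("-", 1)
            lo = ipaddress.IPv4Address(lo_s.strip())
            hi = ipaddress.IPv4Address(hi_s.strip())
            if hi < lo:
                raise ValueError(f"range start is above range end: {entry}")
            networks.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            # strict=False accepts 192.168.11.1/24 (host bits set), as the page does
            networks.append(ipaddress.IPv4Network(entry, strict=False))
    return networks

def is_allowed(ip: str, networks: List[ipaddress.IPv4Network]) -> bool:
    """True when ip falls inside any whitelisted network."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in networks)

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value reader for security_config.properties lines."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, val = line.partition("=")
            props[key.strip()] = val.strip()
    return props

def preflight(text: str, admin_terminal: str, outbound_needed: List[str]) -> List[str]:
    """Return the hosts that would be blocked once host access is enabled."""
    props = parse_properties(text)
    inbound = parse_allow_list(props.get("ssmc.inbound.hosts.allow", ""))
    outbound = parse_allow_list(props.get("ssmc.outbound.hosts.allow", ""))
    blocked = [] if is_allowed(admin_terminal, inbound) else [f"inbound: {admin_terminal}"]
    blocked += [f"outbound: {h}" for h in outbound_needed if not is_allowed(h, outbound)]
    return blocked

# Constructed sample mirroring Example 2 from the page
SAMPLE_CONFIG = """\
ssmc.inbound.hosts.allow=192.168.11.1/24,192.168.10.1-192.168.10.10,192.168.10.25
ssmc.outbound.hosts.allow=192.168.12.1-192.168.12.5
"""
```

An empty preflight result means the terminal you are typing from and every host you listed as needed outbound (arrays, DNS) will still be reachable after the set command.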