Client IP filtering support in SSMC
SSMC uses client IP filtering support (such as that provided by Jetty) for
whitelisting and blacklisting remote browser clients by IP address. Administrators
can configure IP filtering by adding IP addresses and subnets to the template file
/opt/hpe/ssmc/ssmcbase/etc/jetty-ipaccess.xml. For details on
the format of this file, see Jetty documentation at https://www.eclipse.org/jetty/javadoc/jetty-9/org/eclipse/jetty/server/handler/IPAccessHandler.html.
Restart SSMC server for any changes to IP filtering to take effect.
Consider the following outcomes before blacklisting or whitelisting IP addresses:
Use caution when editing the
jetty-ipaccess.xmlfile. Improper editing can prevent SSMC from starting or cause SSMC to function abnormally.IPv4 and IPv6 are treated as separate connections from the same host. An SSMC server running on both protocols must enable IP filtering on both IPv4 and IPv6 addresses to achieve 100% blacklisting or whitelisting.
If the include list contains one or more IP addresses then add every other allowed IP address explicitly in the include list. The IP addresses which are not added in the include list are not allowed to access SSMC.
CAUTION:If the include list contains one or more IP addresses then add the loopback IP address as 127.0.0.1. Without loopback IP address, the SSMC appliance could be in an unstable state (repetitive restart).
If you add an explicit IP address to the include list, it overrides an entire address range in the exclude list. All IP addresses associated with the included IP subnet are excluded. Only the one IP address listed is whitelisted.
A similar situation occurs if you add an explicit IP address in the exclude list. The excluded IP address overrides and excludes all IP addresses included in the IP subnet, even if they are listed in the include list.