r12.0 SP4: Can I block or exclude specific IP addresses from connecting to my Directory?

Document ID : KB000050889
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

CA Directory r12.0 SP4 now includes the ability to block specific IP addresses. This is incredibly useful in preventing problem servers from connecting to your Directory.

Solution:

Configuring excluded addresses

To configure the exclude list, you add the " exclude-addresses " configuration command to the DSAs config files.

The command takes the following form:

set exclude-addresses = [ipv4 | ipv6] <address> [, ...];

Some command examples include:

set exclude-addresses = ipv4 ComputerHostname;
set exclude-addresses = ipv4 "host.domain.com";
set exclude-addresses = ipv4 "aaa.bbb.ccc.ddd";
set exclude-addresses = ipv4 Server1, Server2, Server3;
set exclude-addresses = ipv4 Server1, Server2, Server3, ipv6 "fe80::8dd3:2004:13aa:e39b%12";

Save the file, and run "dxsyntax" to confirm that the command has been specified correctly.

Once the DSA has been started, you can confirm that the DSA has loaded the configuration by connecting to the DSA's DXconsole port, and run the command "get stack;".

The output will look like:

Welcome to the DSA Management Console
dsa> get stack;
 
dap-psap         = ""
dsp-psap         = ""
disp-psap        = "DISP"
addresses        = 155.35.166.128:20389
snmp-port        = 20389
console-port     = 20390
snmp-description = DXserver r12.0 (build 4457) Windows_NT/DXgrid 32-Bit
snmp-contact     = support@ca.com
snmp-name        = optus
snmp-location    = http://www.ca.com
snmp-poll-community =
snmp-trap-community = public
xm-free-lists    = 0
xm-total-memory  = 2052629
 
SSL:
 cert-dir    = config/ssld/personalities
 ca-file     = config/ssld/trusted.pem
 fips        = FALSE
 slot        = -1
 
exclude-addresses = aaa.bbb.ccc.ddd, aaa.bbb.ccc.dde, aaa.bbb.ccc.ddf, [fa81:0:0:1:8ea2:1001:12bb:e31b%73]

Testing excluded addresses

To test the configuration, simply use ldapsearch/dxsearch to connect to the applicable Directory server from one of the excluded addresses.

From the LDAP client (excluded address) perspective, you will see that it will fail to connect:

ldapsearch -h 155.35.166.128 -p 20389 -b "o=Democorp,c=AU" -s sub "(oc=*)"
ldap_bind: Can't contact LDAP server (-1)

When connected to the DSAs DXconsole or reviewing the DSA logs, you will see a warning generated which reads:

[208] 20101119.112801.506 WARN : Call from aaa.bbb.ccc.ddd:2385 blocked by 'exclude' list