This ensures that any user who tries to connect via the
nsp interface, and who is not in the nsp interface's VIA
list but does exist in the nhp VIA list, will be rejected
and will not be able to establish a connection via nsp.
The same applies to the nhp interface. Alternatively,
by simply adding a list of VIA entries to the nhp interface
(and leaving the nsp VIA list empty), any user trying
to connect via the nsp interface who is found in any other
interface's VIA list will be rejected. This allows you
to tie specific users to specific interfaces.

The default behaviour for all interfaces is that when
no VIA lists exist on any defined interface, all users
can connect on any interface (realm ACLs permitting).
When a user subject exists in an interface's VIA list,
that subject cannot use any interface other than the
one it is listed on.

This is an extra level of security that allows administrators
of Realm Servers to define a strict approach to who
can connect to the realm via specific protocols. This
is particularly useful if, for example, you run many services
on a single Nirvana realm server and wish to ensure
that specific clients or groups of clients use
completely separate interfaces.

Interface ACL (VIA List)

In order to view the VIA list for an interface, select
the realm where the interface is running, and then select
the 'Interfaces' tab in the Enterprise Manager. From
the interface list for the realm, select the interface
from the table of interfaces, and choose the tab labelled
'VIA' from the bottom of the interface panel. The image
below shows the result of an ACL entry being added to
the default socket interface running on port 9000. By
adding this entry, the user johnsmith@192.168.1.2 can
only use the nsp0 interface, which is using the sockets
protocol on port 9000.

As with all Nirvana ACLs, wildcards are fully supported,
so that, for example, *@192.168.1.2 and johnsmith@* are
both valid, enforceable VIA rules.
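
A small Python model of the VIA decision described above, useful for checking what a planned set of VIA entries would permit before applying it. It is an added example, not Nirvana code: the nhp0 interface, its entry and the sample subjects are constructed, realm ACLs are not modelled, and treating a subject that is listed nowhere as unrestricted even when the target interface has a non-empty list is an assumption.

```python
import re

# Constructed sample configuration: interface name -> VIA entries.
# nsp0 and its entry come from the page; nhp0 and its entry are assumptions.
VIA_LISTS = {
    "nsp0": ["johnsmith@192.168.1.2"],
    "nhp0": ["*@10.0.0.5"],
}

def subject_matches(entry, subject):
    """True if a user@host subject matches a VIA entry ('*' = any run of chars)."""
    # Assumption: '*' is the only wildcard and matching is case-sensitive.
    pattern = ".*".join(re.escape(part) for part in entry.split("*"))
    return re.fullmatch(pattern, subject) is not None

def listed_on(via_lists, subject):
    """Names of the interfaces whose VIA list has an entry matching subject."""
    return {
        name for name, entries in via_lists.items()
        if any(subject_matches(entry, subject) for entry in entries)
    }

def may_connect(via_lists, interface, subject):
    """Apply the VIA rule from the text to one connection attempt."""
    pinned = listed_on(via_lists, subject)
    if not pinned:
        # Listed nowhere: unrestricted. Covers the "no VIA lists at all" default.
        # Assumption: this also holds when the target list is non-empty.
        return True
    # Listed somewhere: only the interface(s) that list the subject are usable.
    return interface in pinned

def audit(via_lists, subjects):
    """Map each subject to the sorted interfaces it may use."""
    return {
        s: sorted(i for i in via_lists if may_connect(via_lists, i, s))
        for s in subjects
    }

if __name__ == "__main__":
    sample = ["johnsmith@192.168.1.2", "batch@10.0.0.5", "guest@172.16.0.9"]
    for subject, interfaces in audit(VIA_LISTS, sample).items():
        print(f"{subject:26} -> {', '.join(interfaces)}")
```

Running the audit over every known client subject shows which subjects remain unpinned and can therefore still reach every interface.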

Interface VIA entries can be added by clicking the
'Add' button on the VIA panel and entering the
subject. Entries can be removed by selecting the entry
and clicking the 'Delete' button.

Any changes to the interface VIA list will not take
effect at the server until the 'Apply' button has been
clicked on the VIA panel. Changes can also be discarded
without updating the server by clicking the 'Cancel'
button on the VIA list panel.