1.2 Restricting Access to ZENworks Control Center

1.2.1 Restrict Access to ZCC Using an IP Address Range

To restrict access to ZENworks Control Center from a subnet or an IP address range, perform the following steps:

  1. Stop the ZENmonitor, ZENserver and ZENloader services.

  2. Back up the existing /opt/novell/zenworks/share/tomcat/webapps/zenworks/WEB-INF/web.xml file. This file might get deleted while modifying the configuration.

  3. (Conditional) If the META-INF folder is not available, create the META-INF folder in the /opt/novell/zenworks/share/tomcat/webapps/zenworks/ location.

  4. (Conditional) If the context.xml file is not available, create the context.xml file in the /opt/novell/zenworks/share/tomcat/webapps/zenworks/META-INF/ folder.

  5. Add the following XML data in the context.xml file:

    <?xml version="1.0" encoding="UTF-8"?>
    <Context docBase="zenworks" crossContext="true" >
     <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="10\.71\.67\.\d+|10\.71\.66\.\d+"/>
    </Context>

  6. Based on whether you want to provide or deny access, make the relevant edits to the context.xml file:

    • To allow access to a certain series of IP addresses: Configure the following line to include the relevant IP address series. For example: <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="10\.71\.67\.\d+|10\.71\.66\.\d+"/>

    • To deny access to a certain series of IP addresses: Configure the following line to include the relevant IP address series. For example: <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="10\.71\.67\.\d+|10\.71\.66\.\d+"/>

      If the allow attribute is configured, all other IP address ranges are denied by default and vice versa.

      NOTE: Tomcat 7 uses regular expressions for RemoteAddrValve, and only one of allow or deny can be used at a time in the XML file.

  7. To deny or allow access to the zenworks web service, place the edited context.xml file in the zenworks web-service folder.

  8. Start the ZENserver, ZENloader and ZENworks Service Monitor services.

To remove the restrictions based on IP addresses, you need to undo the changes listed in the steps above.

1.2.2 Restrict Access to ZCC Using Individual IP Addresses

To restrict access to ZENworks Control Center from a subnet or an IP address, perform the following steps:

  1. Stop the ZENmonitor, ZENserver and ZENloader services.

  2. (Conditional) If the META-INF folder is not available, create a folder named META-INF in the %zenworks_home%/share/tomcat/webapps/zenworks directory.

  3. (Conditional) If the context.xml file is not available, create the context.xml file and add it to the META-INF folder. The context.xml file should include the following content, with the IP address list to which you want to allow or deny access:

    <?xml version='1.0' encoding='utf-8'?>
    <Context>
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"  allow="<IP Address 1>|<IP Address 2>|.......<IP Address n>"/>
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"   deny="<IP Address 1>|<IP Address 2>|.......<IP Address n>"/>
    </Context>

  4. Based on whether you want to allow or deny access, make the relevant edits to the context.xml file:

    • To allow only a certain list of IP addresses, configure the following line to include the relevant IP addresses. For example: <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="10\.71\.67\.\d+|10\.71\.66\.\d+"/>

    • To deny a certain list of IP addresses, configure the following line to include the relevant IP addresses. For example: <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="10\.71\.67\.\d+|10\.71\.66\.\d+"/>

      If the allow attribute is configured, all other IP addresses are denied by default and vice versa.

      NOTE:

      • Multiple IP addresses are accepted using the "|" delimiter, and the dot character in each IP address should be escaped using the "\" character.

      • In the context.xml file, you can use either the allow or the deny attribute. Both attributes cannot be used together.

  5. Delete the %zenworks_home%/share/tomcat/work folder.

  6. Start the ZENmonitor, ZENserver, and ZENloader services.

If you want to make changes to the IP address range (allow or deny attribute value):

  1. Stop the ZENmonitor, ZENserver and ZENloader services.

  2. Delete the %zenworks_home%/share/tomcat/conf/Catalina/localhost/zenworks.xml file.

  3. Make the IP address changes in the context.xml file.

  4. Start the ZENmonitor, ZENserver, and ZENloader services.

NOTE:

  • Ensure that you back up the META-INF folder before you perform a system update. This will enable you to re-create this folder if it is deleted after a system update.

  • To remove the restrictions based on IP addresses, undo the changes listed in the steps above.
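
A check to run before restarting the services, covering the context.xml edits in both 1.2.1 and 1.2.2. It is an added example, not part of the ZENworks documentation or product. It reads the RemoteAddrValve allow or deny pattern and reports which test addresses would be let through, so you can confirm your own administration host is not locked out. Assumptions: the pattern must match the whole address, Python's re module stands in for Java's regex engine, and the sample XML, test addresses, and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

VALVE = "org.apache.catalina.valves.RemoteAddrValve"

# Constructed sample; the allow pattern is the one shown in the steps above.
CONTEXT_XML = r'''<?xml version="1.0" encoding="UTF-8"?>
<Context docBase="zenworks" crossContext="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="10\.71\.67\.\d+|10\.71\.66\.\d+"/>
</Context>'''


def load_rules(context_xml):
    """Return (allow, deny) compiled patterns from the RemoteAddrValve entries."""
    root = ET.fromstring(context_xml.encode("utf-8"))
    allow = deny = None
    for valve in root.iter("Valve"):
        if valve.get("className") != VALVE:
            continue
        if valve.get("allow"):
            allow = re.compile(valve.get("allow"))
        if valve.get("deny"):
            deny = re.compile(valve.get("deny"))
    if allow is not None and deny is not None:
        raise ValueError("use either allow or deny, not both")
    if allow is None and deny is None:
        raise ValueError("no RemoteAddrValve allow/deny attribute found")
    return allow, deny


def is_allowed(addr, allow, deny):
    """Whole-address match: allow-only denies the rest, deny-only allows the rest."""
    if deny is not None:
        return deny.fullmatch(addr) is None
    return allow.fullmatch(addr) is not None


def check(context_xml, addresses):
    """Map each address to True (let through) or False (rejected)."""
    allow, deny = load_rules(context_xml)
    return {a: is_allowed(a, allow, deny) for a in addresses}


if __name__ == "__main__":
    # Constructed test addresses: two inside the allowed series, two outside.
    sample = ["10.71.67.20", "10.71.66.5", "10.71.68.20", "192.0.2.10"]
    for addr, ok in check(CONTEXT_XML, sample).items():
        print(f"{addr:15} {'ALLOW' if ok else 'DENY'}")
```

Point it at the real file by passing the contents of META-INF/context.xml to check() together with the addresses of the hosts that must keep access.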