CA Directory r12.0 SP4 now includes the ability to block specific IP addresses. This is incredibly useful in preventing problem servers from connecting to your Directory.
Configuring excluded addresses
To configure the exclude list, add the "exclude-addresses" configuration command to the DSA's configuration files.
The command takes the following form:
set exclude-addresses = [ipv4 | ipv6] <address> [, ...];
Some command examples include:
set exclude-addresses = ipv4 ComputerHostname;
set exclude-addresses = ipv4 "host.domain.com";
set exclude-addresses = ipv4 "aaa.bbb.ccc.ddd";
set exclude-addresses = ipv4 Server1, Server2, Server3;
set exclude-addresses = ipv4 Server1, Server2, Server3, ipv6 "fe80::8dd3:2004:13aa:e39b%12";
Save the file, and run "dxsyntax" to confirm that the command has been specified correctly.
Once the DSA has been started, you can confirm that it has loaded the configuration by connecting to the DSA's DXconsole port and running the command "get stack;".
The output will look like:
Welcome to the DSA Management Console
dsa> get stack;
dap-psap = ""
dsp-psap = ""
disp-psap = "DISP"
addresses = 18.104.22.168:20389
snmp-port = 20389
console-port = 20390
snmp-description = DXserver r12.0 (build 4457) Windows_NT/DXgrid 32-Bit
snmp-contact = [email protected]
snmp-name = optus
snmp-location = http://www.ca.com
snmp-poll-community =
snmp-trap-community = public
xm-free-lists = 0
xm-total-memory = 2052629
SSL:
cert-dir = config/ssld/personalities
ca-file = config/ssld/trusted.pem
fips = FALSE
slot = -1
exclude-addresses = aaa.bbb.ccc.ddd, aaa.bbb.ccc.dde, aaa.bbb.ccc.ddf, [fa81:0:0:1:8ea2:1001:12bb:e31b%73]
Testing excluded addresses
To test the configuration, simply use ldapsearch/dxsearch to connect to the applicable Directory server from one of the excluded addresses.
From the LDAP client (excluded address) perspective, you will see that it will fail to connect:
ldapsearch -h 22.214.171.124 -p 20389 -b "o=Democorp,c=AU" -s sub "(oc=*)"
ldap_bind: Can't contact LDAP server (-1)
When connected to the DSA's DXconsole or reviewing the DSA logs, you will see a warning generated which reads:
 20101119.112801.506 WARN : Call from aaa.bbb.ccc.ddd:2385 blocked by 'exclude' list
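Monitoring blocked calls: the following Python script is an added example, not part of the original article or of CA Directory. It scans DSA log lines for the warning format shown above and reports how often, and over what period, each excluded address tried to connect. The sample log lines are constructed with documentation addresses, and the bracketed form for IPv6 peers in the log is an assumption based on the "get stack;" output.

```python
import re
from datetime import datetime

# Warning format as shown in the article: timestamp, WARN, peer address:port.
BLOCKED = re.compile(
    r"^\s*(?P<ts>\d{8}\.\d{6}\.\d{3}) WARN : "
    r"Call from (?P<peer>\S+):(?P<port>\d+) blocked by 'exclude' list"
)

# Constructed sample log lines (documentation addresses, not real hosts).
SAMPLE_LOG = [
    "20101119.112801.506 WARN : Call from 192.0.2.10:2385 blocked by 'exclude' list",
    "20101119.112802.100 WARN : Call from 192.0.2.10:2386 blocked by 'exclude' list",
    "20101119.112805.000 WARN : Call from [2001:db8::5]:40112 blocked by 'exclude' list",
    "20101119.112806.250 WARN : Some unrelated warning",
    "20101119.112809.900 WARN : Call from 192.0.2.10:2390 blocked by 'exclude' list",
]

def summarize_blocked(lines):
    """Return {address: {"count", "first", "last"}} for blocked calls."""
    stats = {}
    for line in lines:
        m = BLOCKED.match(line)
        if not m:
            continue  # not an exclude-list warning
        ts = datetime.strptime(m.group("ts"), "%Y%m%d.%H%M%S.%f")
        # Assumption: IPv6 peers are logged in brackets; strip them if present.
        addr = m.group("peer").strip("[]")
        entry = stats.setdefault(addr, {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return stats

def repeat_sources(stats, min_count):
    """Addresses blocked at least min_count times, busiest first."""
    hits = [(s["count"], a) for a, s in stats.items() if s["count"] >= min_count]
    return [a for _, a in sorted(hits, reverse=True)]

if __name__ == "__main__":
    for addr, s in summarize_blocked(SAMPLE_LOG).items():
        print(f"{addr}: {s['count']} blocked, {s['first']} .. {s['last']}")
```

An excluded address that keeps appearing in this summary points to a client that is still configured to use the DSA and should be corrected at the source.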