Copyright © TIBCO Software Inc. All Rights Reserved
Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 3 Managing Access Control Lists : Monitoring Access Control

Monitoring Access Control
You can use several show commands to monitor access control configuration and status.
show product-key
To view the system product keys and features that they unlock, enter the show product-key User EXEC command:
tibco> show product-key
Example:
tibco> show product-key
Product Key : LLLLLLLLLLL-LLLLLLLLLLL-LLLLLLLLLLL-HHHH
Unlocked Features : 1
Access Control Lists (ACLs)
show profile-mapping
To view the configuration of mapping profiles on the P-7500 system, enter the show profile-mapping User EXEC command:
tibco> show profile-mapping [username <name>] [service <mapped-service>] [default]*
Where:
name is the user name of the client. User names are case sensitive.
mapped-service is the Rendezvous Service, specified as a decimal value from 0 to 65,535.
default asks to the profile mapping named default
Entering no username or service displays all profile mappings.
Example:
tibco> show profile-mapping
 
Username :
Service :
ACL Profile : default
 
Username : bob
Service :
ACL Profile : default
show acl client-connect
To view the current client connection control access configuration, enter the show acl client-connect User EXEC command:
tibco> show acl client-connect
Example:
tibco> show acl client-connect
Client Connect Default Action : allow
Exceptions : 3
123.123.123.123/32
123.123.123.0/24
123.123.122.0/24
show acl profile
To view the current ACL profile configurations, enter the show acl profile User EXEC command:
tibco> show acl profile name [detail]
Where:
name is the name of the specified ACL profile. Entering the wildcard character * for the name displays all ACL profiles.
detail asks to show detailed ACL profile information
Examples:
tibco> show acl profile *
 
        Publish      Subscribe
Profile Name  Allow/#Except    Allow/#Except
---------------------------------------------------------------------------------------------
another-acl-profile-name yes / 1        yes / 0
default       no / 0       no / 1
other-acl-profile-name  yes / 2        no / 2
some-acl-profile-name yes / 1       yes / 123
 
tibco> show acl profile other-acl-profile-name
 
Profile Name : other-acl-profile-name
Publish Subject Default Action : allow
Exceptions : 2
a.specific.subject.that.is.not.allowed
a.wildcard.subject.that.is.not.allowed.>
Subscribe Subject Default Action : disallow
Exceptions : 2
a.specific.subject.that.is.allowed
a.wildcard.subject.that.is.allowed.>
show log acl
To view the ACL log for the last 1000 most recent service denials regarding client connections, publishing subjects, or subscription subjects, enter the show log acl User EXEC command:
tibco> show log acl [client-connect | publish-subject | subscribe-subject] [wide]
Where:
client-connect asks to show service denial logs relating only to client connection ACLs
publish-subject asks to show service denial logs relating only to publishing subject ACLs
subscribe-subject asks to show service denial logs relating only to subscription subject ACLs
wide asks to show ACL log information in a wide screen computer display format (300+ character width)
Note: Entering no command parameters displays service denial log information for all ACLs.
Examples:
tibco> show log acl client-connect wide
 
Most recent ACL client-connect denials (max 1000):
-------------------------------------------------------------------------------------
 
tibco> show log acl publish-subject
 
Most recent ACL publish-subject denials (max 1000):
Timestamp
2008-07-29T16:50:46-0400
2008-07-29T16:50:48-0400
2008-07-29T16:50:50-0400
2008-07-29T16:50:52-0400
Username
johndoe123456789$
johndoe
janedoe
fallguy
Subject
a100.b100.c100.d100.e100.f100.g100.$
a100.b100
b100.c100
d100.e100
To clear the global statistics information on ACLs, run the clear stats acl command from the Privileged EXEC level:
tibco> enable
tibco# clear stats acl
To clear the ACL log either globally, or individually for client connections, publishing subjects, or subscription subjects, run the clear log acl command from the Privileged EXEC level:
tibco> enable
tibco# clear log acl [client-connect | publish-subject | subscribe-subject]
Where:
client-connect asks to clear service denial logs relating only to client connection ACLs
publish-subject asks to clear service denial logs relating only to publishing subject ACLs
subscribe-subject asks to clear service denial logs relating only to subscription subject ACLs
Note: Entering no command parameters clears service denial log information for all ACLs.
show stats acl
To view global statistics information on ACLs, enter the show stats acl User EXEC command:
tibco> show stats acl
Example:
tibco> show stats acl
 
Reason           # Denials
----------------------------------------------------------------------
Client Connect   123
Publish Subject  987
Subscribe Subject 456
To clear the global statistics information on ACLs, run the clear stats acl command from the Privileged EXEC level:
tibco> enable
tibco# clear stats acl

Copyright © TIBCO Software Inc. All Rights Reserved
Copyright © TIBCO Software Inc. All Rights Reserved