EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: Re: separate ca/pva ports for r/w and r/o access?
From: "Johnson, Andrew N. via Core-talk" <core-talk at aps.anl.gov>
To: Zimoch Dirk <dirk.zimoch at psi.ch>, "core-talk at aps.anl.gov" <core-talk at aps.anl.gov>
Date: Fri, 26 Jan 2024 18:37:52 +0000

The IOC servers can't do what you're trying, any port they accept connections through will be r/w unless you configure Access Security for the clients, in which case you don't need the second port. Michael added IP address support to the access security system fairly recently (I forget if you have to turn it on though), so if you know what all the IP addresses or DNS names are of one or the other client groups (r/w or r/o) you can just set up an access security file with a HAG containing just those addresses. I forget whether it allows for subnet addresses. However, that only works for IOCs running recent-enough versions of Base.

It would be relatively easy to run separate CA (and PVA) gateways on other ports to provide read-only access; this would work for all EPICS versions.

- Andrew

-- 

Complexity comes for free, Simplicity you have to work for.

On 1/26/24, 10:50 AM, "Core-talk" <core-talk-bounces at aps.anl.gov> wrote:

Hi folks,

Today someone asked me if it is possible to filter write access to records with
a firewall. The idea is to run a read/write server and a read-only server on the
same IOC on two different ports.

I guess the answer is no. At least my attempts to start two CA servers on the
same IP address failed. I tried:
EPICS_CAS_INTF_ADDR_LIST="<my IP> <my IP>:5070"
But it seems ports are ignored in EPICS_CAS_INTF_ADDR_LIST.
Also, I would not know how to make a server readonly. All

Would this be a "simple" way to handle write access filtering per firewall
rules, opening the r/w port only to selected client IP addresses?

Dirk
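The access-security route Andrew describes, as an added illustration that is not part of this thread: a constructed access security file whose default group lets every client read but restricts writes to one host access group (HAG) listed by address. The host names and addresses are placeholders, and the `asCheckClientIP` variable in the startup fragment is an assumption about how recent Base versions enable IP-address matching in HAG entries; verify it against the release notes of the Base version on the IOC.

```acf
# Constructed example access security file; not from the mailing-list thread.
# Hosts allowed to write. Entries are placeholders, not real machines.
# IP-address entries need a Base version with HAG IP support (see st.cmd below).
HAG(rw_hosts) { "console1.example.org", "192.0.2.10" }

# ASG(DEFAULT) applies to every record whose ASG field is empty.
ASG(DEFAULT) {
    # Level 1 covers records with ASL 0 and ASL 1, i.e. everything.
    # Any client may read ...
    RULE(1, READ)
    # ... but only clients connecting from rw_hosts may write.
    RULE(1, WRITE) { HAG(rw_hosts) }
}

# Records that must never be written over the network, even from rw_hosts,
# can set their ASG field to "readonly" and pick up this group instead.
ASG(readonly) {
    RULE(1, READ)
}

# --- IOC startup (st.cmd) fragment, iocsh syntax ---------------------------
# Assumption: asCheckClientIP enables matching HAG entries against the
# client's IP address instead of only its resolved host name. Must be set
# before iocInit. Check your Base release notes for the exact variable.
#var(asCheckClientIP, 1)
# Path is a placeholder; asSetFilename must also run before iocInit.
#asSetFilename("/path/to/placeholder.acf")
#iocInit
```

Because the rule is evaluated per client connection rather than per port, a single CA or PVA server port is enough: clients outside `rw_hosts` see every PV but get a write error on `caput`. That is also what makes this a complement to, not a replacement for, a firewall rule: the firewall decides who may reach the port at all, the ACF decides what a connected client may do.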


Replies:
Re: separate ca/pva ports for r/w and r/o access? Ralph Lange via Core-talk
References:
separate ca/pva ports for r/w and r/o access? Zimoch Dirk via Core-talk