Use the remote access control file to prevent remote dumps and loads, and execution of remote procedure calls (RPCs) from any client or server that is running on unauthorized servers.
Authorization to dump to, or load from, Backup Server is achieved by including the authorized hosts in the hosts.allow file. The default name of the file is hosts.allow, which is by default located in $SYBASE. You can change the location and file name using:
backupserver -h full_path_name/hosts.allow
When you start Backup Server, the location of the file is shown in the error log. For example:
Backup Server: 1.88.1.1: The hosts authentication file used by the backup server is '/remote/myServer/ase157x/SMP/release/hosts.allow'.
If you do not specify a file, $SYBASE/hosts.allow is used. If the location of the file is a relative path, the path is replaced by the absolute path using the directory in which the Backup Server has been started. For example, if you start Backup Server from /usr/u/myServer and Backup Server is started with:
backupserver -h./myhosts.allow
The error log shows:
Backup Server: 1.88.1.1: The hosts authentication file used by the backup server is '/usr/u/myServer/./myhosts.allow'.
If the file hosts.allow does not exist, dump or load commands, or remote procedures, fail.
The format for hosts.allow is:
host_name_running_backupserver [ \t*][,][ \t*] host_name_trying_to_connect
host_name_running_backupserver: hostname | hostname.domain | ipv4 address | ipv6 address
host_name_trying_to_connect: hostname | hostname.domain | ipv4 address | ipv6 address | +
The '+' sign can be used as a wildcard to allow remote dumps to, or loads from, any Backup Server running on the specified host.
Example:
# Example of hosts.allow file
# Development machine imetsol1 allows access from everywhere
imetsol1 +
# Group development machine marslinuxX allow access from other
# marslinuxX machines only
marslinux1 marslinux2
marslinux1 marslinux3
marslinux2 marslinux1
marslinux2 marslinux3
marslinux3 marslinux1
marslinux3 marslinux2
The recommended file permission for UNIX is no greater than 640. For Windows, ensure that only authorized users are granted access to the file.
On UNIX, if the file's permissions are more permissive than 640, you see a warning similar to:
Backup Server: 1.86.1.1: Warning: The file './hosts.allow' has an unsafe permission mask 0664. The recommended value is 0640.
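The following Python check is an added example, not part of the original documentation or of Backup Server. It parses a hosts.allow file using the grammar above, reports '+' wildcard and malformed entries, and flags permission bits beyond 640. The function names and the sample file are constructed for illustration, and treating '#' lines as comments is an assumption based on the sample file shown earlier.

```python
import os
import re
import stat
import tempfile

# Two host fields separated by whitespace and/or one comma, per the page's grammar.
ENTRY = re.compile(r"^([^\s,]+)(?:[ \t]*,[ \t]*|[ \t]+)([^\s,]+)$")

def audit_hosts_allow(path):
    """Return (line_no, finding) pairs; line 0 refers to the file itself."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & ~0o640:  # any bit beyond rw-r----- is more permissive than 640
        findings.append((0, f"unsafe permission mask {mode:04o}, recommended 0640"))
    with open(path, encoding="utf-8") as fh:
        for no, raw in enumerate(fh, 1):
            line = raw.strip()
            # Assumption: '#' starts a full-line comment, as in the page's sample.
            if not line or line.startswith("#"):
                continue
            m = ENTRY.match(line)
            if not m:
                findings.append((no, f"malformed entry: {line!r}"))
                continue
            server, client = m.groups()
            if server == "+":
                findings.append((no, "'+' is only valid as the connecting host"))
            elif client == "+":
                findings.append((no, f"wildcard '+' entry for {server}"))
    return findings

# Constructed sample reusing host names from the page's example.
SAMPLE = """# constructed sample
imetsol1 +
marslinux1 , marslinux2
marslinux2
+ marslinux3
"""

def demo():
    """Write SAMPLE with mode 0664 to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hosts.allow")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o664)
        return audit_hosts_allow(path)

if __name__ == "__main__":
    for no, finding in demo():
        print(f"line {no}: {finding}")
```

Wildcard findings are not errors in themselves; they mark entries to review against the list of hosts that are meant to reach each Backup Server.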
On Windows, if you have not established permissions, or if access is granted to everyone, you see a warning similar to:
Backup Server: 1.87.1.1: Warning: The file './hosts.allow' either has no access control or one of the entries allows access to everyone. It is recommended that only the owner has permission to access the file.
If you attempt to load to, or dump from, a remote Backup Server that does not have the appropriate access control record, you see the error:
Backup Server: 5.16.2.2: Client-Library error: Error number 44, Layer 4, Origin 1, Severity 4: ct_connect(): protocol specific layer: external error: The attempt to connect to the server failed.
Backup Server: 5.3.2.1: Cannot open a connection to the slave site 'REMOTE_BS'. Start the remote Backup Server if it is not running.
If you attempt to execute an RPC on a remote Backup Server that does not have the appropriate access control record, you see the error:
Msg 7221, Level 14, State 2:
Server 's', Line 1:
Login to site 'REMOTE_BS' failed.