SPS connection policies

Hello,

I configured two different SPS connections under "SSH Control". Is it possible to make them both work using the SPP-initiated workflow? I ask because when I create the ARP on the SPP, the only options shown under SPS connection policy are "safeguard_default" and "SPS initiated workflow". How is it possible to add the connection created on the SPS to the SPP?

Thank you

  • Hi,

    When you join SPP and SPS, the SSH connection policy (safeguard_default) is auto-generated and used by default for SSH sessions on port 22.

    SPS checks connection policies from the top in order, so if the first connection policy matches then it wins the session and no other connection policies will be used if assigned the same port.

    Therefore, it would not be possible to use two SPS connection policies with the same port, as only the first one would always win.

    Not clear on the use case you are looking to implement with two connection policies for SSH sessions, but I would suggest consulting with the PSO team on new configurations for a solution based on what you are looking to accomplish.

    Thanks!

  • Hello Tawfiq,

    Let me explain the use case better!

    My aim is to create and test a new channel policy that is connected to a new content policy (the term "new" means that it is not part of the safeguard_default connection). So, I created a different SSH connection, test_connection, and I inserted the same info as the safeguard_default one, except for the content policy.

    The problem now is that when I try to connect to a target (using the SPP-initiated workflow), safeguard_default is always the chosen connection. Even though I moved the most recently created row up on the SPS connections portal, I'm not able to get this connection selected.

    So I wondered if it is necessary to make some change on the SPP side, maybe changing "Entitlement > ARP > Security tab > SPS connection policy", but I only see the safeguard_default one.

    Hope I was clear enough, thank you!

  • Hello Tawfiq,

    Let me try to explain better my use case:

    - as we joined SPP and SPS, the "safeguard_default" connection was automatically created and, as we decided to use the SPP-initiated workflow, in the ARP on the SPP the SPS connection policy chosen is always "safeguard_default"

    - I configured a new connection policy under SSH Control on the SPS because I needed to test some features (channel policy and content policy in detail)

    Now, if I try to make a new request toward a target, even though the first connection under SSH Control is the new one, it always selects safeguard_default, so I am not able to test these features. I was wondering if in this case I should change the SPP connection policy (as it stands now it does not seem to be possible, because in the drop-down menu I only see safeguard_default and SPS initiated workflow) or in which way I can simultaneously use two different SPS SSH connections.

    Thank you!

    If the purpose of this is to test a different channel rule with a content policy, then it may be easier to keep the same default SSH connection policy and, inside the Channel Policy, add a new channel rule > select "Session Shell", select the Content policy you wish to test, specify a target server either by IP address or hostname, and then move this rule to the top of the Channel Policy.

    In this case you would have the default channel policy "safeguard_default", but inside it there are two Session Shell channel rules:

    1. the first session shell rule, which has the content policy selected and the target server to which this content policy will apply

    2. the second session shell rule, which is the original one and does *not* have any content policy or target listed.

    This way, if the session is going to the target server in the top channel rule, then the content policy is applied.

    If the session is pointed to a different target, then the second channel rule applies and no content policy is applied.

    Hope this helps.

    Thanks!
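The channel rule ordering described in the reply above, as an added example that is not part of this thread or of SPS itself: a constructed Python model of one channel policy holding two Session Shell rules, evaluated top-down. The rule fields, target addresses and policy names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class ChannelRule:
    """One row of a channel policy (field names are assumptions, not SPS's schema)."""
    channel: str                          # e.g. "session-shell"
    content_policy: Optional[str] = None  # None = no content policy attached
    targets: Tuple[str, ...] = ()         # empty = rule matches any target server

def match_channel_rule(rules, channel, target):
    """Evaluate channel rules top-down and return the first that matches.

    Mirrors the ordering described in the thread: a rule with a target list
    only matches those servers, a rule without one matches any server.
    """
    for rule in rules:
        if rule.channel != channel:
            continue
        if rule.targets and target not in rule.targets:
            continue
        return rule
    return None  # nothing matched: the channel would not be allowed

def content_policy_for(rules, target, channel="session-shell"):
    """Content policy that the first matching rule attaches, or None."""
    rule = match_channel_rule(rules, channel, target)
    return rule.content_policy if rule else None

# Constructed channel policy laid out as the reply suggests:
# rule 1 = session shell with the content policy under test, limited to one
# target; rule 2 = the original catch-all session shell rule.
SUGGESTED = (
    ChannelRule("session-shell", content_policy="test_content_policy",
                targets=("10.0.0.5", "testhost.example.local")),
    ChannelRule("session-shell"),
)

# Same two rules in the wrong order: the catch-all rule sits on top, so the
# content-policy rule is never reached for any target.
WRONG_ORDER = (SUGGESTED[1], SUGGESTED[0])

if __name__ == "__main__":
    for target in ("10.0.0.5", "10.0.0.9"):
        print(target, "suggested:", content_policy_for(SUGGESTED, target),
              "wrong order:", content_policy_for(WRONG_ORDER, target))
```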

  • If the SPS connection policy does not appear on the SPP side then there is possibly some missing configuration on the SPS side > SPS connection policy.

    Did you enable the checkbox "Share connection policy with SPP" inside of the new SPS connection policy?

    Are you planning on using both connection policies at the same time? If so, that would not work if both are using the same port number.

    Thanks!