Trusted Hosts

All realms support the notion of trusted hosts. By default, if no user ID is specified, the currently logged-in system user ID is used. Authentication credentials (in realms that use them) are not required when a request originates from a trusted host and the requester does not provide a user ID (thereby defaulting to the current system username). Realms can override this behavior.

You can specify a list of trusted hosts as part of the node's initial configuration, and you can later update the trusted host list with an epadmin command to a running node.

Specify the node's initial trusted host list with a configuration file of type security with root object TrustedHosts.

The node's host machine is always trusted by default, so you do not need to specify localhost, or or ::1.

You can provide a comma-separated list of hosts in any of the following formats:

  • Simple host names

  • Fully qualified domain names

  • Partially qualified domain names

  • IPv4 single addresses

  • IPv6 single addresses

  • CIDR blocks of IPv4 addresses

After the node is installed and running, you can use epadmin load configuration to load a new TrustedHosts configuration file. You can then deactivate the current configuration and activate the new one. See epadmin help configuration for assistance.

There can be only one active trusted host configuration per node.

Even when switched to an enterprise-level realm such as LDAP or OIDC that requires and manages credentials for each user, you can still require connections to a node to originate from a trusted host. This adds white list security on top of the realm's authentication security to further narrow the range of authorized users.