manualshive.com logo in svg

IBM Safenet/400, Reference Manual, Page: 32 / 172

Share
Download
IBM Safenet/400 Reference Manual Download Page 32

 

2.2

 

 SafeNet/400 

Reference 

Guide  

 

©

 Copyright 2008 MP Associates of Westchester, Inc. 

 

V8.50  - May 2008 

 

 

SafeNet/400 Server Function Security Levels 

 

 
Level 1: 

 

• 

IBM default 

• 

Unlimited access, all requests accepted  

• 

Requests can be logged, reporting available 

• 

Performance impact - none 

 

 
Level 2: 

 

• 

No access at all, all requests for server are rejected 

• 

Requests can be logged, reporting available 

• 

Performance impact - not a consideration 
 

 
Level 3: 

 

• 

Access granted on a user-by-user basis to the server 

• 

Requests can be logged, reporting available 

• 

Performance impact – minimal 

• 

TELNET requires use of the TCP/IP control table 

 

 
Level 4: 

 

• 

Access granted on a user to server and object and command basis 

• 

Requests can be logged, reporting available 

• 

Performance impact – higher 
 
Level 4 requires authority to the server function and additionally requires table 
entries for proper authorization to individual or generic objects and/or folders by 
user profile.  Data rights such as read/write and object management rights can be 
assigned on an individual basis.  
 
Level 4 on the 

DDM, FTP

 or 

Remote Command/Program Call Server

 requires 

setting up authorities to CL commands.  
 
For 

DDM, FTP

 or 

Remote Command/Program Call Server

, all commands are 

restricted. 

 

 
 
 

Summary of Contents for Safenet/400

Page 1: ...SAFENET 400 REFERENCE GUIDE Version 8 50 2008 MP Associates of Westchester Inc ...

Page 2: ... Systems 89 Church Street Saranac Lake New York 12983 Phone 518 897 5002 Fax 518 897 5003 SafeNet 400 Website http www kisco com safenet SafeNet 400 Support Website http www kisco com safenet support Visit the SafeNet 400 Web Site at HTTP WWW KISCO COM SAFENET ...

Page 3: ... FROM SAFENET 400 1 21 MAINTAIN ALL SECURITY FOR A USER 1 22 SETTING UP TIME OF DAY CONTROLS 1 23 CHAPTER 2 SETTING UP SERVERS 2 1 RECOMMENDED SERVER SETTINGS 2 6 ENTERING SERVER FUNCTION SECURITY LEVELS 2 9 CUSTOMER EXIT PROGRAMS 2 11 CHAPTER 3 TELNET TCP IP ADDRESS CONTROLS 3 1 SETTING UP TELNET 3 1 SETTING UP TCP IP ADDRESS CONTROLS 3 6 CHAPTER 4 SETTING UP FTP 4 1 SETTING UP FOR ANONYMOUS FTP ...

Page 4: ...REMOVING SAFENET 400 9 1 DE ACTIVATING SAFENET 400 9 1 REMOVING SAFENET 400 FROM YOUR SYSTEM 9 3 CHAPTER 10 PROBLEM DETERMINATION 10 1 ERROR MESSAGE RECEIVED ON THE SYSTEM I5 10 1 ERROR MESSAGE RECEIVED ON THE CLIENT 10 3 EXAMPLES OF CLIENT ERROR MESSAGES 10 7 ERROR CODES WHICH APPEAR IN THE LOG 10 9 ADDITIONAL TROUBLESHOOTING TIPS 10 11 CHAPTER 11 SPECIAL SAFENET 400 CONSIDERATIONS 11 1 RESETTING...

Page 5: ... Main Menu However if you are setting up a new user when you are finished with one screen you can use F9 to advance to the next without returning to the main menu If you want to skip a step you can cancel and return to the SafeNet 400 Main Menu Group Profiles If you have an unlimited user license for SafeNet 400 Group Profiles are available If so you may use F7 to toggle between the group profile ...

Page 6: ... that when you initially set up SafeNet 400 you set the Server Functions to log ALL and set the User to Server logging levels to either ALL or REJECTIONS Then after you have had some experience with checking the logs and interpreting the results you may want to make changes for specific user and server combinations An example of this might include certain trusted user profiles If you trust the use...

Page 7: ...nd can be executed by a user with SECADM or SECOFR authority A user profile must be set up as a SafeNet 400 Super Admin to perform the following Activate or deactivate SafeNet 400 Change copy remove the IBM supplied Q profiles settings in SafeNet 400 Use the WRKSRV CHGSPCSET CHGFTPSET commands A regular SafeNet 400 user or administrator does not have authority to the above functions Unless specifi...

Page 8: ...ese users can bypass the traditional SafeNet 400 security routines you can choose to simply log them or not log them From the Special Jobs Menu select Option 4 Maintain Super Users in SafeNet You can turn logging on or off for Super Trusted Users by using the CHGSPCSET command and changing the LOGUSER parameter to YES or NO Note This should only be used under conditions when you want NONE of the s...

Page 9: ...From the SafeNet 400 Main Menu select Option 2 Work with User to Server Security or use WRKUSRSRV command The Work User to Server Security Enter User Profile screen appears 2 Type the user profile you will be setting up or PUBLIC then ENTER If you would like a list of all user profiles on the system press F4 or type ALL To see a list of users already defined within SafeNet 400 type ALLDFN The Main...

Page 10: ...mn blank for that server 4 Enter the Logging Level for each server A All R Rejections only N No logging When you have finished setting up servers for this user press ENTER 5 Enter the Job Run Priority for each server Do this if you choose to override OS 400 job priority defaults The job priority will be set when the user accesses this server Valid job priorities are 00 the default through 99 A val...

Page 11: ...Option 3 Work with User to Object Level Security or use WRKUSROBJ command The Work User to Object Security screen is displayed 3 Type the user profile name the Group or PUBLIC then ENTER To list all of the user profiles on the system press F4 or type ALL To see a list of users already defined within SafeNet 400 type ALLDFN The Add New Object Authorization screen appears If you would like to see th...

Page 12: ...ary name Generic library names are not allowed Allowed entries for Object ALL Specific object Generic data program or System i5 object name followed by FIL NOT ALLOWED for object Long file or folder names 10 position maximum names over 10 are truncated Generic sub folder names FOLD Generic folder content names NOT ALLOWED for library Long folder names Generic folder names Generic library names ALL...

Page 13: ... steps for each object or group of objects for this user profile PageDown to the next screen if you need more lines ENTER when you have finished keying in all necessary objects and rights The Maintain Authorized Objects by User screen is refreshed and all the information you just entered is displayed Press F9 to continue to the next step setting up user authorities to SQL statements Reminder If yo...

Page 14: ...ciates of Westchester Inc V8 50 May 2008 Exclusions To give all users read access to all objects in all libraries but exclude them from any objects in the PAYROLL library give PUBLIC READ authority to the library and exclude PUBLIC from the PAYROLL library ...

Page 15: ...t 2008 MP Associates of Westchester Inc V8 50 May 2008 If the PAYDEPT profile needs to use objects in the PAYROLL library grant user profile PAYDEPT READ authority to the PAYROLL library This individual authority overrides the PUBLIC authority ...

Page 16: ...ct Option 4 Work with User to SQL Statement Security or use WRKUSRSQL command The Work User to SQL Statements screen is displayed 3 Type the user profile the Group or PUBLIC then ENTER If you would like a list of all user profiles on the system press F4 or type ALL To see a list of users already defined within SafeNet 400 type ALLDFN The Maintain Authorized SQL Statements screen appears 4 Type 1 i...

Page 17: ...of Westchester Inc V8 50 May 2008 If you would like to see the list of all users who have been defined within SafeNet 400 press F2 5 When finished making all your selections ENTER 6 Press F9 to advance to the next step setting up user authorities to FTP statements ...

Page 18: ...the SafeNet 400 Main Menu select Option 5 Work with User to FTP Statement Security or use WRKUSRFTP command The Work User to FTP Statements Enter User ID screen is displayed 3 Type the user profile or PUBLIC then ENTER If you would like a list of all user profiles on the system press F4 or type ALL To see a list of users already defined within SafeNet 400 type ALLDFN The Work with Authorized FTP S...

Page 19: ... at OS 400 V5R1 or higher If you are at a previous operating system level these settings have no effect For this user the initial Name Format and List Format will override the settings established by the OS 400 Change FTP Server Attributes command CHGFTPA Select the parameters as follows Encrypted For SSL connections this should be set to 0 or 2 For regular or non SSL connections leave this set to...

Page 20: ...YSTEM ONLY sent to run on the target system When authorizing users to the GET PUT sub commands the assumed object authority is reversed from authorities required for the FTP Server point and the same objects See the following examples Using FTP Client Sending an object to a remote system An FTP PUT of object ABC in an FTP Client session requires READ authority to object ABC on the local machine Ge...

Page 21: ... 400 Main Menu select Option 6 Work with User to CL Command Security or use WRKUSRCMD command The Work User to CL Commands Enter User ID screen is displayed 3 Type the user profile or PUBLIC then ENTER If you would like a list of all user profiles on the system press F4 or type ALL To see a list of users already defined within SafeNet 400 type ALLDFN The Maintain Authorized CL Commands screen appe...

Page 22: ...emove authorization to a command FIELD EXIT through the line to blank it out If you would like to see the list of all users who have been defined within SafeNet 400 press F2 5 When finished typing all the required CL commands for this user press ENTER 6 Press F9 to continue with setting up path names ...

Page 23: ...r to the paths 1 If you used F9 from the previous screen continue with Step 4 2 From the SafeNet 400 Main Menu select Option 7 Work with User to Long Path Names or use WRKUSRPTH command The Work with User to Path Names Enter User ID screen is displayed 3 Type the user profile or PUBLIC then ENTER If you would like a list of all user profiles on the system press F4 or type ALL To see a list of user...

Page 24: ...can be entered up to 256 positions in length although only the first 60 positions are shown on the display To enter and or view a path over 60 positions long enter 2 in the option column Use to give authority to all folders paths End the path with to allow access to all items in subfolders 5 When finished typing all the paths for this user press ENTER ...

Page 25: ... screen is displayed 2 Type the user profile you are copying from then the new profile s to add 3 When finished entering all the new profiles press ENTER This will set up the new profile in SafeNet 400 and return you to the Special Jobs Menu Removing a User from SafeNet 400 This option allows you to remove a user s authorities and settings from SafeNet 400 1 From the Special Jobs Menu select Optio...

Page 26: ...ance for an individual user without entering several different commands When you use the WRKUSRSEC command you will be presented with the Maintain All Security for a User screen From this screen you can select which of the control files you wish to update for this particular user without entering any additional commands or returning to the SafeNet 400 Main Menu Within each of the applications you ...

Page 27: ...authorized to at this time User Specific Server ALL Servers Group Specific Server ALL Servers Supplemental Group Specific Server ALL Servers PUBLIC Specific Server ALL Servers SafeNet 400 checks until all the tests are passed or until an exclusion rule is encountered Note In Version 8 Time of Day controls are handled differently than in previous releases of SafeNet 400 With Version 8 TOD controls ...

Page 28: ...th User to Server Security from the SafeNet 400 Main Menu or the WRKUSRSRV command Type the user profile ENTER and then press F10 The User Time of Day Maintenance screen appears To exclude the user from all servers during the same days of the week and time of day type 2 Change in front of ALL To select individual servers type 2 in front of the servers you want to change ...

Page 29: ...an define up to three time ranges and can select which days to exclude by typing X in front of the day You can also define holidays that will be used to control Time of Day access Press F9 to display the Time of Day Holiday Maintenance screen Type the dates and descriptions of your holidays Press ENTER ...

Page 30: ...1 26 SafeNet 400 Reference Guide Copyright 2008 MP Associates of Westchester Inc V8 50 May 2008 ...

Page 31: ...tep first and restrict access to the server functions prior to setting up user rights you may disrupt network requests until the users authority table setup is completed Setting up the Current Level on the servers should be considered the LAST STEP during the setup process Typically use the Future Server Settings for initial setup and testing When you are ready to activate SafeNet 400 settings fli...

Page 32: ...porting available Performance impact minimal TELNET requires use of the TCP IP control table Level 4 Access granted on a user to server and object and command basis Requests can be logged reporting available Performance impact higher Level 4 requires authority to the server function and additionally requires table entries for proper authorization to individual or generic objects and or folders by ...

Page 33: ... has detected a user defined program assigned Use WRKREGINF command to review existing exit point programs Not supported Cannot be changed via SafeNet 400 use WRKREGINF command See Appendix A Special Technical Considerations On the following pages you will find these levels grouped together to make it easier for you to decide the appropriate level of security required for each server function ...

Page 34: ...GING or REJECTIONS the Server Function setting will override the individual user logging level If you set the logging level on the Server Function to ALL the individual user logging level will override the Server Function logging level To make sure you are logging transactions correctly we recommend that when you initially set up SafeNet 400 you set the Server Functions to log ALL and set the indi...

Page 35: ...The user must be authorized to the server the objects requested the FTP Op or SQL Op CL commands or long path to be used Supported by the following servers Distributed Data Management Server Original Data Queue Server Network Printer Server Spool file requests Integrated File Server Original Remote SQL Server Original File Transfer Function Server Original Virtual Print Server Database Server Data...

Page 36: ...All Limit user access Database Server data base access 100 Level 4 Log All Limit user and object access Database Server data base access 200 Level 4 Log All Limit user and object access Database Server object information 100 Level 3 Log All Limit user access Database Server object information 200 Level 3 Log All Limit user access Database Server SQL access 100 Level 4 Log All Limit user object and...

Page 37: ... File Server Level 4 Log All Limit user and object access FTP Client Server Level 4 Log All Limit user access target connection by IP Address FTP Logon Server Level 3 Log All Limit user access FTP Server Validation Level 4 Log All Limit user source IP address object FTP sub commands Network Print Server entry Level 1 Log None Network Print Server spool file Level 1 Log None Original Data Queue Ser...

Page 38: ...Level 1 Log None PWRDWNSYS Level 1 Log All Log all requests Remote Command Program Call Level 4 Log All Limit user and object access and commands REXEC Logon Level 3 Log All Limit user access REXEC Server Request Validation Level 4 Log All Limit user Source IP address TELNET Logon Level 1 Log None or TELNET Logoff TFTP Logon Level 1 Log None User Profile Points Level 1 Log All Log all requests TCP...

Page 39: ...ou enter a setting for each server based on what you think the setting will be in the future This makes it possible to use your historical transactions against both current and future server levels for testing purposes Enter a Y in the TOD column to control individual server functions based on time of day When you change the TOD value it becomes effective immediately Make sure you have used the Ti...

Page 40: ...ide Copyright 2008 MP Associates of Westchester Inc V8 50 May 2008 3 When you have finished entering information for all the servers press ENTER The screen is refreshed and any changes you made are reflected in the Current columns ...

Page 41: ...t of the data string from the client The customer exit program is always processed BEFORE the SafeNet 400 checks are done Your custom exit program can do whatever you want When it returns to SafeNet 400 if the status code has been changed to indicate any type of rejection SafeNet 400 stops and logs the request and returns a rejection to the client If the exit program does not change the status cod...

Page 42: ...2 12 SafeNet 400 Reference Guide Copyright 2008 MP Associates of Westchester Inc V8 50 May 2008 ...

Page 43: ...T control features are supported only when the server is set to Level 3 You may use some or all of the features available with the TELNET server point Control access by IP address Allow auto signon bypass signon Restrict IP address to use specific device names enhanced TELNET clients only Restrict access based on the password type sent none clear or encrypted ...

Page 44: ...i e 10 2 2 2 Use wild card options if desired 10 2 2 x 4 Enter A or R to accept or reject the request Restricting Access to Specific Device Names 1 Set the TELNET server to Level 3 using the WRKSRV command 2 Use the WRKTCPIPA command to enter the correct IP address then enter the device name to use for this IP address You may also use a generic device name by putting an at the end of the name If y...

Page 45: ... passwords is only available in V5R1 of OS 400 Valid settings are 0 No password was received or validated 1 A clear text password was received and validated 2 An encrypted password was received SSL TELNET only in V5R1 For normal TN5250 TELNET support is VT100 you must set this to 0 since non enhanced TELNET clients do not support this feature For iSeries Access for Windows TELNET you can use a set...

Page 46: ...IP address the user profile library program or menu that the client will automatically be signed on to For iSeries Access for Windows you must set the TN5250 session parameters on the client setup to bypass signon see the ISeries Access for Windows Setup Guide This is required if you set the password type to 1 in the WRKTCPIPA setting For non iSeries Access for Windows clients named TELNET VT100 c...

Page 47: ...h the actual TELNET session start request Each logoff is also recorded by IP address with a user of QSYS If you use the auto signon feature the request will be logged with the associated user set up in the Auto Signon Control file Each logoff of a TELNET will also record the transaction with the user profile that was automatically signed on When TELNETON is set to Level 3 only devices with IP addr...

Page 48: ...TPSET then press F4 4 Change Server Source limit by IP Address to YES then ENTER 5 Use WRKSRV command and set the FTPSERVER and or REXEC Server exit point to level 3 or 4 To set up and turn on TCP IP address checking for the FTP Client 1 Type WRKTCPIPA FTPCLIENT then ENTER 2 Add the IP addresses to the Control Table 3 Type CHGFTPSET then press F4 4 Change Client Target limit by IP Address to YES t...

Page 49: ... indicates Reject Example 1 Accept Address Reject 10 2 2 X A 10 2 2 5 R In this example any address from 10 2 2 1 through 10 2 2 255 will be accepted with the exception of 10 2 2 5 which will be rejected Example 2 Accept Address Reject 10 2 2 1XX A 10 2 2 14X R In this example all clients with addresses from 10 2 2 100 through 199 will be accepted with the exception of clients addressed 10 2 2 140...

Page 50: ...3 8 SafeNet 400 Reference Guide Copyright 2008 MP Associates of Westchester Inc V8 50 May 2008 ...

Page 51: ...FTP Server Validation to Level 4 Follow these steps for FTP 1 From the SafeNet 400 Main Menu select Option 10 Go to Special Jobs Menu 2 From the Special Jobs Menu select Option 3 Change Special FTP Server Settings or use CHGFTPSET command along with F4 The Change SafeNet FTP Settings screen is displayed Press F9 to see all parameters Here you will find the special parameters to control login acces...

Page 52: ...e IP addresses against a SafeNet 400 control table Use WRKTCPIPA FTPSERVER IPCTLC Client Target limit by IP Add YES NO To validate Target IP addresses against a SafeNet 400 control table Use WRKTCPIPA FTPCLIENT ALOGON Allow Anonymous FTP Logon YES NO If you want users to be able to login with the user ID of Anonymous enter YES If you don t want a user to use the FTP Logon User as Anonymous leave t...

Page 53: ...must specify a valid pre existing user profile to run anonymous user logons in OS 400 when the anonymous user logs on under FTP In other words a user would FTP to a System i5 FTP site running SafeNet 400 and that FTP site would prompt for a user name The user keys ANONYMOUS and the System i5 prompts for a password The user then keys in a valid E mail address and the System i5 starts a job assigned...

Page 54: ...Inc V8 50 May 2008 password of NONE and USER for the profile type If you do this no one can use this profile to sign on since the password is set to NONE APWD Password for Above Profile pword Enter the password to be used with the profile in parameter AUSRPRF for Anonymous FTP ...

Page 55: ...reated in Step 1 above ANONYMOUS Enter password for the ANONYMOUS user profile in APWD parameter 4 Press ENTER 5 Return to the SafeNet 400 Main Menu 6 Select Option 1 Work with Server Security Settings or use WRKSRV command 7 Locate the FTP Logon Server point 8 Change the FTP Logon Server to Level 3 9 Change the FTP Server Validation point to Level 4 If you want to allow for anonymous logons you M...

Page 56: ...USRPTH command to enter the correct path or paths for ANONYMOUS 14 Select Option 5 Work with User to FTP Statement Security or use the WRKUSRFTP command to grant the ANONYMOUS user ID authority to specific FTP commands Use the additional FTP settings if required or if you want the ANONYMOUS profile initial path to be an IFS directory ...

Page 57: ...k with User to Server Security or use WRKUSRSRV command The user ID must be authorized to the FTP Logon server and one of the following FTP Client if an OS 400 user will be FTP ing OUT from your iSeries FTP Server if an OS 400 user will be FTP ing INTO your iSeries Select Option 3 Work with User to Object Level Security or use WRKUSROBJ command Authorize the user ID to their own current library as...

Page 58: ...4 8 SafeNet 400 Reference Guide Copyright 2008 MP Associates of Westchester Inc V8 50 May 2008 ...

Page 59: ...llocated permanently or leased for a specific period of time When the server allocates a leased license the client must periodically check with the server to re validate the address and renew the lease The DHCP client and server programs handle address allocation leasing and lease renewal If you are using DHCP on your System i5 this gives you a way to control it If you are not using DHCP you can s...

Page 60: ...nd Reports Menu From the SafeNet 400 Main Menu select Option 13 Go To DHCP Menu The DHCP Control and Reports Menu appears The DHCP functions provide the ability to maintain MAC addresses and device names set IP addresses and ping IP addresses From the DHCP Control and Reports Menu you can also run reports for active and expired leases MAC names and IP address lists ...

Page 61: ...ys to switch views F2 switches between the Currently Active DHCP Addresses Bound and Expired or Released DHCP Addresses screen The Expired or Released addresses list contains information gathered since the last time the list was purged F7 switches between MAC addresses and the assigned names You will notice that the devices with fixed IP addresses do not change as you toggle between the two displa...

Page 62: ...onses will flash at the bottom of the screen When the process has completed you will see a Ping Status column indicating the results of the pings If you are looking at the active addresses you will ping those If you are looking at expired or released addresses all of those will be pinged Be aware that pinging the expired or released addresses can take a very long time depending on the last time th...

Page 63: ...stchester Inc V8 50 May 2008 Maintaining MAC Addresses From the DHCP menu select Option 5 Manually Maintain MAC Addresses to User Names This operates as a standard OS 400 DFU program Press F9 to use insert mode when editing Press F23 to delete the MAC address and name ...

Page 64: ...vices from the DHCP Menu select Option 6 Manually Maintain Permanent Static IP Addressed Devices or use the SNDHCPPR command Even if you are not using DHCP on your System i5 you can use this option to do PING checks for network troubleshooting If you enter a DHCP IP address you will receive an error message This is for fixed IP addresses only ...

Page 65: ...CP Lease Information The Expired or Released DHCP address information is cumulative and will remain in the system until you purge it From the DHCP Menu select Option 8 Run Purge of Expired DHCP Lease Information Enter the date and time to purge through When you ENTER the log of expired DHCP leases will be cleared ...

Page 66: ...a single IP address or a range of addresses From the DHCP Menu select Option 10 IP Address Range Ping Checker Enter the range of IP addresses that you want to ping Press ENTER and you will begin to see replies flash on the bottom of the screen When all the IP addresses have been pinged the Status column will display the results of the pings ...

Page 67: ...age the who what where and when information you need to manage your system Analysis reports have been enhanced to include the ability to select specific dates and or users including summaries by group profile You can choose to print the reports or create an OUTFILE of the selected records in a readable format to use for your own ad hoc reporting You can also use the analysis reports to take advant...

Page 68: ...ecurity Listing Lists users the libraries and objects they have authority to and the rights the users have to the objects 4 User to SQL Statement Listing Lists all users and the SQL statements they are authorized to use 5 User to FTP Statement Listing Lists all users and the FTP statements they are authorized to use 6 TCP IP Address Control Listing Lists the TCP IP address controls for Workstation...

Page 69: ...inst current and future SafeNet 400 settings Allows what if testing of all historical transactions against current and future control file settings to see if further set up is required 2 User to Server Usage Report Using historical transactions lists each server a user has accessed 3 User to Object Usage Report Using historical transactions lists each LIB OBJ a user has accessed and the type of ac...

Page 70: ...6 4 SafeNet 400 Reference Guide Copyright 2008 MP Associates of Westchester Inc V8 50 May 2008 ...

Page 71: ...rol If you have been logging network requests with SafeNet 400 you can at any time run each historical record through the security checking routines and receive a result of ACCEPTED or REJECTED based on current and future SafeNet 400 settings This allows you to make changes to the server function Security Level the user to server settings or data rights authorities and using previously logged requ...

Page 72: ...400 Main Menu select Option 10 Go to Special Jobs Setup Menu or use GO SN2 command 2 Select Option 10 On Line Transaction Testing or use PCTESTR command The On Line Transaction Testing screen will appear If you want you may enter a beginning date and time or the user or server ID then enter the desired security level to test against your logged transactions If you do not enter a date and time you ...

Page 73: ...test transactions with your future Server Security Levels This will test each selected transaction against the future security setting to determine if your security control files are set up correctly Type 2 3 or 4 for other levels If you want to test your Time of Day controls type Y in Time of Day Check If you want to see only rejected requests type Y in Show only Rejections Important If you elect...

Page 74: ...ing to check The current Security Level for the server The maximum security level setting for this server The user making the request The group profile related to the user The date and time of the request The OS 400 server job name the request came from The format The server function receiving the request Data used if any Whether the request was accepted or rejected and the reason for the rejectio...

Page 75: ...nd forward or you can press ENTER to scroll forward to the next record in the logging file At any time you can press F12 to return and enter a new starting date and time server or user or change the Security Level to check Note Use this tool to develop and test your initial security settings prior to putting them into production You can go back and change the different SafeNet 400 parameters to se...

Page 76: ... you run this security report you can customize it by using Special Jobs Menu Option 1 Select Default Servers for Security Report This option lets you select the specific servers you are interested in then makes them the default each time you run the report Run this report from Menu SN4 the Network Transaction Analysis Reports Menu Option 1 Print Security Report by User or use the PRTSECRPT comman...

Page 77: ...by user then by server within user SRVUSR by server then by user within server 4 Select the correct Security Level Check value H Historical Review only Show status at actual time of client request C Check all transactions against current server settings F Check all transactions against the Future server settings 5 Decide if you want to test the time of day controls Enter Y or N for the Test Time o...

Page 78: ...rence Guide Copyright 2008 MP Associates of Westchester Inc V8 50 May 2008 Page Down if you would like to print the report to an output file When you have finished making your selections ENTER to submit the report to batch ...

Page 79: ... to Security Level 4 4 You can use several tools provided with SafeNet 400 to test your security settings Use the Security Report by User or the on line version PCTESTR These can be run to test the collected transactions against the current or future server settings Use Future Setting 5 Use Show only Rejections on PCTESTR and Print only Rejections on the batch report If your settings are correct f...

Page 80: ... be performed using this tool 1 Type PCREVIEW and press ENTER The Network On Line Transaction Review screen is displayed and the HELP key is active 2 Using the fields at the top of the screen you can select only the records you wish displayed You can select by user server status from and to date For example to review only rejections for today Type R in the Status field By default today s date is e...

Page 81: ... specific transaction You can use the ROLL UP ROLL DOWN keys to scroll through the sequential transactions or press ENTER to return to the PCREVIEW sub file screen If you selected only a specific user or server to be displayed in PCREVIEW you will find that only those records meeting the selection criteria will be displayed as you scroll through the file with the on line transaction test program ...

Page 82: ...7 12 SafeNet 400 Reference Guide Copyright 2008 MP Associates of Westchester Inc V8 50 May 2008 ...

Page 83: ... size This function deletes the records in the TRAPOD file There are two ways to purge the TRAPOD file 1 Standard purge using retention days or purge through date 2 Archive TRAPOD records and generate a report This allows you to specify the number of days to retain records or a purge through date and provides the capability to archive the records to an alternate file and member You can also print ...

Page 84: ...n for thirty days 4 You can direct the processing of the purge to a specific job queue If you leave the default value of JOBD then the default job queue for your job will be used If you choose to use a different job queue you can enter the name here You must have the job queue s library name in your job s library list when you use this option 5 If you ended logging prior to performing a backup iss...

Page 85: ... to whichever option you wish 5 Use F10 to display Additional Parameters 6 Select YES or NO for Remove deleted records YES requires that transaction logging be turned off You can use the following command instead of the menu option STRPRGARC DAYS 060 ARC YES PRT YES PRTR NO RMVDEL NO This will purge the TRAPOD file and retain 60 days of data archive the records print a report listing all records n...

Page 86: ...STRPRGARC DAYS XXX JOB SECPRG XXX is the number of days to retain records 060 60 days retention Automating the One Step Security Report To automatically run the security report without purging or archiving any records use the following command PRTSECRPT There are no parameters for this command To submit this command to batch type SBMJOB CMD PCSECLIB PRTSECRPT For additional selection criteria for ...

Page 87: ...urge is retaining enough days for reporting purposes Each of these commands provides parameters to print either only rejections or all transactions Review these parameters and change as required Monday 1 Run purge and retain 5 days print report of all rejected purged records STRPRGARC DAYS 005 2 Run security report it will print rejections for the last 5 days Thursday through Monday PRTSECRPT Thur...

Page 88: ...ample runs the Log File Purge and retains only 1 day of data in the file Saturday 1 Run security report and see entire contents of log PRTSECRPT 2 Run purge and retain 1 day STRPRGARC DAYS 001 Note It is a good idea to run these commands back to back and at off peak hours to minimize performance impact ...

Page 89: ...NO This prevents SafeNet 400 from attempting to log requests 2 Issue the ENDTRP command within SafeNet 400 This will end the transaction logging program and subsystem 3 Perform your normal backup steps 4 CHGSPCSET LOGALL YES to begin logging 5 Issue the STRTRP command to re start the transaction logging subsystem and program Remember to include the SafeNet 400 data library PCSECDTA in your daily b...

Page 90: ...8 8 SafeNet 400 Reference Guide Copyright 2008 MP Associates of Westchester Inc V8 50 May 2008 ...

Page 91: ... any autostart jobs or other IPL initiated OS 400 activities that may still be allocating SafeNet 400 objects and programs This is not required if you do not need to de allocate all the SafeNet 400 programs Once you have been successful in isolating your network problem you can re activate SafeNet 400 Before de activating Optionally rather than de activating SafeNet 400 you can remove one or more ...

Page 92: ...te De Activate SafeNet 400 The Server Activation Control screen is displayed indicating the current setting 2 Press F5 to change the setting and return to the Special Jobs Menu 3 After performing these steps end all subsystems then restart them to maintain security integrity 4 Try your network request again If SafeNet 400 is active and your request is not successful review your request log and cor...

Page 93: ...move SafeNet 400 from your System i5 follow these steps 1 Sign on to the System i5 as QSECOFR or SAFENET 2 De activate SafeNet 400 Follow the instructions on the previous pages to de activate the program 3 IPL the System i5 4 Delete library PCSECLIB and PCSECDTA 5 Delete the SAFENET authorization list from your system SafeNet 400 is now completely removed from your system ...

Page 94: ...9 4 SafeNet 400 Reference Guide Copyright 2008 MP Associates of Westchester Inc V8 50 May 2008 ...

Page 95: ...n try SafeNet 400 again 2 Is the PTF level on your System i5 current Compare your PTF level with SafeNet 400 required levels Recovery Install the latest cumulative PTF package if necessary 3 Is your client application current on service packs or fixes Check to make sure you have the most recent level of fixes for your client Recovery Apply latest service pack or fix package 4 Is this the first tim...

Page 96: ...ver function Security Levels or user authority tables If a particular request was working and now it is not make sure you have not inadvertently disabled a server function or revoked authorities from a user Recovery Double check changes against the request log use the on line transaction program to test your authority settings ...

Page 97: ...riptions at the end of this chapter 3 If you need to make changes to authorities you can test your changes with the on line transaction program before you implement them See Chapter 7 in this guide Testing your Security Settings If the request does not appear in the log or the Review screen These steps should help you determine if the problem is network related client related or SafeNet 400 relate...

Page 98: ...u cannot determine which server function the request is attempting to access set all the servers to Security Level 1 Try the client request again If the request is successful change the server or servers back to the original Security Level Logging Level All This will log all the client requests 2 Try the client request again If the request is successful run the request log report and review the cl...

Page 99: ...ve a message on the System i5 about a SafeNet 400 or PCSECLIB program or you still cannot resolve a client error or client application error check to see if the system was IPL d since you Initially installed SafeNet 400 Applied PTFs to SafeNet 400 If not you must IPL your system for the changes to take effect ...

Page 100: ...ote Remember to change this back to its default when you have resolved the problem or you may generate an excessive number of joblogs CHGJOBD QDFTJOBD LOGLVL 4 00 NOLIST LOGCLPGM NO 3 End then start both subsystems QSYSWRK QSERVER 4 Try the client request again 5 Check for joblogs and errors 6 You may have to end and re start QSYSWRK and QSERVER to force joblog creation Also try ENDTCPSVR ALL ENDH...

Page 101: ...8 Examples of Client Error Messages Some common error messages you may see on a Windows95 client This message was received on the client when the server function was set to Level 2 Function Disabled No Access This message was received on the client when the user was not authorized to the server ...

Page 102: ...10 8 SafeNet 400 Reference Guide Copyright 2008 MP Associates of Westchester Inc V8 50 May 2008 This message was received on the client when the user was not authorized to the SQL Select statement ...

Page 103: ...ted No authority to library E Rejected Invalid Data Rights authority F Rejected Invalid Object Management Rights G Rejected Unauthorized path statement H Rejected No authority to SQL statement I Rejected Incoming commands OFF J Rejected No authority to Root Directory K Rejected Unauthorized FTP Logon L Rejected Unauthorized FTP Command N Rejected Unauthorized REXEC Logon O Rejected Unauthorized TF...

Page 104: ...d Encrypted password required U Rejected No devices available V Rejected Unauthorized CL command X Rejected Error with Swap Profile Y Rejected Error during Profile Swap Z Rejected User Server Reject Code Specific REJECT in WRKUSRSRV Rejected Time of Day control Rejected Function requires SafeNet 400 regular Admin authority Rejected Function requires SafeNet 400 Super Admin authority ...

Page 105: ... DSPPFM Display Physical File Member command to look at the contents of the TRAPOD file Type B on the Control line and press ENTER This will take you directly to the bottom of the file and enable you to see the last request recorded in the file As a network request is processed by SafeNet 400 a record is written to the TRAPOD file The name of the SafeNet 400 program that processed the request is i...

Page 106: ...10 12 SafeNet 400 Reference Guide Copyright 2008 MP Associates of Westchester Inc V8 50 May 2008 ...

Page 107: ...remove your exit program Important Do not remove any program called from PCSECLIB You may have several servers set to Level 5 You must remove each one Then using the DSPNETA or CHGNETA command verify that the System i5 network attributes DDMACC and PCSACC are both set to OBJAUT If these attributes are not initially set to OBJAUT SafeNet 400 will flag several exit points to Level 5 2 Type the follo...

Page 108: ...ates of Westchester Inc V8 50 May 2008 Follow the instructions to de activate the program found in Chapter 9 in this guide De activating and Removing SafeNet 400 6 Re activate SafeNet 400 Select Option 6 Activate De Activate SafeNet 400 7 Restart your system ...

Page 109: ... Pre Power Down Program Point You can create a power down CL program to be called whenever the PWRDWNSYS command is issued SafeNet 400 will call this program and log the request whenever the command is processed To use this feature create a CL program called PWRDWNCL and place it in library QGPL ...

Page 110: ...SafeNet 400 1 Summarized alerts you can receive a message that gives summarized information regarding SafeNet 400 rejections For example There have been six 6 rejections by SafeNet 400 since 01 01 99 at 12 00 00 This process starts the SAFELOGING subsystem which contains a pre start job called ALERTWATCH SAFELOGING runs from the BASE memory pool and uses very little system resources You can set th...

Page 111: ...receive these alerts You can send alerts to both message queues and distribution lists The alerts are not sent to message queues in BREAK mode To receive these alerts immediately make sure the user message queue is in BREAK mode See CHGMSGQ command in the IBM CL Manual 6 You can enter individual e mail addresses to receive alerts in addition to or instead of message queues and distribution lists U...

Page 112: ...forms all security related checking as if the request came from the Swap to profile and not the original profile The job in OS 400 retains its original user name All authority checking by SafeNet 400 is performed using the original profile name Alternate Profile Swapping is controlled using the CHGSPCSET command SafeNet 400 Menu SN2 Option 2 Set the SWAPU parameter to one of these values NO Do not...

Page 113: ...p Profile Maintenance or use the WRKSWPPRF command 2 Enter the user profile to work with You can type the user profile use F4 for a list or type ALL for a complete list of swap profiles Press ENTER The Maintain Authorized Swap Profiles screen appears 3 On the Maintain Authorized Swap Profiles screen type the Swap To Profile then press ENTER Now whenever a user connects to the System i5 through a c...

Page 114: ...Creates journal receiver SAFE1 in library PCSECLIB Starts journaling on eleven SafeNet 400 control files 2 Call PCSECLIB ENDSAFEJRN Stops journaling on the eleven SafeNet 400 control files 3 Call PCSECLIB DLTSAFEJRN Deletes all associates journals and journal receivers Note Options 2 and 3 END and DELETE require a dedicated System i5 and must be performed from the system console while the System i...

Page 115: ...ins DHCP Release log reports ERRORD File Contains all error codes accepted rejected associated with SafeNet 400 FIXEDIPS Contains fixed IP client addresses static addresses IBMFLR File and IBMFLRL Long paths to IBM folders Contains all IBM supplied folder names You may add additional folder names to this file for automatic READ and or WRITE authority as required MACNAMES Contains MAC addresses wit...

Page 116: ... are placed in this file This file will grow significantly over time depending on network traffic Be sure to pay close attention to its size and establish a schedule to purge records This file can also be used for additional user developed reporting See IBM OS 400 Servers and Administration for additional information and record layouts ...

Page 117: ...SVR Allows batch maintenance of users to servers CHGFTPSET Change FTP special settings CHGNOTIFY Changes status of Alert Notification CHGSPCSET Change SafeNet 400 special settings CPYSNUSR Copy settings from one SafeNet 400 user to another ENDTRP Ends the transaction logging program PCREVIEW Starts the on line transaction review process PCTESTR Starts the on line transaction testing program PRTCLU...

Page 118: ...ves user s authorities to objects RMVUSRSQL Removes user s authorities to SQL RMVUSRSRV Removes user s authorities to server functions SETSAFENET OPTION A Activates SafeNet 400 SETSAFENET OPTION B Deactivates SafeNet 400 SETVER Used to change the license code level of SafeNet 400 STRALRT Starts Alert Notification monitoring STRPRG Starts purge of log file STRPRGARC Starts archive purge security re...

Page 119: ...ith user to CL commands WRKUSRFTP Work with user to object FTP statement security WRKUSROBJ Work with user to object security WRKUSRPTH Work with User to IFS path security WRKUSRSEC Work with user security Permits access to all security screens for an individual user without entering several different commands WRKUSRSQL Work with user to object SQL statement security WRKUSRSRV Work with user to se...

Page 120: ...11 14 SafeNet 400 Reference Guide Copyright 2008 MP Associates of Westchester Inc V8 50 May 2008 ...

Page 121: ...ter Inc V8 50 May 2008 Chapter 12 SERVER FUNCTION DESCRIPTIONS This section lists all the current System i5 server functions their descriptions and information on how they are used The servers are alphabetized within two groups the Original Servers and the Optimized Servers ...

Page 122: ...tes of Westchester Inc V8 50 May 2008 Original Servers These servers have been provided by IBM since PC Support 400 became available Support for these original servers was designed for and is still used to service the original clients DOS Extended DOS and OS 2 ...

Page 123: ...8 or System 36 Communication Server Identifier DDM Format Name DDM Levels Supported Basic Levels 1 2 Intermediate Level 3 Advanced Level 4 Plus special setting for remote command processing CL command authority checking is performed at Level 4 Limitations See the Special Jobs Menu for incoming remote commands Cannot check authority of files objects or commands imbedded in the command string Recomm...

Page 124: ...may issue to the System i5 4 Most System i5 systems by default use the QUSER profile for the communications conversation QUSER must have authority to all files that are being accessed and must be authorized to the DDM server function To change from QUSER as the default a change to the default communications entry must be made in the QCMN subsystem description See your system administrator for assi...

Page 125: ... a single data queue Where used Client Access for Windows 3 1 Client Access for OS 2 Client Access for DOS with Extended Memory Client Access for DOS Server Identifier DQSRV Format Name DTAQ0100 Levels Supported Basic Levels 1 2 Intermediate Level 3 Advanced Level 4 Limitations None Recommended Setting Level 1 Log All Notes 1 At Levels 3 and 4 users must be granted access to the server function 2 ...

Page 126: ...OS 2 Interactive and automatic file transfer functions File transfer from within a RUMBA emulation session Client Access for DOS with Extended Memory Interactive and automatic file transfer functions File transfer from within a RUMBA or PC5250 emulation session Client Access for DOS Interactive and automatic file transfer functions Server Identifier TFRFCL Format Name TRAN0100 Levels Supported Bas...

Page 127: ...mple 1 To get a list of all files in USRLIBL there must be an entry for the user requesting the list Library or Folder Object or Sub Folder Read USRLIBL ALL X Example 2 To get a list of all files in the library PAYROLL enter Library or Folder Object or Sub Folder Read PAYROLL ALL X 6 CRTFILE YES CRTMBR YES To do a REPLACE with a CREATE FILE YES or a CREATE MEMBER YES Existence Rights must be given...

Page 128: ...nt Access client requests a license for an application typically upon session initiation When a Client Access client disconnects from the System i5 the license is released and is available for another client to use Where used Client Access for Windows 3 1 Client Access for OS 2 Client Access for DOS with Extended Memory Client Access for DOS Server Identifier LMSRV Format Name LICM0100 Levels Supp...

Page 129: ...ched to the System i5 system The message function server routes messages sent from PC users to the appropriate user and receives messages for PC users and sends them to the PC workstation Where used Client Access for OS 2 Client Access for DOS with Extended Memory Client Access for DOS Server Identifier MSGFCL Format Name MESS0100 Levels Supported Basic Levels 1 2 Intermediate Level 3 Limitations ...

Page 130: ...tabase files or native System i5 database files Where used Client Access for Windows 3 1 Client Access for OS 2 Client Access for DOS with Extended Memory Client Access for DOS Server Identifier RQSRV Format Name RSQL0100 Levels Supported Basic Levels 1 2 Intermediate Level 3 Advanced Level 4 Limitations ODBC support on Windows 3 1 and Client Access for DOS with Extended Memory clients DO NOT use ...

Page 131: ...or DOS with Extended Memory Client Access for DOS Server Identifier VPRT Format Name Always Blanks Levels Supported Basic Levels 1 2 Intermediate Level 3 Advanced Level 4 Limitations None Recommended Setting Level 3 or 4 Log All Notes 1 At Levels 3 and 4 users must be authorized to the server function 2 At Level 4 for each printer that is opened the user must have authority to the printer Example ...

Page 132: ...Net 400 Reference Guide Copyright 2008 MP Associates of Westchester Inc V8 50 May 2008 Example 2 To grant authority to only the PAYROLL printer enter Library or Folder Object or Sub Folder Read QUSRSYS PAYROLL X ...

Page 133: ...erver support provided by IBM with Client Access now iSeries Access for Windows beginning with OS 400 Version 3 Release 1 services optimized clients Windows 3 1 16 bit applications Optimized OS 2 32 bit applications and Windows98 Windows 2000 Windows XP Additional servers are supplied by IBM for each new release of OS 400 ...

Page 134: ...atabase on the System i5 iSeries Access for Windows uses this function when new or existing iSeries Access for Windows clients attach to the server Where used iSeries Access for Windows Server Identifier CNTRLSRV Format Name ZSCS0100 Levels Supported Basic Levels 1 2 Intermediate Level 3 Limitations None Recommended Setting Level 1 Log All Notes 1 At Level 3 users must be authorized to the server ...

Page 135: ...or clients that need them These conversion maps are usually used on the client for ASCII to EBCDIC conversions and EBCDIC to ASCII conversions Where used iSeries Access for Windows Server Identifier CNTRLSRV Format Name ZSCN0100 Levels Supported Basic Levels 1 2 Intermediate Level 3 Limitations None Recommended Setting Level 1 Log All Notes 1 At Level 3 users must be authorized to the server funct...

Page 136: ...s Access for Windows clients The initial request from a client checks out a license for each iSeries Access for Windows user and the server remains active until the client is no longer communicating with the System i5 Where used iSeries Access for Windows Server Identifier CNTRLSRV Format Name ZSCL0100 Levels Supported Basic Levels 1 2 Intermediate Level 3 Limitations None Recommended Setting Leve...

Page 137: ... Request This server is used whenever a client requests a DRDA conversation connection Where used Rumba Access DB2 for System i5 DB2 for OS 390 DB2 Connect And more Server Identifier DRDA Format Name DRDA Levels Supported Basic Levels 1 2 Intermediate Level 3 Limitations None Recommended Setting Level 3 Log All Notes 1 At Levels 3 and 4 users must be authorized to the server function ...

Page 138: ...ystem i5 database through ODBC interface File transfers Used by ODBC Microsoft Access and Microsoft Query for object manipulation Used by functions Create source physical file Create database file based on existing file Add clear delete database file member Override database file Delete database file override Delete file Server Identifier NDB Format Name ZDAD0100 Levels Supported Basic Levels 1 2 ...

Page 139: ...ase through ODBC interface File transfers Used by various ODBC DRDA SQL packages such as Microsoft Access Microsoft Query etc Server Identifier NDB Format Name ZDAD0200 Levels Supported Basic Levels 1 2 Intermediate Level 3 Advanced Level 4 Limitations Does not support generic library names Does not support long object names Recommended Setting Level 4 Log All Notes 1 At Levels 3 and 4 users must ...

Page 140: ...ew QZDASOINIT job is initiated to service client database requests such as calling a stored procdure Where used iSeries Access for Windows Access to System i5 database through ODBC interface File transfers Server Identifier SQL Format Name ZDAI0100 Levels Supported Basic Levels 1 2 Intermediate Level 3 Limitations None Recommended Setting Level 3 Log All Notes 1 At Level 3 users must be authorized...

Page 141: ...atabase through ODBC interface File transfers Server Identifier RTVOBJINF Format Name ZDAR0100 Levels Supported Basic Levels 1 2 Intermediate Level 3 Advanced Level 4 Usage Used to retrieve information for the following objects Library or collection SQL package File or table SQL package statement Field or column File member Index Record format Relational database or RDB Special columns Limitations...

Page 142: ...sociates of Westchester Inc V8 50 May 2008 Notes 1 List retrievals from USRLIBL automatically allowed 2 Data rights enforced 3 At Levels 3 and 4 users must be authorized to the server function 4 At Level 4 the user must be authorized to the OBJECT LIBRARY ...

Page 143: ...re used iSeries Access for Windows Access to System i5 database through ODBC interface File transfers Server Identifier RTVOBJINF Format Name ZDAR0200 Levels Supported Basic Levels 1 2 Intermediate Level 3 Usage Used for requests to retrieve information for the following objects Foreign keys Primary keys Limitations You must restrict access to the user s default library list through user profile p...

Page 144: ...program for the SQL1 point will not be called Where used iSeries Access for Windows Access to System i5 database through ODBC interface File transfers Called by these functions ALTER TABLE DROP PACKAGE CALL DROP TABLE COMMENT ON DROP VIEW COMMIT GRANT CREATE COLLECTION INSERT CREATE DATABASE LABEL ON CREATE INDEX LOCK TABLE CREATE TABLE REVOKE CREATE VIEW ROLLBACK DELETE SELECT DROP COLLECTION SET...

Page 145: ...nts for the user 3 Due to a restriction within IBM s OS 400 for versions prior to V4R1 OS 400 delivers SQL requests to SafeNet 400 with a limit of 512 characters in length Since most SQL statements are normally much less than this limit this is not a concern for most users However if this limit is exceeded SafeNet 400 will log a truncated request string into the history file For V4R1 and above thi...

Page 146: ... jobs can send or receive data from a single data queue Where used iSeries Access for Windows Server Identifier DATAQSRV Format name ZHQ00100 Levels Supported Basic Levels 1 2 Intermediate Level 3 Advanced Level 4 Limitations None Recommended Setting Level 1 Log All Notes 1 At Levels 3 and 4 users must be granted access to the server function 2 At Level 4 users must be granted access to specific d...

Page 147: ...otification 100 This server assigns IP addresses to specific client hosts Where used Any device on a TCP IP network whenever it requests an IP address from the System i5 when the System i5 is set to be the local network DHCP server Server Identifier DHCPB Format name DHCA0100 Levels Supported Basic Level 1 Limitations None Recommended Setting Level 1 Log All ...

Page 148: ...00 This server releases an IP address from its specific client host assignment binding Where used Any device on a TCP IP network whenever it requests an IP address from the System i5 when the System i5 is set to be the local network DHCP server Server Identifier DHCPR Format name DHCR0100 Levels Supported Basic Level 1 Limitations None Recommended Setting Level 1 Log All ...

Page 149: ...s to entire file system Windows Explorer and other applications Server Identifier FILESRV Format Name PWFS0100 Levels Supported Basic Levels 1 2 Intermediate Level 3 Advanced Level 4 Limitations Directory structure has a maximum of 20 deep Does not differentiate between upper and lower case file names Does not support long file names Names over 10 characters are truncated Allows setting of global ...

Page 150: ...eference Guide Copyright 2008 MP Associates of Westchester Inc V8 50 May 2008 Library or Folder Object or Sub Folder ALLFLR ALL To enter ALLFLR ALL you must be signed on as QSECOFR Proper Data Rights must be selected also ...

Page 151: ...e 2 You can add specific folder names in place of ALL to further extend the directory path Network Request QDLS PERSONNEL PAYROLL SALARY Entries Required Library or Folder Object or Sub Folder Read Entry 1 QDLS PERSONNEL X Entry 2 PERSONNEL ALL X Entry 3 PAYROLL SALARY X Entry 4 SALARY ALL X 4 This is a typical iSeries Access for Windows user security set up if automatic read to IBM folders is not...

Page 152: ...nvert all requests to uppercase then check the first ten characters in each directory name for a match Note When native libraries or objects are accessed via the file server LIB file etc are added to the end of the name You must enter the LIB or file in the user to object control file If the same user accesses these same objects through another server also SQL for example you must also enter the a...

Page 153: ...r Level 4 you can implement IP address controls This will allow you to limit what target addresses systems an FTP client can connect to See commands CHGFTPSET IPCTLC YES and WRKTCPIPA FTPCLIENT You can also review Setting up TCP IP Address Controls in Chapter 3 of this guide Recommended Setting Level 4 Log All Important Note When the FTP Client point is set to Level 4 only the GET and PUT FTP sub ...

Page 154: ...Get an object from a remote system An FTP GET of object ABC in an FTP Client session requires OBJMGT authority to the object ABC on the local machine Using FTP Server Send an object to local system An FTP PUT of object ABC in an FTP Server session requires OBJMGT authority to the object ABC on the LOCAL machine Get an object from the local system An FTP GET of object ABC in an FTP Server session r...

Page 155: ...any time the System i5 answers an FTP start request from another system or user It is available in OS 400 versions V3R7 through V4R1 Where used Internets and Intranets MS Windows DOS And most other operating systems Server Identifier FTPLOGON Format Name TCPL0100 Levels Supported Basic Level 1 2 Intermediate Level 3 Limitations None Recommended Setting Level 3 Log All ...

Page 156: ... any time the System i5 answers an FTP start request from another system or user It is available in OS 400 versions V4R2 and above Where used Internets and Intranets MS Windows DOS And most other operating systems Server Identifier FTPLOGON2 Format Name TCPL0200 Levels Supported Basic Level 1 2 Intermediate Level 3 Limitations None Recommended Setting Level 3 Log All ...

Page 157: ...d any time the System i5 answers an FTP start request from another system or user It is available in OS 400 versions V5R1 or above Where used Internets and Intranets MS Windows DOS And most other operating systems Server Identifier FTPLOGON3 Format Name TCPL0300 Levels Supported Basic Level 1 2 Intermediate Level 3 Limitations None Recommended Setting Level 3 Log All ...

Page 158: ...l 1 2 Intermediate Level 3 Advanced Level 4 Limitations None Recommended Setting Level 4 Log All Notes 1 At Level 4 users must be authorized to the objects and the FTP statements they require and the CL commands they may issue to the System i5 3 Only at Level 4 are ANONYMOUS logons allowed This is in conjunction with the special FTP security settings See Chapter 4 in this guide Setting up FTP CHGF...

Page 159: ...is server function is used when the network print server is started Where used iSeries Access for Windows Server Identifier QNPSERVR Format Name ENTR0100 Levels Supported Basic Levels 1 2 Intermediate Level 3 Limitations None Recommended Setting Level 3 Log All Notes 1 At Level 3 users must be granted access to the server function 2 Level 4 is not required or supported ...

Page 160: ...ooled output file Where used iSeries Access for Windows Server Identifier QNPSERVR Format Name SPLF0100 Levels Supported Basic Levels 1 2 Intermediate Level 3 Advanced Level 4 Limitations Level 4 grants spool file management rights to the owner of the spool file only Recommended Setting Level 4 Log All Notes 1 At Levels 3 and 4 users must be granted access to the server function 2 Level 4 requires...

Page 161: ...is called whenever the PWRDWNSYS or ENDSYS command is issued Where used Any interface command line or program that can issue the PWRDWNSYS or ENDSYS command Server Identifier PWRDWN Format Name PWRD0100 Levels Supported Basic Level 1 Limitations None Recommended Setting Level 1 Notes 1 To use the pre power down program call create a CL program called PWRDWNCL ...

Page 162: ...ting Limitations Cannot check Library Object security on imbedded command strings Recommended Setting Level 4 Log All Notes 1 For X 1002 Remote Command Call the same rules apply here as for DDM commands You must use the Special Jobs Menu to allow or reject remote commands entering via this server In addition see Note 3 below One setting controls both RMTSRV X 1002 and DDM command servers 2 Used by...

Page 163: ...OS 400 Where used Windows and OS 2 Desktop Add in Applications Other Clients using REXEC Applications Server Identifier REXLOGON Format name TCPL0100 Levels Supported Basic Levels 1 2 Intermediate Level 3 Limitations None Recommended Setting Level 3 Log All Usage Notes You can limit FTP connections from specific IP Addresses See commands CHGFTPSET IPCTL YES and WRKTCPIPA FTPSERVER You can also rev...

Page 164: ...and above Where used Windows and OS 2 Desktop Add in Applications Other Clients using REXEC Applications Server Identifier REXLOGON2 Format name TCPL0300 Levels Supported Basic Levels 1 2 Intermediate Level 3 Limitations None Recommended Setting Level 3 Log All Usage Notes You can limit FTP connections from specific IP Addresses See commands CHGFTPSET IPCTL YES and WRKTCPIPA FTPSERVER You can also...

Page 165: ...d Windows and OS 2 Desktop Add in Applications Other Clients using REXEC Applications Server Identifier REXSERVER Format name VLRQ0100 Levels Supported Basic Levels 1 2 Intermediate Level 3 Advanced Level 4 Limitations None Recommended Setting Level 3 Log All Usage Notes You can limit FTP connections from specific IP Addresses See commands CHGFTPSET IPCTL YES and WRKTCPIPA FTPSERVER You can also r...

Page 166: ...ng Showcase Strategy Application Server Identifier SHOWCASE Format name SRCS0100 Levels Supported Basic Levels 1 2 Intermediate Level 3 Advanced Level 4 Limitations None Recommended Setting Level 4 Log All Important Notes on setting up a user for ShowCase Strategy Although Showcase uses SQL statements to access OS 400 data SafeNet 400 does NOT verify the SQL statement authority SafeNet 400 ONLY ve...

Page 167: ...upport This security function prevents access to the System i5 for users with expired passwords or allows entry to only specific users Where used iSeries Access for Windows Server Identifier SIGNON Format Name ZSOY0100 Levels Supported Basic Level 1 2 Intermediate Level 3 Limitations None Recommended Setting Level 1 Log All Notes 1 Level 3 requires specific authority to the server function 2 Level...

Page 168: ...device management upon session termination TELNETOFF is dependent upon the setting of TELNETON Where used Any TN5250 TELNET client MS Windows iSeries Access for Windows Server Identifier TELNETON TELNETOFF Format Name INIT0100 TERM0100 Levels Supported Basic Level 1 2 Intermediate Level 3 Limitations See Chapter 3 in this guide TELNET TCP IP Address Controls Recommended Setting Level 3 Log All Not...

Page 169: ... Description TFTP Server Request Validation Clients utilizing TFTP Trivial File Transfer Protocol such as the IBM Net Station use this server Where used IBM Net Station Boot Server Identifier TFTPSRVR Format name VLRQ0100 Levels Supported Basic Levels 1 2 Intermediate Level 3 Limitations None Recommended Setting Level 3 Log All ...

Page 170: ...h time a user profile command is issued Where used Any interface or command line that can issue a user profile associated OS 400 command Server Identifier Format CHGPRF CHGP0100 CRTPRF CRTP0100 DLTPRFA DLTP0100 DLTPRFB DLTP0200 RSTPRF RSTP0100 Levels Supported Basic Levels 1 Limitations None Recommended Setting Level 1 Log All Notes 1 This point simply logs which user profile was affected who perf...

Page 171: ... 1 7 2 7 6 7 7 History file 12 25 See also TRAPOD I IP address controls 3 6 IP addresses 5 6 L Level 5 Re set 11 1 Logging Levels 1 2 2 4 Long path name 1 19 6 2 M MAC address 5 5 P PCREVIEW 7 10 7 11 10 3 10 4 10 11 11 11 PCTESTR 7 1 7 2 7 9 11 11 Ping 5 8 Pre Power Down Program Point 11 3 PTF 10 1 Purges DHCP addresses 5 7 TRAPOD 8 1 R Rejections See Error Codes Removing SafeNet 400 9 3 S Server...

Page 172: ...ser Profiles PUBLIC 1 5 1 7 1 10 1 11 1 12 1 14 1 17 1 19 Group 1 1 Swapping 10 10 11 6 11 7 Users Copying 1 21 Removing 1 21 Security Levels 1 5 Setting logging levels 1 2 Setting up 1 1 W WRKUSRSEC 1 22 ...

Reviews:

No comments