SAFENET/400 REFERENCE GUIDE
Version 8.50 ™
© 2008 MP Associates of Westchester, Inc.
How to contact us
Direct all inquiries to:
Kisco Information Systems
89 Church Street
Saranac Lake, New York 12983
Phone: (518) 897-5002
Fax: (518) 897-5003
SafeNet/400 Website: http://www.kisco.com/safenet
SafeNet/400 Support Website: http://www.kisco.com/safenet/support
Visit the SafeNet/400 Web Site at HTTP://WWW.KISCO.
TABLE OF CONTENTS
CHAPTER 1 - SETTING UP USERS ... 1.1
  SETTING THE USER LOGGING LEVELS ... 1.2
  SAFENET ADMINISTRATOR ... 1.3
  SUPER TRUSTED USER CONTROL ...
CHAPTER 7 - TESTING YOUR SECURITY SETTINGS ... 7.1
  TESTING SAFENET/400 SETTINGS BASED ON YOUR HISTORICAL DATA WITH THE ON-LINE TRANSACTION TESTER ... 7.2
  BATCH TRANSACTION TEST REVIEW/REPORT – SECURITY REPORT BY USER ... 7.6
  RECOMMENDED APPROACH TO TESTING ...
Chapter 1 - SETTING UP USERS

Navigating through the screens
You can perform each of the steps outlined in this chapter by using the corresponding option on the SafeNet/400 Main Menu. However, if you are setting up a new user, when you are finished with one screen you can use F9 to advance to the next without returning to the main menu. If you want to skip a step, you can cancel and return to the SafeNet/400 Main Menu.
Setting the User Logging Levels
The valid logging levels are:
  Logging Level A - Log all transactions
  Logging Level R - Log only rejected requests
  Logging Level N - No logging
As you set up your user logging levels, please keep in mind the following: if you set the logging level on the Server Function (WRKSRV) to NO LOGGING or REJECTIONS, the Server Function (WRKSRV) setting will override the individual user logging level.
SafeNet Administrator
You can set up a SafeNet/400 Administrator, or ‘Super Admin’, from the SafeNet/400 Special Jobs Menu (Option 5 – Maintain SafeNet Administrators) or by using the WRKSNADM command. The WRKSNADM command can be executed by a user with *SECADM or *SECOFR authority.
Super Trusted User Control
Under special circumstances it may be necessary to have a user that should not be checked through all the SafeNet/400 security routines. Transactions from these users can bypass the traditional SafeNet/400 security routines; you can choose to simply log them or not log them. From the Special Jobs Menu select Option 4 – Maintain Super-Users in SafeNet.
Entering User Security Levels
If you plan on setting any of the Server Functions to Level 3 or Level 4, and anticipate doing anything other than simply logging all requests, the first step in configuring SafeNet/400 is to give the users authority to any Server Functions they require.
1. From the SafeNet/400 Main Menu select Option 2 - Work with User to Server Security or use the WRKUSRSRV command. The Work User to Server Security Enter User Profile screen appears.
2.
Type 1 in the Option column in front of each server this user will have access to. If they will have access to all the server functions, select *ALL ACTIVE SERVERS. To remove access to a particular server, remove the ‘1’ and leave the Option column blank for that server.
4. Enter the Logging Level for each server:
   A = All
   R = Rejections only
   N = No logging
   When you have finished setting up servers for this user, press ENTER.
5. Enter the Job Run Priority for each server.
Entering User Authorities to Objects
Once you have given the user access to the servers, the next step is to enter the level of authority the user has to objects on the System i5, if you plan on setting any of the servers to Level 4.
1. If you used F9 from the previous screen, skip to Step 4.
2. If you are currently on the SafeNet/400 Main Menu, select Option 3 - Work with User to Object Level Security or use the WRKUSROBJ command. The Work User to Object Security screen is displayed.
3.
4. In the Library or Folder column, enter the name of the library or folder, then TAB to the Object or Sub-Flr column and type in the name of the object or sub-folder.
   Note: Allowed entries for Library or Folder:
   • *ALLLIB
   • *ALLFLR
   • Specific library name
   When setting up a library, you must enter the complete library name. Generic library names are not allowed.
5. For Data Rights, type an X under the appropriate level of authority. Place an X for each data right that applies.
6. For Existence Rights, type an X if this user will be able to create, delete or move an object. To assign EXCLUSIONS to objects and/or libraries, give the user no rights by leaving the Data Rights and Existence Rights columns blank.
7. Repeat these steps for each object or group of objects for this user profile. Page Down to the next screen if you need more lines.
Exclusions
To give all users read access to all objects in all libraries, but exclude them from any objects in the PAYROLL library, give *PUBLIC READ authority to the library and exclude *PUBLIC from the PAYROLL library.
1.10 SafeNet/400 Reference Guide © Copyright 2008 MP Associates of Westchester, Inc. V8.
If the PAYDEPT profile needs to use objects in the PAYROLL library, grant user profile PAYDEPT READ authority to the PAYROLL library. This individual authority overrides the *PUBLIC authority.
SafeNet/400 Reference Guide © Copyright 2008 MP Associates of Westchester, Inc. V8.50 - May 2008
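The PAYROLL exclusion example above, as an added illustration that is not part of the original guide and not SafeNet/400's own code: a small Python model of how the object authority entries resolve. Two rules come from the text (blank Data and Existence Rights are an exclusion; a user's own entry overrides the *PUBLIC entry). The entry layout, the function names and the rule that an entry naming the library beats an *ALLLIB entry for the same principal are assumptions made for the example.

```python
# Added example, not SafeNet/400 code: models object-authority resolution for
# the PAYROLL scenario.  Entry shape and the "named library beats *ALLLIB" rule
# are assumptions; the exclusion and *PUBLIC-override rules come from the guide.
from dataclasses import dataclass

ALLLIB = "*ALLLIB"
PUBLIC = "*PUBLIC"


@dataclass(frozen=True)
class ObjectRule:
    principal: str            # user profile or *PUBLIC
    library: str              # specific library name or *ALLLIB
    data_rights: frozenset    # e.g. {"READ"}; empty plus no existence = exclusion
    existence: bool = False   # may create, delete or move objects

    @property
    def is_exclusion(self):
        # Blank Data Rights and Existence Rights columns mean "exclude".
        return not self.data_rights and not self.existence


# Constructed table reproducing the worked example from the guide.
RULES = [
    ObjectRule(PUBLIC, ALLLIB, frozenset({"READ"})),        # everyone may read everywhere...
    ObjectRule(PUBLIC, "PAYROLL", frozenset()),             # ...except PAYROLL (exclusion)
    ObjectRule("PAYDEPT", "PAYROLL", frozenset({"READ"})),  # PAYDEPT's own entry overrides *PUBLIC
]


def _best_rule(principal, library, rules):
    """Most specific entry for this principal and library, or None.
    Assumption: an entry naming the library beats an *ALLLIB entry."""
    specific = [r for r in rules if r.principal == principal and r.library == library]
    if specific:
        return specific[0]
    general = [r for r in rules if r.principal == principal and r.library == ALLLIB]
    return general[0] if general else None


def check_object_access(user, library, right, rules=RULES):
    """Decide whether `user` may exercise `right` (a data right name such as
    "READ", or "EXISTENCE") on objects in `library`.  The user's own entry is
    consulted first; only when the user has none does *PUBLIC apply.  A
    matching entry with no rights at all is an exclusion and rejects."""
    for principal in (user, PUBLIC):
        rule = _best_rule(principal, library, rules)
        if rule is None:
            continue
        if rule.is_exclusion:
            return False
        if right == "EXISTENCE":
            return rule.existence
        return right in rule.data_rights
    return False  # no entry anywhere: nothing has been granted


if __name__ == "__main__":
    for user, lib in (("CLERK1", "SALES"), ("CLERK1", "PAYROLL"), ("PAYDEPT", "PAYROLL")):
        print(f"{user:8} {lib:8} READ -> {check_object_access(user, lib, 'READ')}")
```

Running the demo shows CLERK1 reading SALES (from the *PUBLIC *ALLLIB entry), CLERK1 rejected on PAYROLL (the *PUBLIC exclusion) and PAYDEPT accepted on PAYROLL (its own entry wins), which is the behaviour the two paragraphs above describe.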
Entering User Authorities to SQL Statements
If (and only if) you are going to set the SQL servers to Level 4, the next step is to authorize users to the SQL Statements they may need.
1. If you used F9 from the previous screen, skip to Step 4.
2. If you are currently on the SafeNet/400 Main Menu, select Option 4 - Work with User to SQL Statement Security or use the WRKUSRSQL command. The Work User to SQL Statements screen is displayed.
3. Type the user profile, the Group or *PUBLIC, then ENTER.
If you would like to see the list of all users who have been defined within SafeNet/400, press F2.
5. When finished making all your selections, press ENTER.
6. Press F9 to advance to the next step - setting up user authorities to FTP statements.
Entering User Authorities to FTP Statements
Next, if you are going to set the FTP Server or FTP Client to Level 4, you must authorize users to the FTP Statements they may need.
1. If you used F9 from the previous screen, continue with Step 4.
2. If you are on the SafeNet/400 Main Menu, select Option 5 - Work with User to FTP Statement Security or use the WRKUSRFTP command. The Work User to FTP Statements, Enter User ID screen is displayed.
3. Type the user profile or *PUBLIC then ENTER.
If you would like to see the list of all users who have been defined within SafeNet/400, press F2.
5. Press F4 to display the Maintain Special FTP Settings for Users screen.
   Note: Special FTP settings for a user are allowed only when your system is at OS/400 V5R1 or higher. If you are at a previous operating system level, these settings have no effect. For this user, the initial Name Format and List Format will override the settings established by the OS/400 Change FTP Server Attributes command (CHGFTPA).
   Name Format
   • *LIB - the user sees standard Library/Object OS/400 style names
   • *PATH - displays PC or *UNIX style file and directory names
   List Format
   • *DFT - the user sees standard OS/400 CHGFTPA server settings
   • *UNIX - the user sees UNIX style directory listings
6. When finished making all your selections, press ENTER.
7. Press F9 to continue to the next step - setting up user authorities to CL commands.
Entering User Authorities to CL Commands
Next, if you plan on setting the FTP, DDM or Remote Command Servers to Level 4, you must authorize users to the CL commands they may need.
1. If you used F9 from the previous screen, continue with Step 4.
2. From the SafeNet/400 Main Menu, select Option 6 - Work with User to CL Command Security or use the WRKUSRCMD command. The Work User to CL Commands, Enter User ID screen is displayed.
3. Type the user profile or *PUBLIC then ENTER.
To remove authorization to a command, FIELD EXIT through the line to blank it out. If you would like to see the list of all users who have been defined within SafeNet/400, press F2.
5. When finished typing all the required CL commands for this user, press ENTER.
6. Press F9 to continue with setting up path names.
Entering Long Path Names
The default SafeNet/400 setting is to use long path names. If you choose not to use long path name support, you must first change the SafeNet/400 default setting: use the CHGSPCSET command to set the PATHL parameter to *SHORT.
Follow these steps to authorize the user to the paths.
1. If you used F9 from the previous screen, continue with Step 4.
2.
4. Enter the paths that the user is authorized to. Paths can be entered up to 256 positions in length, although only the first 60 positions are shown on the display. To enter and/or view a path over 60 positions long, enter 2 in the Option column. Use /* to give authority to all folders/paths. End the path with * to allow access to all items in subfolders.
5. When finished typing all the paths for this user, press ENTER.
Copying an Existing User to Set Up a New User in SafeNet/400
This will allow you to copy the authorities and settings from one user to another within SafeNet/400. The new user profile must already exist in OS/400.
1. From the Special Jobs Menu, select Option 13 – Copy a User Setup to Another User or use the CPYSNUSR command. The Copy SafeNet User/Authorities screen is displayed.
2. Type the user profile you are copying from, then the new profile(s) to add.
3.
Maintain all Security for a User
The WRKUSRSEC command, which is not found on any of the SafeNet/400 menus, gives you the ability to perform security maintenance for an individual user without entering several different commands. When you use the WRKUSRSEC command you will be presented with the Maintain All Security for a User screen.
Setting up Time of Day Controls
If you want to exclude users from server functions based on the day of the week or the time of day, use Time of Day controls. SafeNet/400 checks authority in the following sequence, asking at each step "Is the <principal> authorized to <server> at this time?":
1. User - the specific server, then *ALL servers
2. Group - the specific server, then *ALL servers
3. Supplemental Group - the specific server, then *ALL servers
4. *PUBLIC - the specific server, then *ALL servers
SafeNet/400 checks until all the tests are passed or until an exclusion rule is encountered.
To set up the Time of Day controls for a specific user, use Option 2 – Work with User to Server Security from the SafeNet/400 Main Menu or the WRKUSRSRV command. Type the user profile, ENTER and then press F10. The User Time-of-Day Maintenance screen appears. To exclude the user from all servers during the same days of the week and time of day, type 2 – Change in front of *ALL. To select individual servers, type 2 in front of the servers you want to change.
You can define up to three time ranges and can select which days to exclude by typing X in front of the day. You can also define holidays that will be used to control Time of Day access. Press F9 to display the Time of Day Holiday Maintenance screen. Type the dates and descriptions of your holidays. Press ENTER.
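The check sequence described above, as an added example that is not part of the original guide and not SafeNet/400's code: a Python model in which each exclusion rule belongs to a principal and a server (a specific server or *ALL), carries the excluded days, up to three time ranges and an optional holiday flag, and the rules are evaluated in the documented order (user, group, supplemental groups, *PUBLIC; for each, the specific server and then *ALL). The rule fields, the server names such as *FILESRV, the holiday date and the sample schedule are constructed for the example; the guide states that the check stops at the first exclusion encountered, which is what the loop does.

```python
# Added example, not SafeNet/400 code: models the Time of Day check sequence.
# Rule layout, server names, holiday and schedule below are constructed.
from dataclasses import dataclass, field
from datetime import date, datetime, time

ALL_SERVERS = "*ALL"
PUBLIC = "*PUBLIC"
DAY_NAMES = ("MON", "TUE", "WED", "THU", "FRI", "SAT", "SUN")  # datetime.weekday() order


@dataclass
class TodExclusion:
    principal: str                               # user, group, supplemental group or *PUBLIC
    server: str                                  # specific server name or *ALL
    days: frozenset                              # excluded days, e.g. {"SAT", "SUN"}
    ranges: list = field(default_factory=list)   # up to three (start, end) time tuples
    holidays: bool = False                       # also exclude on defined holidays


def _applies(rule, when, holidays):
    """True if this exclusion rule covers the moment `when`."""
    on_excluded_day = DAY_NAMES[when.weekday()] in rule.days
    on_holiday = rule.holidays and when.date() in holidays
    if not (on_excluded_day or on_holiday):
        return False
    if not rule.ranges:  # no time ranges given: the whole day is excluded
        return True
    return any(start <= when.time() <= end for start, end in rule.ranges[:3])


def check_time_of_day(user, group, supplemental, server, when, rules, holidays=frozenset()):
    """Walk the SafeNet/400 order: user, group, supplemental groups, *PUBLIC,
    each first for the specific server and then for *ALL servers.  The first
    exclusion that covers `when` rejects; if every test passes the request is
    allowed.  Returns (allowed, reason)."""
    principals = [user]
    if group:
        principals.append(group)
    principals.extend(supplemental)
    principals.append(PUBLIC)
    for principal in principals:
        for target in (server, ALL_SERVERS):
            for rule in rules:
                if rule.principal == principal and rule.server == target \
                        and _applies(rule, when, holidays):
                    return False, f"excluded by {principal} rule for {target}"
    return True, "all time-of-day tests passed"


# Constructed sample: *PUBLIC is kept off every server on weekends and holidays;
# user NIGHTOP is additionally kept off *FILESRV between 01:00 and 04:00 daily.
SAMPLE_RULES = [
    TodExclusion(PUBLIC, ALL_SERVERS, frozenset({"SAT", "SUN"}), holidays=True),
    TodExclusion("NIGHTOP", "*FILESRV", frozenset(DAY_NAMES), [(time(1, 0), time(4, 0))]),
]
SAMPLE_HOLIDAYS = frozenset({date(2008, 5, 26)})  # constructed holiday (a Monday)


def decide_sample(user, group, server, year, month, day, hour, minute):
    """Convenience wrapper: evaluate one moment against the constructed sample."""
    when = datetime(year, month, day, hour, minute)
    return check_time_of_day(user, group, [], server, when, SAMPLE_RULES, SAMPLE_HOLIDAYS)[0]


if __name__ == "__main__":
    print(check_time_of_day("NIGHTOP", "OPS", [], "*FILESRV",
                            datetime(2008, 5, 20, 2, 30), SAMPLE_RULES, SAMPLE_HOLIDAYS))
    print(check_time_of_day("CLERK1", "SALES", [], "*DATABASE",
                            datetime(2008, 5, 27, 10, 0), SAMPLE_RULES, SAMPLE_HOLIDAYS))
```

Because NIGHTOP's own rule is tested before any group or *PUBLIC rule, a 02:30 request to *FILESRV on a Tuesday is rejected by the user-level rule, while the same user at 09:00 passes every test. A weekend or holiday request from any user falls through to the *PUBLIC *ALL rule and is rejected there.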
Chapter 2 - SETTING UP SERVERS
The final step in configuring SafeNet/400 is to enter the Security Level settings for all the server functions.
Important: If you do this step first and restrict access to the server functions prior to setting up user rights, you may disrupt network requests until the users’ authority table setup is completed. Setting up the Current Level on the servers should be considered the LAST STEP during the setup process.
SafeNet/400 Server Function Security Levels
Level 1:
• IBM default
• Unlimited access, all requests accepted
• Requests can be logged, reporting available
• Performance impact - none
Level 2:
• No access at all, all requests for server are rejected
• Requests can be logged, reporting available
• Performance impact - not a consideration
Level 3:
• Access granted on a user-by-user basis to the server
• Requests can be logged, reporting available
• Performance impact – minimal
• TELNET requires use of th
Level 5:
• This indicates that SafeNet/400 does not recognize a program assigned to the exit point or has detected a user-defined program assigned. (Use the WRKREGINF command to review existing exit point programs.)
Setting the Server Function Logging Levels
The valid logging levels are:
  Logging Level A - Log all transactions
  Logging Level R - Log only rejected requests
  Logging Level N - No logging
As you set up your Server Function logging levels, please remember the following: if you set the logging level on the Server Function to NO LOGGING or REJECTIONS, the Server Function setting will override the individual user logging level.
Basic Server Security - Supported by all Servers
• Level 1 - IBM Default
• Level 2 - No access to server
Intermediate Server Security - Supported by all Servers
• Level 3 - Users must be authorized to the server
• Special Level 3 - *TELNET - controls signon by IP address
Advanced Server Security - Supported by Specific Servers
• Level 4 - The user must be authorized to the server, the objects requested, the FTP Op or SQL Op, CL commands or long path to be used.
Recommended Server Settings
Server Description | Recommended Setting
Central Server - client management | Level 1, Log None
Central Server - conversion map | Level 1, Log None
Central Server - license management | Level 1, Log None
Database Server - entry | Level 3, Log All - Limit user access
Database Server - data base access - 100 | Level 4, Log All - Limit user and object access
Database Server - data base access - 200 | Level 4, Log All - Limit user and object access
Database Server - object informatio |
Distributed Data Management | Level 3, Log All - Limit user access, or Level 4, Log All - Limit users to specific objects and commands
DHCP | Level 1, Log None
DRDA DB2 Database Access Request | Level 3, Log All - Limit user
File Server | Level 4, Log All - Limit user and object access
FTP Client Server | Level 4, Log All - Limit user access & target connection by IP Address
FTP Logon Server | Level 3, Log All - Limit user access
FTP Server Validation | Level 4, Log Al
Original Message Server | Level 1, Log None
Original Remote SQL Server | Level 4, Log All - Limit user access to objects and SQL statements
Original Virtual Print Server | Level 1, Log None
PWRDWNSYS | Level 1, Log All – Log all requests
Remote Command/Program Call | Level 4, Log All - Limit user and object access and commands
REXEC Logon | Level 3, Log All - Limit user access
REXEC Server Request Validation | Level 4, Log All - Limit user, Source IP address
TELNET | L
Entering Server Function Security Levels
1. From the SafeNet/400 Main Menu select Option 1 - Work with Server Security Settings or use the WRKSRV command. The Maintain Server Security screen is displayed.
2. Enter the level of security and the logging level that is required for each server description in the Current columns. The Future column lets you enter a setting for each server based on what you think the setting will be in the future.
3. When you have finished entering information for all the servers, press ENTER. The screen is refreshed and any changes you made are reflected in the Current columns.
Customer Exit Programs
If you would like to use your own programs over these server exit points, F18 on the Maintain Server Security screen gives you the ability to do so. SafeNet/400 will look to see if there is a customer-written program to call. If there is, it calls the program, passing two parameters: a one-byte status code, plus the rest of the data string from the client. The customer exit program is always processed BEFORE the SafeNet/400 checks are done.
Chapter 3 - TELNET, TCP/IP ADDRESS CONTROLS
Setting up TELNET
TELNET control features are supported only when the server is set to Level 3.
Controlling TELNET Access by IP Address
1. Set the TELNET server to Level 3 using the WRKSRV command.
2. From the SafeNet/400 Main Menu, select Option 7 – Work with TCP/IP Address Security or use the WRKTCPIPA command and enter *TELNET as the server to control.
3. Enter the IP address in dotted decimal format (e.g., 10.2.2.2). Use wild card options if desired (10.2.2.x).
4. Enter A or R to accept or reject the request.
Restricting Access to Specific Device Names
1.
Setting the Required Password Type
This field must be set if the TELNET Server is set to Level 3. You must enter the appropriate setting for ALL TELNET IP address controls. As of OS/400 V4R2, only a setting of 0 or 1 is available. A setting of 2, although allowed here for encrypted passwords, is only available in V5R1 of OS/400.
Allow Auto Signon
1. Use the WRKSRV command to set the TELNET server to Level 3.
2. Use the WRKTCPIPA *TELNET command to enter the IP address allowed for auto signon.
3. Enter the password type (0 or 1 is required).
4. Enter a Y to allow auto signon.
5. Use the WRKSIGNON command to enter the IP address, the user profile, library, program or menu that the client will automatically be signed on to.
Logging of TELNET Sessions
Under normal signon conditions (no auto signon allowed), each request for a TELNET session is logged into the transaction history file (TRAPOD) by IP address, and a user name of QSYS. QSYS is used because no user profile is associated with the actual TELNET session start request. Each logoff is also recorded by IP address with a user of QSYS. If you use the auto signon feature, the request will be logged with the associated user set up in the Auto Signon Control file.
Setting up TCP/IP Address Controls
SafeNet/400 allows you to specify which client IP addresses are either accepted or rejected by the Telnet and the FTP Servers.
Turning on TCP/IP Address Checking
To set up and turn on TCP/IP address checking for the FTP Server and Rexec Server:
1. Type WRKTCPIPA *FTPSERVER then ENTER.
2. Add the IP addresses to the Control Table.
3. Type CHGFTPSET then press F4.
4. Change "Server Source limit by IP Address?" to *YES then ENTER.
5.
Setting up TCP/IP Address Control Table
1. Use SafeNet/400 Main Menu Option 7 or the WRKTCPIPA command.
2. In IP Addresses for Server enter *FTPSERVER, *FTPCLIENT or *TELNET for the proper control table.
3. Type the addresses to accept or reject. A indicates Accept; R indicates Reject.
Example 1:
  Address    Accept/Reject
  10.2.2.X   A
  10.2.2.5   R
In this example any address from 10.2.2.1 through 10.2.2.255 will be accepted, with the exception of 10.2.2.5, which will be rejected.
Example 2:
  Address
  10.2.
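Example 1 above, as an added illustration that is not part of the original guide and not SafeNet/400's code: a Python matcher for a control table of wildcard and exact entries. The behaviour that the exact entry 10.2.2.5 R overrides the wildcard 10.2.2.X A is what the example states; the helper names, the "most fixed octets wins" tie-breaking and the choice to reject an address that matches no entry are assumptions made for this example.

```python
# Added example, not SafeNet/400 code: evaluates an address against a TCP/IP
# address control table of (pattern, action) entries, where an octet of X is a
# wildcard and the most specific matching entry decides.  Helper names and the
# no-match default are assumptions.

def _matches(pattern, address):
    """True if every octet of `pattern` is X or equals the address octet."""
    pat = pattern.upper().split(".")
    addr = address.split(".")
    if len(pat) != 4 or len(addr) != 4:
        return False
    return all(p == "X" or p == a for p, a in zip(pat, addr))


def _specificity(pattern):
    """Number of fixed (non-wildcard) octets; higher means more specific."""
    return sum(1 for p in pattern.upper().split(".") if p != "X")


def decide(address, table, default="R"):
    """Return 'A' (accept) or 'R' (reject) for `address`.

    Among all entries that match, the one with the most fixed octets decides,
    so 10.2.2.5 R beats 10.2.2.X A for that one host while the wildcard still
    covers the rest of 10.2.2.*.  Assumption: an address that matches no entry
    gets `default`, which is reject here as the conservative choice."""
    matches = [(p, act) for p, act in table if _matches(p, address)]
    if not matches:
        return default
    pattern, action = max(matches, key=lambda m: _specificity(m[0]))
    return action.upper()


# Constructed table reproducing Example 1 from the guide.
EXAMPLE_1 = [("10.2.2.X", "A"), ("10.2.2.5", "R")]

if __name__ == "__main__":
    for ip in ("10.2.2.1", "10.2.2.5", "10.2.2.255", "10.3.0.1"):
        print(f"{ip:12} -> {decide(ip, EXAMPLE_1)}")
```

If two matching entries have the same number of fixed octets, `max` keeps the first one in table order; when you maintain a real control table, avoid overlapping entries of equal specificity so that the intended result does not depend on ordering.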
Chapter 4 - SETTING UP FTP
Anonymous FTP Logon
To set up for Anonymous Logon, you must fill in the special FTP settings, and set the FTP Logon Server to Level 3 and the FTP Server Validation to Level 4. Follow these steps for FTP:
1. From the SafeNet/400 Main Menu select Option 10 - Go to Special Jobs Menu.
2. From the Special Jobs Menu select Option 3 - Change Special FTP Server Settings or use the CHGFTPSET command along with F4. The Change SafeNet FTP Settings screen is displayed.
Set the parameters for the CHGFTPSET command as follows. The default value is highlighted in bold.
Parameter: RLOGON
Screen Selection: Allow Normal USERID FTP Logon
Values: *YES, *NO
Description: This parameter is used to determine whether or not you want regular OS/400 user IDs to be able to sign on through the FTP server. If you want only anonymous logons, set this to *NO and FTP for anonymous logons to *YES.
Parameter: GUEST
Screen Selection: Allow Anonymous GUEST Password
Values: *YES, *NO
Description: To allow Anonymous user logins with the password of GUEST, enter *YES here. You can choose GUEST or use an E-mail address.
Note: If you select GUEST, the System i5 still prompts an anonymous user for their E-mail address. SafeNet/400, however, will only allow GUEST as the password.
password of *NONE and *USER for the profile type. If you do this, no one can use this profile to sign on since the password is set to *NONE.
Parameter: APWD
Screen Selection: Password for Above Profile
Value: pword
Description: Enter the password to be used with the profile in parameter AUSRPRF for Anonymous FTP.
Setting up for ANONYMOUS FTP Example
1. Create a user profile on the System i5 called ANONYMOUS, with password *NONE and user class *USER, and set the Current Library.
2. From the Special Jobs Menu, select Option 3 - Change Special FTP Server Settings or use the CHGFTPSET command along with F4.
3.
If using long path support, use the WRKUSRPTH command to enter the correct path or paths for ANONYMOUS.
14. Select Option 5 - Work with User to FTP Statement Security or use the WRKUSRFTP command to grant the ANONYMOUS user ID authority to specific FTP commands. Use the additional FTP settings if required or if you want the ANONYMOUS profile initial path to be an IFS directory.
Setting up for Normal User IDs and FTP Servers Example
1. From the Special Jobs Menu select Option 3 - Change Special FTP Security Settings or use the CHGFTPSET command.
2. On the FTP Security Settings screen, set Allow normal user IDs to log on the FTP to *YES or use the RLOGON(*YES) parameter.
3. Return to the SafeNet/400 Main Menu and select the following options:
   • Select Option 1 - Work with Server Security Settings or use the WRKSRV command. Locate the FTP Logon, FTP Client and/or FTP Server points.
Chapter 5 - DHCP Controls and Reporting
Dynamic Host Configuration Protocol
DHCP allows clients to obtain IP network configuration, including an IP address, from a central DHCP server. DHCP servers control whether the addresses they provide to clients are allocated permanently or leased for a specific period of time. When the server allocates a leased address, the client must periodically check with the server to re-validate the address and renew the lease.
Working with DHCP
DHCP functions are performed from the DHCP Control and Reports Menu. From the SafeNet/400 Main Menu select Option 13 – Go To DHCP Menu. The DHCP Control and Reports Menu appears. The DHCP functions provide the ability to maintain MAC addresses and device names, set IP addresses and ping IP addresses. From the DHCP Control and Reports Menu you can also run reports for active and expired leases, MAC names and IP address lists.
Current DHCP Activity
To see current status, from the DHCP menu select Option 1 – Display Current DHCP Activity. This screen displays bind and release information. Use function keys to switch views:
F2 switches between the Currently Active DHCP Addresses Bound and the Expired or Released DHCP Addresses screen. The Expired or Released addresses list contains information gathered since the last time the list was purged.
Move your cursor to the name you want to change in the Editable Names column. Press ENTER to record the change. To use this function make sure you are looking at the Currently Active DHCP Addresses Bound screen. Use F2 if necessary to switch.
F5 pings the addresses. This will ping all the IP addresses that are displayed. The responses will flash at the bottom of the screen. When the process has completed, you will see a Ping Status column indicating the results of the pings.
Maintaining MAC Addresses
From the DHCP menu select Option 5 – Manually Maintain MAC Addresses to User Names. This operates as a standard OS/400 DFU program.
Press F9 to use insert mode when editing.
Press F23 to delete the MAC address and name.
Fixed IP Addresses
To assign IP addresses to devices, from the DHCP Menu select Option 6 – Manually Maintain Permanent, Static IP Addressed Devices or use the SNDHCPPR command. Even if you are not using DHCP on your System i5, you can use this option to do PING checks for network troubleshooting. If you enter a DHCP IP address you will receive an error message. This is for fixed IP addresses only.
Purging Expired DHCP Lease Information
The Expired or Released DHCP address information is cumulative and will remain in the system until you purge it. From the DHCP Menu select Option 8 – Run Purge of Expired DHCP Lease Information. Enter the date and time to purge through. When you press ENTER the log of expired DHCP leases will be cleared.
Ping Checker
You can use this option to ping a single IP address or a range of addresses. From the DHCP Menu select Option 10 – IP Address Range Ping Checker. Enter the range of IP addresses that you want to ping. Press ENTER and you will begin to see replies flash on the bottom of the screen. When all the IP addresses have been pinged the Status column will display the results of the pings.
Chapter 6 - REPORTS
SafeNet/400 reports are grouped into two categories:
• Setup Reports provide information on server settings, user authorities to servers and to data, etc.
• Analysis Reports provide data on SafeNet/400 usage - the who, what, where and when information you need to manage your system.
Analysis reports have been enhanced to include the ability to select specific dates and/or users, including summaries by group profile.
Setup Reports
These reports are accessed through the SafeNet/400 Main Menu, Option 11 – Go to Setup Reports Menu (GO SN3 command).
1. Server Status - Prints each Server Function and its security level setting.
2. User to Server Security Listing - Lists users and the Server Functions they are authorized to.
3. User to Object Security Listing - Lists users, the libraries and objects they have authority to and the rights the users have to the objects.
4.
Usage Reports
These reports are accessed through the SafeNet/400 Main Menu, Option 12 – Go to Analysis Reports Menu (GO SN4 command). Menu SN4 options 2 through 7 also give you the ability to run auto-enrollment reports and perform the auto-enrollment process.
1. Security Report by User (also the Batch Transaction Test Report) - Lists each request by user, the Server Functions they are requesting, the server’s security level setting, and whether the request was accepted or rejected.
Chapter 7 - TESTING YOUR SECURITY SETTINGS
Once you have planned your server function Security Level settings, SafeNet/400 gives you a method to test the settings to make sure they will provide the level of security you anticipate. It acts as a “what-if” tool to verify the effect your settings will have before you actually turn on access control.
Testing SafeNet/400 settings based on your historical data with the on-line transaction tester
This is the preferred method if you would like immediate feedback.
1. From the SafeNet/400 Main Menu select Option 10 - Go to Special Jobs/Setup Menu (or use the GO SN2 command).
2. Select Option 10 - On-Line Transaction Testing or use the PCTESTR command. The On-Line Transaction Testing screen will appear.
3. In the Security Levels to Check field:
   Type C (Current) to test transactions with your present SafeNet/400 Server Security Levels.
   Type H (Historical) to review the actual status received when the transaction was logged; no new ‘re-testing’ is performed.
   Type F (Future) to test transactions with your future Server Security Levels. This will test each selected transaction against the future security setting to determine if your security control files are set up correctly.
4. When you press ENTER and a transaction that meets your selection criteria is found, the On-Line Transaction Testing Mode screen is displayed. This describes:
   • Additional command keys are shown when rejections are displayed. These additional command keys will allow you to work directly with the appropriate user setting based on the rejection code.
5. You can roll up or down to scroll backward and forward, or you can press ENTER to scroll forward to the next record in the logging file. At any time you can press F12 to return and enter a new starting date and time, server or user, or change the Security Level to check.
Batch Transaction Test Review/Report – Security Report by User
You can use this batch report to test all the historical transactions through current and future control file settings. With this report you can make changes to control files, then re-run all the historical transactions back through a security check process to determine if further security set up is required.
Page Down if you would like to print the report to an output file. When you have finished making your selections, press ENTER to submit the report to batch.
Recommended approach to testing
A recommended approach to using the On-Line Transaction Testing program is:
1. Set all of the important server functions to Security Level 1, Log All. This will log all requests without affecting any users. Set your Future Server settings or use the preloaded recommended values. Turn off logging on the non-critical servers to limit logging.
2. Collect your requests and print out the Security Report by User from the Network Transaction Analysis Reports Menu.
PCREVIEW
Use the PCREVIEW command or Option 9 - On-Line Transaction Review from the SafeNet/400 Special Jobs Menu to review each transaction logged by SafeNet/400. This displays the historical transactions only. No testing can be performed using this tool.
1. Type PCREVIEW and press ENTER. The Network On-Line Transaction Review screen is displayed and the HELP key is active.
2. Using the fields at the top of the screen, you can select only the records you wish displayed.
The On-Line Transaction Review Mode screen is displayed, supplying more detailed information about the specific transaction. You can use the ROLL UP/ROLL DOWN keys to scroll through the sequential transactions or press ENTER to return to the PCREVIEW sub-file screen. If you selected only a specific user or server to be displayed in PCREVIEW, you will find that only those records meeting the selection criteria will be displayed as you scroll through the file with the on-line transaction test program.
Chapter 8 - BACKUPS AND PURGES
Log file Purge
When SafeNet/400 is logging client requests, the information is kept in the TRAPOD file in library PCSECDTA. At times this file may grow to a considerable size. This function deletes the records in the TRAPOD file. There are two ways to purge the TRAPOD file:
1. Standard purge using retention days or purge-through date
2.
To perform a standard purge

1. Back up the TRAPOD file to tape, if desired. You must issue the ENDTRP command BEFORE beginning the backup.
2. Select Option 8 from the Special Jobs Menu or use the STRPRG command.
3. Enter the number of days to retain information in the TRAPOD file, or enter the date to purge through. The default is to retain the information for thirty days.
4. You can direct the processing of the purge to a specific job queue.
To purge the log and archive the records

1. Select Option 8 from the Special Jobs Menu or use the STRPRGARC command.
2. Enter the number of days to retain information in the TRAPOD file, or enter the date to purge through. The default is to retain the information for thirty days.
3. Make sure Archive purged records is set to *YES.
4. Set Print purged records and Only print rejections to whichever option you wish.
5. Use F10 to display Additional Parameters.
6.
Automating the log file purge

To automatically purge the log file, archive the purged records and generate the transaction report, use the following command or add it to the system job scheduler:

    SBMJOB CMD(PCSECLIB/STRPRGARC DAYS(XXX)) JOB(SECPRG)

XXX is the number of days to retain records (060 = 60 days retention).

Automating the One Step Security Report

To automatically run the security report without purging or archiving any records, use the following command:

    PRTSECRPT

There are no parameters for this command.
Automating and Running the Security Report and the Log File Purge Together

Use this method to automate both the SafeNet/400 Security Report and the Log File Purge. For this example, the purge is being done on Mondays and Thursdays. You may use any schedule you wish; however, make sure your purge is retaining enough days for reporting purposes. Each of these commands provides parameters to print either only rejections or all transactions. Review these parameters and change as required.

Monday
1.
This example runs the Log File Purge and retains only 1 day of data in the file.

Saturday
1. Run the security report and see the entire contents of the log:
    PRTSECRPT
2. Run the purge and retain 1 day:
    STRPRGARC DAYS(001)

Note: It is a good idea to run these commands back-to-back and at off-peak hours to minimize performance impact.
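The "Automating the log file purge" and "Running the Security Report and the Log File Purge Together" procedures above hand two separate commands to the job scheduler. Putting both into one CL program guarantees that the report finishes over the complete log before any records are purged, and that a failed report stops the purge. This is an added example, not a program shipped with SafeNet/400: the commands PRTSECRPT and STRPRGARC and library PCSECLIB are taken from this guide; the program name SECMAINT, its library QGPL, the 60-day retention, the job queue and the run times are assumptions.

```cl
/* SECMAINT - added example, not part of SafeNet/400.                     */
/* Runs the One Step Security Report and then the purge/archive in one    */
/* job, so the report always sees the complete log before records go.     */
/* PRTSECRPT, STRPRGARC and library PCSECLIB come from the guide; the     */
/* program name, QGPL, the retention value and job queue are assumptions. */
             PGM

             /* Step 1: report on the full contents of the log. If the   */
             /* report fails, end with an escape message so no           */
             /* unreported records are purged.                           */
             PCSECLIB/PRTSECRPT
             MONMSG     MSGID(CPF0000) EXEC(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                           MSGDTA('SECMAINT: PRTSECRPT failed, purge skipped') +
                           MSGTYPE(*ESCAPE)
             ENDDO

             /* Step 2: purge TRAPOD and archive the purged records.     */
             /* 60 days retention (assumed) keeps enough history for     */
             /* the twice-weekly reporting schedule in the guide.        */
             PCSECLIB/STRPRGARC DAYS(060)
             MONMSG     MSGID(CPF0000) EXEC(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                           MSGDTA('SECMAINT: STRPRGARC failed') +
                           MSGTYPE(*ESCAPE)
             ENDDO

             ENDPGM
```

Compile the source with CRTCLPGM PGM(QGPL/SECMAINT) SRCFILE(QGPL/QCLSRC), then register one scheduler entry instead of two, for example ADDJOBSCDE JOB(SECMAINT) CMD(CALL PGM(QGPL/SECMAINT)) FRQ(*WEEKLY) SCDDATE(*NONE) SCDDAY(*MON *THU) SCDTIME('02:00:00') JOBQ(QBATCH). Because failures are raised as escape messages, the scheduled job ends abnormally and shows up in the job scheduler's status and the QSYSOPR message queue rather than silently leaving the log unpurged or unreported.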
Daily Backup Procedure

Modify your daily backup procedure to follow these guidelines:

1. Enter the command CHGSPCSET LOGALL(*NO). This prevents SafeNet/400 from attempting to log requests.
2. Issue the ENDTRP command within SafeNet/400. This ends the transaction logging program and subsystem.
3. Perform your normal backup steps.
4. Enter CHGSPCSET LOGALL(*YES) to begin logging again.
5.
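The backup guidelines above as a CL wrapper around the nightly save, written so that request logging is switched back on even when the save itself fails (a backup error that leaves LOGALL(*NO) in place means an unlogged day). This is an added example and not a program from this guide: CHGSPCSET, ENDTRP and library PCSECDTA come from the guide; the program name SAFEBKUP, the assumption that the SafeNet/400 commands are in library PCSECLIB, the tape device TAP01 and the libraries saved are assumptions, and step 5 of the procedure is cut off on the page, so its command is left as a marked placeholder.

```cl
/* SAFEBKUP - added example, not part of SafeNet/400.                     */
/* Wraps the daily save in the guide's four steps and guarantees that     */
/* request logging is switched back on even if the save fails.            */
/* CHGSPCSET, ENDTRP and PCSECDTA come from the guide; the program name,  */
/* library PCSECLIB for the commands, device TAP01 and the saved          */
/* libraries are assumptions for this example.                            */
             PGM
             DCL        VAR(&SAVEFAIL) TYPE(*LGL) LEN(1) VALUE('0')

             /* Step 1: stop SafeNet/400 from trying to write log records */
             PCSECLIB/CHGSPCSET LOGALL(*NO)

             /* Step 2: end the transaction logging program and subsystem */
             /* so TRAPOD is not open while it is saved. If logging was   */
             /* already ended, carry on with the save.                    */
             PCSECLIB/ENDTRP
             MONMSG     MSGID(CPF0000)

             /* Step 3: the site's normal backup (assumed). Only remember */
             /* a failure here; never leave before logging is re-enabled. */
             SAVLIB     LIB(PCSECDTA PCSECLIB) DEV(TAP01) ENDOPT(*LEAVE)
             MONMSG     MSGID(CPF0000) EXEC(CHGVAR VAR(&SAVEFAIL) VALUE('1'))

             /* Step 4: resume logging unconditionally                    */
             PCSECLIB/CHGSPCSET LOGALL(*YES)

             /* Step 5 of the guide's procedure (restarting the           */
             /* transaction logging program) is cut off on the page; put  */
             /* the product's start command here.                         */

             /* Surface the save failure only after logging is back on,   */
             /* so the operator sees it and the job ends abnormally.      */
             IF         COND(&SAVEFAIL) THEN(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                           MSGDTA('SAFEBKUP: SAVLIB failed; SafeNet/400 logging re-enabled') +
                           MSGTYPE(*ESCAPE)
             ENDDO

             ENDPGM
```

The ordering matters: the MONMSG after SAVLIB only records the failure, and the escape message is sent last, so a save error can never skip step 4. Monitoring ENDTRP lets the program run correctly on a night when logging was already stopped by hand.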
Chapter 9 - DE-ACTIVATING AND REMOVING SAFENET/400

You must be signed on as a Super Admin in SafeNet/400 to perform any Activate/De-Activate processes. See 'SafeNet Administrator' in Chapter One of this guide.

De-activating SafeNet/400

Under some circumstances you may want to de-activate SafeNet/400. It may be necessary when troubleshooting network problems, to make sure they are not being caused by an application such as SafeNet/400, or when you need to remove SafeNet/400 from your system.
To activate or de-activate SafeNet/400:

Remember, you must be a SafeNet/400 Super Admin to perform this step.

1. From the Special Jobs Menu select Option 6 - Activate/De-Activate SafeNet/400. The Server Activation Control screen is displayed, indicating the current setting.
2. Press F5 to change the setting and return to the Special Jobs Menu.
3. After performing these steps, end all subsystems, then restart them to maintain security integrity.
4. Try your network request again.
Removing SafeNet/400 from your system

If it becomes necessary to completely remove SafeNet/400 from your System i5, follow these steps.

1. Sign on to the System i5 as QSECOFR or SAFENET.
2. De-activate SafeNet/400. Follow the instructions on the previous pages to de-activate the program.
3. IPL the System i5.
4. Delete libraries PCSECLIB and PCSECDTA.
5. Delete the SAFENET authorization list from your system.

SafeNet/400 is now completely removed from your system.
Chapter 10 - PROBLEM DETERMINATION

If SafeNet/400 is not working properly, there are a few general things to check.

Error Message Received on the System i5

1. Did you perform an IPL after the initial SafeNet/400 installation? It is necessary to IPL your System i5 after completing the installation steps. If you do not IPL your system, you will experience unpredictable results.
   Recovery: IPL your system, then try SafeNet/400 again.
2.
5. Have you made changes to server function Security Levels or user authority tables? If a particular request was working, and now it is not, make sure you have not inadvertently disabled a server function or revoked authorities from a user.
   Recovery: Double-check the changes against the request log, and use the on-line transaction program to test your authority settings.
Error Message Received on the Client

If you receive an error message indicating a problem with a client or a communications request, or an exit program rejection, and SafeNet/400 is active:

Check the request log for a 'REJECTED' response
1. Use the date and time along with the user ID to find the request that was rejected. Use PCREVIEW or check the Security Report.
2. When you find the request that was rejected, the log will indicate the reason for the rejection.
If you are unsure that SafeNet/400 is the source of the problem

1. Reset the Security Level in SafeNet/400 by following these directions:
   • From the SafeNet/400 Main Menu select Option 1 - Work with Server Security Settings, or use the WRKSRV command.
   • If you know which server function the request is using, change that server's Security Level to 1. If you cannot determine which server function the request is attempting to access, set all the servers to Security Level 1.
If you receive a message on the System i5 about a SafeNet/400 or PCSECLIB program, or you still cannot resolve a client error or client application error, check to see if the system was IPL'd since you:
   • Initially installed SafeNet/400
   • Applied PTFs to SafeNet/400
If not, you must IPL your system for the changes to take effect.
If you still cannot resolve the problem

1. Check all the joblogs for the jobs in the subsystems:
   QSYSWRK
   QSERVER
2. You may have to change the QDFTJOBD job description to capture the joblogs of certain jobs initiated by client requests:

    CHGJOBD JOBD(QDFTJOBD) LOG(4 00 *SECLVL) LOGCLPGM(*YES)

   Note: Remember to change this back to its default when you have resolved the problem, or you may generate an excessive number of joblogs:

    CHGJOBD JOBD(QDFTJOBD) LOG(4 00 *NOLIST) LOGCLPGM(*NO)

3.
Examples of Client Error Messages

Some common error messages you may see on a Windows95 client:

[Client message screenshot] This message was received on the client when the server function was set to Level 2 - Function Disabled/No Access.

[Client message screenshot] This message was received on the client when the user was not authorized to the server.
[Client message screenshot] This message was received on the client when the user was not authorized to the SQL Select statement.
Error Codes which Appear in the Log

Code  Status    Reason
1     Accepted
0     Rejected  Reason unavailable
A     Rejected  Server is turned off
B     Rejected  No authority to server
C     Rejected  No authority to object
D     Rejected  No authority to library
E     Rejected  Invalid Data Rights authority
F     Rejected  Invalid Object Management Rights
G     Rejected  Unauthorized path statement
H     Rejected  No authority to SQL statement
I     Rejected  Incoming commands *OFF
J     Rejected  No authority to Root Directory
K     Rejected  Unauthoriz
Additional Troubleshooting Tips

PCREVIEW Command
Use the PCREVIEW command to easily view historical network transactions. You can select various filters to display only the records from the log file you are interested in. From this screen you can request details of the information.

TRAPOD File
When testing network requests through SafeNet/400 you can see each transaction being written to the TRAPOD file in library PCSECLIB.
Chapter 11 - SPECIAL SAFENET/400 CONSIDERATIONS

This section contains information on procedures that will help you manage and automate certain SafeNet/400 functions.

Resetting Level 5 within SafeNet/400

When an installation has a user exit program in place that SafeNet/400 does not recognize, the exit point is automatically set to Level 5 (unsupported). To allow SafeNet/400 to support this server you must do the following:

1. Remove your user exit program from the registration facility in OS/400.
   Follow the instructions to de-activate the program found in Chapter 9 of this guide, 'De-activating and Removing SafeNet/400'.
6. Re-activate SafeNet/400: select Option 6 - Activate/De-Activate SafeNet/400.
7. Restart your system.
Pre-Power Down Program Point

You can create a power down CL program to be called whenever the PWRDWNSYS command is issued. SafeNet/400 will call this program and log the request whenever the command is processed. To use this feature, create a CL program called PWRDWNCL and place it in library QGPL.
Using Automatic Alert Notification Alert notification continually monitors network activity and can issue warning messages to up to five different message queues whenever an attempt is made to access an unauthorized server or object. You can also choose to have alerts sent via e-mail. This uses the SNDDST command and requires that you set up a distribution list. When creating a distribution list for alert notification, the List ID Qualifier MUST be your System i5 system name.
Activating SafeNet/400 Alert Notification

1. From the SafeNet/400 Special Jobs Menu select Option 7 - Change Alert Notification Status, or use the CHGNOTIFY command and press F4.
2. Type *ON for parameter ALERT to activate alert notification, then press ENTER.
3. Enter *YES to receive summarized alerts or *NO for detailed alerts.
4. Enter *YES to receive alerts as e-mail or *NO to receive alerts as workstation messages only. Your system must be configured for SMTP before e-mails can be used.
5.
Profile Swapping Profile Swapping allows you to assign an alternate or a "swapped" user profile to be interrogated by SafeNet/400 and passed to OS/400 for security lookups. When profile swapping is in use, any incoming network transactions or jobs are assigned the alternate profile (the 'Swap to' profile) and passed as this alternate profile to OS/400. OS/400 then performs all security related checking as if the request came from the 'Swap to' profile and not the original profile.
Setting up a Swap Profile

Make sure that you have set the SWAPU parameter on the CHGSPCSET command to allow profile swapping. Then follow these steps to set up your alternate profiles.

1. From the Special Jobs Menu, select Option 15 - Swap Profile Maintenance or use the WRKSWPPRF command.
2. Enter the user profile to work with. You can type the user profile, use F4 for a list, or type *ALL for a complete list of swap profiles. Press ENTER. The Maintain Authorized Swap Profiles screen appears.
3.
Journaling SafeNet/400 Security Files

You may wish to journal all changes made to any of the SafeNet/400 security files for audit purposes. Three programs are provided to assist with the journaling process:

1. Call PCSECLIB/STRSAFEJRN
2. Call PCSECLIB/ENDSAFEJRN
3.
Files Contained in SafeNet/400

These files are available for you to use for any additional reporting requirements you may have. All are located in library PCSECDTA.

DHCPBLOG   Contains DHCP Bindings log reports
DHCPRLOG   Contains DHCP Release log reports
ERRORD     Contains all error codes (accepted/rejected) associated with SafeNet/400
FIXEDIPS   Contains fixed IP client addresses (static addresses)
IBMFLR and IBMFLRL (long paths to IBM folders)   Contains all IBM supplied folder names
TRAPOD     All logged network requests are placed in this file. This file will grow significantly over time, depending on network traffic. Be sure to pay close attention to its size and establish a schedule to purge records. This file can also be used for additional user-developed reporting. See IBM OS/400 Servers and Administration for additional information and record layouts.
SafeNet/400 Commands

Command     Description
ADDSNADM    Maintain SafeNet administrators
ADDSNUSR    Allows batch maintenance of SafeNet/400 users
ADDUSRCMD   Allows batch maintenance of users to commands
ADDUSRFTP   Allows batch maintenance of users to FTP
ADDUSROBJ   Allows batch maintenance of users to objects
ADDUSRSQL   Allows batch maintenance of users to SQL
ADDUSRSVR   Allows batch maintenance of users to servers
CHGFTPSET   Change FTP special settings
CHGNOTIFY   Changes status of Alert Notification
Command     Description
PRTSQLUSG   Reports SQL statement usage and auto-enrollment
PRTSRVUSG   Reports server usage and auto-enrollment
RMVSNUSR    Removes a user from all SafeNet/400 enrollments
RMVSNUSR1   Removes all profiles not defined to OS400
Command     Description
WRKSWPPRT   Work with Swap Profiles
WRKTCPIPA   Work with TCP/IP address control
WRKUSRCMD   Work with user to CL commands
WRKUSRFTP   Work with user to object FTP statement security
WRKUSROBJ   Work with user to object security
WRKUSRPTH   Work with User to IFS path security
WRKUSRSEC   Work with user security. Permits access to all security screens for an individual user without entering several different commands.
Chapter 12 - SERVER FUNCTION DESCRIPTIONS

This section lists all the current System i5 server functions, their descriptions and information on how they are used. The servers are alphabetized within two groups - the Original Servers and the Optimized Servers.
Original Servers

These servers have been provided by IBM since PC Support/400 became available. Support for these original servers was designed for and is still used to service the original clients: DOS, Extended DOS and OS/2.
Distributed Data Management

Description: Distributed Data Management - 100
Security checking is performed when a remote user or system accesses a System i5 file or issues an incoming remote command via DDM. The remote user must be authorized to perform the operation (open, close, read or write, for example) or the DDM request is rejected.
Where used: iSeries Access for Windows; Client Access for Windows 3.
3. For Version 4 of SafeNet/400, if *DDM is set to Level 4, you must authorize each user to the CL commands they may issue to the System i5.
4. Most System i5 systems, by default, use the QUSER profile for the communications conversation. QUSER must have authority to all files that are being accessed and must be authorized to the *DDM server function. To change from QUSER as the default, a change to the default communications entry must be made in the QCMN subsystem description.
Original Data Queue Server

Description: Original Data Queue Server - 100
A data queue is a System i5 object that is used by System i5 application programs for communications. Applications can use data queues to pass data between jobs. Multiple System i5 jobs can send or receive data from a single data queue.
Where used: Client Access for Windows 3.
Original Transfer Function Server

Description: Original File Transfer Function - 100
The Client Access transfer function transfers data between the System i5 system and a personal computer.
Where used: Client Access for Windows95 - PC5250 transfers, automatic file transfer functions (RTOPCB, etc.); Client Access for Windows 3.
4. Full control of library, object and data rights is allowed.
5. At Level 4, to select or extract a list of objects from within a library, you must enter the name of the library and use *ALL in the Object or Sub-Flr column. The user will need Read data rights to the library.
Original License Management Server

Description: Original License Management Server - 100
The license management server ensures valid licenses are available for Client Access, IBM and non-IBM licensed applications when requested from a client. The license management server performs this process every time a Client Access client requests a license for an application, typically upon session initiation.
Original Message Server

Description: Original Message Server - 100
The message function server allows users to communicate with each other by sending messages. Users can communicate with other users at System i5 workstations or with users at personal computers that are attached to the System i5 system. The message function server routes messages sent from PC users to the appropriate user and receives messages for PC users and sends them to the PC workstation.
Original Remote SQL Server

Description: Original Remote SQL Server - 100
The remote SQL server processes requests that are received from Client Access products that are using the high-level language remote SQL API. The API allows applications running on the clients to run SQL statements on a remote System i5 system. The databases accessed may be either SQL database files or native System i5 database files.
Where used: Client Access for Windows 3.
Original Virtual Print Server

Description: Original Virtual Print Server - 100
The virtual print server is used to print data from PC application programs on System i5 printers.
Where used: Client Access for Windows 3.
Example 2: To grant authority to only the PAYROLL printer, enter:

   Library or Folder   Object or Sub-Folder   Read
   QUSRSYS             PAYROLL                X
Optimized Servers

This server support, provided by IBM with Client Access (now iSeries Access for Windows) beginning with OS/400 Version 3 Release 1, services optimized clients: Windows 3.1 (16 bit applications), Optimized OS/2 (32 bit applications) and Windows98, Windows 2000, Windows XP. Additional servers are supplied by IBM for each new release of OS/400.
Central Server - Client Management Description: Central Server - client mgmt - 100 The central server provides the ability to update the client management database on the System i5. iSeries Access for Windows uses this function when new or existing iSeries Access for Windows clients attach to the server.
Central Server - Conversion Map Description: Central Server - conversion map - 100 The central server provides support for retrieving conversion maps for clients that need them. These conversion maps are usually used on the client for ASCII to EBCDIC conversions and EBCDIC to ASCII conversions.
Central Server - License Management Description: Central Server - license mgmt - 100 The license management support provided by this server is very similar to the support in the original license management server for iSeries Access for Windows clients. The initial request from a client checks out a license for each iSeries Access for Windows user and the server remains active until the client is no longer communicating with the System i5.
DB2 for System i5 Database Access Request - DRDA

Description: DRDA DB2/400 Database Access Request
This server is used whenever a client requests a DRDA conversation connection.
Where used: Rumba Access; DB2 for System i5™; DB2 for OS/390™; DB2 Connect™; and more
Server Identifier: *DRDA
Format Name: *DRDA
Levels Supported: Basic (Levels 1,2), Intermediate (Level 3)
Limitations: None
Recommended Setting: Level 3, Log All
Notes:
1.
Database Server - Data Base Access - 100 Description: Database Server - data base access - 100 This server function manipulates data base files on the System i5. It allows operations to data base files, such as: create physical file, add database file member, delete file.
Database Server - Data Base Access - 200

Description: Database Server - data base access - 200
This server function enables the addition of library list entries.
Where used: iSeries Access for Windows for Windows95 - access to the System i5 database through the ODBC interface; file transfers. Used by various ODBC, DRDA™ and SQL packages such as Microsoft Access, Microsoft Query, etc.
Database Server - Entry

Description: Database Server - Entry - 100
This server function is used at the server initiation request. It is the request that always comes first; all other database server requests come after a request to this entry point. It is called whenever a new connection to the database server is started and a new QZDASOINIT job is initiated to service client database requests, such as calling a stored procedure.
Database Server - Object Information - 100 Description: Database Server - object information - 100 This server function is used for requests to retrieve information about certain objects from the data base server.
Notes:
1. List retrievals from *USRLIBL are automatically allowed.
2. Data rights are enforced.
3. At Levels 3 and 4 users must be authorized to the server function.
4. At Level 4 the user must be authorized to the OBJECT/LIBRARY.
Database Server - Object information - 200 Description: Database Server - object information - 200 This server function is used for requests to retrieve additional information about certain objects from the data base server, such as primary and foreign key information.
Database Server - SQL Access

Description: Database Server - SQL access - 100; Database Server - SQL access - 200 (for V4R1 and above)
This server function is used when certain SQL requests are received for the data base server. The QIBM_QZDA_SQL2 exit point takes precedence over the QIBM_QZDA_SQL1 exit point. If a program is registered for the SQL2 exit point, it will be called, and a program for the SQL1 point will not be called.
Notes:
1. At Levels 3 and 4 users must be authorized to the server function.
2. At Level 4 the user must be authorized to the OBJECT/LIBRARY and the SQL statement. Data authority requirements are determined by the authorized SQL statements for the user.
3. Due to a restriction within IBM's OS/400 for versions prior to V4R1, OS/400 delivers SQL requests to SafeNet/400 with a limit of 512 characters in length.
Data Queue Server Description: Data Queue Server - 100 A data queue is a System i5 object that is used by System i5 application programs for communications. Applications can use data queues to pass data between jobs. Multiple System i5 jobs can send or receive data from a single data queue.
DHCP Address Binding Notify Description: DHCP Address Binding Notification - 100 This server assigns IP addresses to specific client hosts.
DHCP Address Release Notify

Description: DHCP Address Release Notification - 100
This server releases an IP address from its specific client host assignment binding.
Where used: Any device on a TCP/IP network whenever it requests an IP address from the System i5, when the System i5 is set to be the local network DHCP server
Server Identifier: *DHCPR
Format name: DHCR0100
Levels Supported: Basic
Limitations: None
Recommended Setting: Level 1, Log All
File Server Description: File Server - 100 The file server function allows clients to store and access information, such as files and programs, on the System i5 in various formats. This server replaces the shared folder type 2 server that was used prior to Version 3 Release 1. The OS/400 file server interfaces with the integrated file system on the System i5.
   Library or Folder   Object or Sub-Folder
   *ALLFLR             *ALL

To enter *ALLFLR/*ALL you must be signed on as QSECOFR. Proper Data Rights must be selected also.
3. At Level 4, to authorize a user for access to a non-IBM folder within the QDLS file system (shared folders), you must enter two records in the OBJECT/USER security file.

   Example 1: A user requires access to a folder called PERSONNEL within QDLS.
   Network Request: /QDLS/PERSONNEL
   Entries Required:

              Library or Folder   Object or Sub-Folder   Read
   Entry #1   QDLS                PERSONNEL              X
   Entry #2   PERSONNEL           *ALL                   X

   Example 2: You can add specific folder names in place of *ALL to further extend the directory path.
systems Qopensys, Qfilesys.400 and home, key in the first 10 positions of each file system name only.

   Example:
   Network Request: /Qfilesys.400/QSYS.LIB/PAYROLL.LIB/SALARY.FIL
   Entries Required:

              Library or Folder   Object or Sub-Folder   Read
   Entry #1   QFILESYS.4          QSYS.LIB               X
   Entry #2   QSYS.LIB            PAYROLL.LI             X
   Entry #3   PAYROLL.LI          SALARY.FIL             X

SafeNet/400 will convert all requests to uppercase, then check the first ten characters in each directory name for a match.
FTP Client Request Validation

Description: FTP Client Request Validation
This function is used whenever the System i5 is a client, issuing FTP commands to a remote system.
Where used: System i5 command lines; interactive and batch jobs can initiate an FTP client request
Server Identifier: *FTPClient
Format Name: VLRQ0100
Levels Supported: Basic (Level 1,2), Intermediate (Level 3), Advanced (Level 4)
Usage Notes/Limitations: At Level 3 or Level 4 you can implement IP address controls.
Using FTP Client:
• Sending an object to a remote system: An FTP PUT of object ABC in an FTP Client session requires *READ authority to object ABC on the local machine.
• Getting an object from a remote system: An FTP GET of object ABC in an FTP Client session requires *OBJMGT authority to object ABC on the local machine.

Using FTP Server:
• Sending an object to the local system: An FTP PUT of object ABC in an FTP Server session requires *OBJMGT authority to object ABC on the LOCAL machine.
FTP Logon Server Description: FTP Logon Server 1 - 100 This server is used any time the System i5 answers an FTP start request from another system or user.
FTP Logon Server

Description: FTP Logon Server 2 - 200
This server is used any time the System i5 answers an FTP start request from another system or user. It is available in OS/400 versions V4R2 and above.
Where used: Internets and Intranets; MS Windows; DOS; and most other operating systems
Server Identifier: *FTPLOGON2
Format Name: TCPL0200
Levels Supported: Basic, Intermediate
Limitations: None
Recommended Setting: Level 3, Log All
FTP Logon Server Description: FTP Logon Server 3 – 300 This server is used any time the System i5 answers an FTP start request from another system or user. It is available in OS/400 versions V5R1 or above.
FTP Server Request Validation

Description: FTP Server Request Validation
This function is used whenever the System i5 receives an FTP command it must act upon.
Where used: Internets and Intranets; MS Windows; and most other operating systems
Server Identifier: *FTPSERVER
Format Name: VLRQ0100
Levels Supported: Basic (Level 1,2), Intermediate (Level 3), Advanced (Level 4)
Limitations: None
Recommended Setting: Level 4, Log All
Notes:
1.
Network Print Server - Entry

Description: Network Print Server - entry - 100
This server function is used when the network print server is started.
Where used: iSeries Access for Windows
Server Identifier: QNPSERVR
Format Name: ENTR0100
Levels Supported: Basic (Levels 1,2), Intermediate (Level 3)
Limitations: None
Recommended Setting: Level 3, Log All
Notes:
1. At Level 3 users must be granted access to the server function.
2. Level 4 is not required or supported.
Network Printer Server - Spool File

Description: Network Print Server - spool file - 100
This server function is used after the network print server receives a request to process an existing spooled output file.
Where used: iSeries Access for Windows
Server Identifier: QNPSERVR
Format Name: SPLF0100
Levels Supported: Basic, Intermediate, Advanced
Limitations: Level 4 grants spool file management rights to the owner of the spool file only.
Pre-Power Down

Description: Pre-Power Down Server
This program is called whenever the PWRDWNSYS or ENDSYS command is issued.
Where used: Any interface, command line or program that can issue the PWRDWNSYS or ENDSYS command
Server Identifier: PWRDWN
Format Name: PWRD0100
Levels Supported: Basic (Level 1)
Limitations: None
Recommended Setting: Level 1
Notes:
1. To use the pre-power down program call, create a CL program called PWRDWNCL.
Remote Command and Distributed Program Call Server Description: Remote Command/Program Call - 100 The remote command and distributed program call server is provided to allow client users and applications to issue System i5 CL commands and call programs.
REXEC Logon Server Description: REXEC Logon Server 1 - 100 This server is used to validate a client request to start the REXEC Server. It is available in all versions of OS/400.
REXEC Logon Server Description: REXEC Logon Server 2 - 200 This server is used to validate a client request to start the REXEC Server. It is available in OS/400 versions V5R1 and above.
REXEC Request Validation Server Description: REXEC Request Validation Server This server is initiated whenever a client issues a REX statement to the System i5.
ShowCase Strategy** Validation Server Description: Showcase Strategy Validation Server This server is initiated by a client utilizing the Showcase Strategy** product with the proper exit point added to OS/400. Please follow the instructions from Showcase to properly register the ShowCase Exit Program. You MAY have to use the ADDEXITPGM command to add the exit point for ShowCase to your System i5 Server.
TCP Signon Server

Description: TCP Signon Server - 100
The signon server provides security for clients that use TCP/IP communications support. This security function prevents access to the System i5 for users with expired passwords, or allows entry to only specific users.
Where used: iSeries Access for Windows
Server Identifier: *SIGNON
Format Name: ZSOY0100
Levels Supported: Basic (Level 1,2), Intermediate (Level 3)
Limitations: None
Recommended Setting: Level 1, Log All
Notes:
1.
TELNET Device Initialization / TELNET Device Termination

Description: TELNET Device Initialization - *TELNETON; TELNET Device Termination - *TELNETOFF
The TELNET servers provide for security when using TCP/IP and TELNET clients. This point allows restriction by IP address and password type. Auto-signon can also be configured. TELNET Device Termination allows for session logging and device management upon session termination. *TELNETOFF is dependent upon the setting of *TELNETON.
TFTP Server Request Validation

Description: TFTP Server Request Validation
Clients utilizing TFTP (Trivial File Transfer Protocol), such as the IBM Net Station, use this server.
Where used: IBM Net Station Boot
Server Identifier: *TFTPSRVR
Format name: VLRQ0100
Levels Supported: Basic (Levels 1,2), Intermediate (Level 3)
Limitations: None
Recommended Setting: Level 3, Log All
User Profile Servers

Description: Add User Profile; Change User Profile; Delete User Profile; Restore User Profile
These servers are called each time a user profile command is issued.
Where used: Any interface or command line that can issue a user profile associated OS/400 command
Server Identifier   Format
*CHGPRF             CHGP0100
*CRTPRF             CRTP0100
*DLTPRFA            DLTP0100
*DLTPRFB            DLTP0200
*RSTPRF             RSTP0100
Levels Supported: Basic (Level 1)
Limitations: None
Recommended Setting: Level 1, Log All
Notes:
1.
INDEX

A
Administrator ............................ 1.3
Alert notification ...................... 11.4, 11.5, 11.11
Anonymous ............................... 4.1, 4.2, 4.3, 4.4
Anonymous FTP ........................... 4.5
Authorities
  User to CL commands ...................

I
IP addresses ............................ 5.6

L

S
Security Levels ......................... 1.5
Setting logging levels .................. 1.2
Setting up .............................. 1.1

U
User Profiles
  *PUBLIC ............................... 1.5, 1.7, 1.10, 1.11, 1.12, 1.14, 1.17, 1.19
  Group ................................. 1.1
  Swapping .............................. 10.10, 11.6, 11.7
Users
  Copying ...............................