Standardized security setup across multiple systems


Rich Loeber
01.13.2004


Nothing supports the popularity of the iSeries-AS/400 machine as much as the number of customers with multiple systems installed. For security officers, that can easily mean a lot of extra work keeping each system configured and set up in line with company security policies.

While this can be a complex task, IBM has for quite a while now provided a little-known capability in OS/400 that can help you enforce standard security configuration rules across separate systems: the CFGSYSSEC (Configure System Security) command. This command, which has no parameters, calls a CL program named QSECCFGS in the QSYS library. This program sets about 25 security-related system values to standard settings recommended by IBM.

The good news for the security officer with multiple systems to control is that this CL program can be changed to meet your unique setup requirements. The base program as shipped with OS/400 can be retrieved and then modified for your unique needs (not unlike the way the system startup program QSTRUPPGM works).

To retrieve the CL program, just run the following command on your system:

This will place a source member in your QCLSRC source physical file named QSECCFGS. To be on the safe side, you should probably rename this, and, when you recompile it, place the new compiled program into QUSRSYS. Once that is done, just change the OS/400 CFGSYSSEC command to run the modified program from QUSRSYS with the following command:

When you review the retrieved CL program source, you will see some housekeeping early in the program, followed by a program tag named SKIPUIM:. From this point forward you can review the settings the program imposes to see how IBM recommends your security be set up, and make the changes that will implement standard security settings for your own requirements.

To implement the standard security setup across your multiple system environment, simply install your custom setup program on each system in your network and modify the CFGSYSSEC command on each system to call your modified program in place of the IBM default program. To guard against possible changes being made to the setup, you can even add this to your automatic schedule to run on a weekly or even daily basis to keep these settings enforced.

The retrieved CL program is a little tough to read, but perseverance will prevail. I have taken the program from my V4R5 test machine here and updated it with comments to make it easier to see what is going on. If you'd like a copy of this annotated version of the CL program, just drop me a line at "rich@kisco.com" and I'll send you a copy of the source code.
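The retrieve, rename, recompile, repoint and schedule steps described above, written out as CL commands. This is an added example, not the author's original listing; the source library QGPL, the program and member name MYSECCFG, the job schedule entry name SECCFG and the weekly Sunday 02:00 schedule are assumptions.

```cl
/* Added example. QGPL, MYSECCFG and SECCFG are assumed names.      */

/* 1. Retrieve the shipped CL source into a source member.          */
RTVCLSRC   PGM(QSYS/QSECCFGS) SRCFILE(QGPL/QCLSRC) SRCMBR(QSECCFGS)

/* 2. Rename the member so the shipped name is not reused.          */
RNMM       FILE(QGPL/QCLSRC) MBR(QSECCFGS) NEWMBR(MYSECCFG)

/* 3. Edit the settings that follow the SKIPUIM: tag, then compile  */
/*    the modified program into QUSRSYS.                            */
CRTCLPGM   PGM(QUSRSYS/MYSECCFG) SRCFILE(QGPL/QCLSRC) SRCMBR(MYSECCFG)

/* 4. Point CFGSYSSEC at the modified program. Repeat steps 3 and 4 */
/*    on every system that should carry the same policy.            */
CHGCMD     CMD(QSYS/CFGSYSSEC) PGM(QUSRSYS/MYSECCFG)

/* 5. Re-apply the settings weekly so drift is corrected. Submit    */
/*    this under a profile that is authorized to run CFGSYSSEC.     */
ADDJOBSCDE JOB(SECCFG) CMD(CFGSYSSEC) FRQ(*WEEKLY) +
             SCDDATE(*NONE) SCDDAY(*SUN) SCDTIME(0200)

/* 6. Verify: confirm which program the command now calls, then     */
/*    print the security system values for comparison across        */
/*    systems.                                                      */
DSPCMD     CMD(QSYS/CFGSYSSEC)
PRTSYSSECA
```

An operating system release upgrade reinstalls the commands in QSYS, so check the DSPCMD output after each upgrade and repeat the CHGCMD step if the command points back at the shipped program.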


About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the AS/400 market.

==================================
MORE INFORMATION ON THIS TOPIC
==================================

Secure your iSeries
The iSeries is one of the most secure systems, but there are still ways for data to be compromised -- network holes and users with too much authority, for example. The information in this Search400 Featured Topic helps you close up any gaps you may have.

Error message after OS/400 upgrade
One user writes, "After installing the OS/400 upgrade from V4R5 to V5R1 I'm getting the message: User quser not authorized to object qtemp/zrcrpcspc type *usrspv. This message is on our audit log. I'd like to know how to stop it." Search400.com security expert Carol Woodbury offers some advice.

Unique user profiles critical to OS/400 security
Auditing success requires that you are able to identify system actions and accesses down to the individual object and user level, and OS/400 is very successful at tracking system activity and maintaining the proper audit trail for both users and objects. The level of success for gathering and reporting this information depends greatly on whether the user data or user naming convention bears meaning. If user profiles are not traceable to a specific individual because they are, then it's going to be more difficult to get the required information.

Consolidating several clients on a single iSeries
One Search400.com member writes, "We have an administration system that is outsourced with a vendor. Currently, it is hosted on its own iSeries, which is connected to our network. We have 5250, FTP and ODBC access. Our vendor is looking to consolidate several clients on a single machine. He has indicated that he will achieve this by putting each client into a separate subsystem. From an application and network perspective, would this approach provide adequate security and privacy? If not, what would you recommend?" Site expert Carol Woodbury was on hand to help him out.

