Your iSeries-AS/400 has a long tradition of boasting about tight security, but is that really true for your installation?
Your very first and probably most basic decision about security on your system is found in the setting for the QSECURITY system value. You can see your current security level setting by running the "Display Security Attributes" (DSPSECA) command. The last item on the display will be your current QSECURITY level setting.
OS/400 supports five settings from the value '10' through '50'. On more recent versions of OS/400, level '10' has been thankfully retired and is no longer available. Here, in summary form, is what you get at each level:
Level Security Attributes
* 10 -- No security at all. Anyone can sign on to a terminal session, and no passwords are required. (Is it any wonder that this level has been retired?)
* 20 -- Signon password security. Once logged on, all users have access to all objects on the system. This was, at one time, the default setting when your system was shipped from the factory.
* 30 -- Adds object authority to the above. This level requires some object level access planning and implementation.
* 40 -- Adds integrity protection features to the above. This is now the default setting shipped from the factory. At this level, the system enforces the user domain as separate from the system domain. Program requests that cross this border using unapproved interfaces are disallowed.
* 50 -- Adds additional integrity protection features and is intended to meet the U.S. Department of Defense "C2" security requirements. In addition to level 40 controls, certain user objects are restricted, certain messaging options are controlled and modifications to internal control blocks are restricted, as are changes to the way the QTEMP library is processed.
If you are installing a new iSeries-AS/400 system, your options are wide open and you should choose the highest setting that will work for you. Using the recommended level of 40 that comes from the factory is an excellent starting point. Before you settle on this level, however, you should check with any third-party software companies whose software you will be using to make sure that their software will run OK at level 40. Some older OS/400 products "misbehave" by using older, now illegal, hooks into OS/400.
Level 30 can be used if you have software conflicts that prevent you from implementing level 40. You should plan how to implement object access controls, starting with controlling access to libraries and then moving down. Maintenance of object level access controls can be greatly simplified through judicious use of OS/400 Group Profiles. You can break up your user community into logical groupings, create a group profile for each set and then implement your access controls on the group profiles rather than coding controls for each individual user profile. Care should be taken when dealing with the special group profile *PUBLIC as this can easily overrule your best planning efforts.
Level 20 should not be used in normal situations, and level 50 should be used only when you have the specific requirements called for by the C2 standard.So what do you do if you're in charge of a legacy system that is set to level 20 or 30 and you're sure that you need better controls?
Moving from level 30 and higher is fairly easy and just requires that you make the change to the system value and perform an IPL. If you are uncertain about your third-party software, you can activate audit logging for a few weeks before you make the change and then review the logs to see if there are any potential problems at level 40 or 50.
If you are at level 20, the move to level 30 can be overwhelming. This is an issue for many legacy systems. Those systems previously relied on application security and menu controls as their primary safeguards. With the implementation of network server access, this is a security weakness for these systems. If your concern is due to network connections to your system, you might want to consider implementing a third party network security solution. Those products can give you immediate control over network connections to your system without impairing your ability to service your user community.
You can find more information about this topic in the OS/400 manual "Security -- Reference" -- SC41-5302.
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.
- How secure is your iSeries?
The iSeries is one of the most secure systems, but there are still ways for data to be compromised -- network holes and users with too much authority, for example. The information here will help you close up any gaps you may have.
- How to get to level 40 security
Security expert Carol Woodbury describes the benefits of level 40 and level 50 security.
- Best Web Links on Security for the iSeries
Our editors have scoured the Web for the best links on security. So click over to browse our collection of pre-screened resources gathered just for you.