In my last tip, I scratched the surface of the issue of network access to the iSeries by taking a quick look at the network attribute called Job Action (JOBACN). In this tip, we'll take a look at two more network attributes that give you additional control over this sensitive security area.
As mentioned the last time, there are some simple network attribute settings you can use to implement controls. You can view the network attribute settings on your system using the Display Network Attributes (DSPNETA) command and make changes using the Change Network Attributes (CHGNETA) command. These are the two additional network attributes I'll be addressing:
Client Request Access (PCSACC)
DDM Request Access (DDMACC)
The PCSACC parameter, which has its roots in PC/Support (the early version of Client Access/iSeries Access), controls how requests from PC clients reach objects on your system. It has no bearing on the 5250 workstation emulator, which signs on like any interactive terminal; it applies only to the object-access functions of iSeries Access (file transfer, database access and the like).
The possible values for PCSACC are as follows:
- *REJECT -- all object requests from PC clients are rejected, regardless of what they are
- *OBJAUT -- only normal OS/400 object authority is checked (the default setting)
- *REGFAC -- the system uses the registration facility (WRKREGINF): for each request, the server involved looks for an exit program registered at its exit point and calls it to allow or reject the request
- library/program name -- the named program is called for each request and returns whether it is allowed (the original PC Support exit interface)
If you just don't want anyone to have object access from a PC, change this parameter to the *REJECT setting. In this day and age of platform integration, this often will not work for you, so you'll have to explore the other options. On the surface, *OBJAUT sounds like a good choice, and for many shops it will work nicely. However, it means that any user profile with object authority to process and/or update files through an interactive application has exactly the same access to those files from the PC side, with none of the application's edits, menus or audit trail in the way. And that may not be ideal for maximum security.
Using a program name or the registration facility (*REGFAC) is the best method, because it puts an exit program of your choosing in the path of every request. But implementing exit point processing is a daunting challenge and too much for a simple tip article. I recommend that rather than creating your own exit programs, you consider purchasing one of the many good third-party products that are available in today's market. (Editor's note: Vendors that sell exit programs include Bsafe Information Systems, Kisco Information Systems, NetIQ, PowerTech, and Safestone.)
The DDM Request Access setting controls how the system handles requests from remote systems for data using the Distributed Data Management (DDM) functions, including DRDA database requests. These can come from PCs or from other DDM-compatible platforms such as other iSeries systems or even mainframes.
The possible values for DDMACC are the same as those for PCSACC, minus *REGFAC: *REJECT, *OBJAUT (the default) and a library/program name. The same advice applies as for PCSACC. Because DDM has no registration facility exit point, the program name option is the only "exit point" available to control DDM access; if nothing on your system uses DDM, *REJECT is the simplest safe choice.
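The checks described above for both attributes, as an added CL example that is not part of the original tip or of any vendor's product: the program reads PCSACC and DDMACC with RTVNETA (the same values DSPNETA shows) and reports which one still relies on object authority alone or needs its exit registrations verified, and the comment at the end lists the CHGNETA and ADDEXITPGM commands used to change them. The library SECLIB and the program names AUDNETA, PCEXIT and DDMEXIT are hypothetical names chosen for illustration.

```cl
/* AUDNETA - added example, not from the original article or its vendor.   */
/* Reads the two network attributes and reports the ones that give no      */
/* exit-program control. Compile with CRTCLPGM, run with CALL AUDNETA.     */
/* SECLIB, PCEXIT and DDMEXIT are hypothetical names used for illustration.*/
PGM
  DCL VAR(&PCSACC) TYPE(*CHAR) LEN(20) /* *value, or program(1-10)+library(11-20) */
  DCL VAR(&DDMACC) TYPE(*CHAR) LEN(20)
  DCL VAR(&MSG)    TYPE(*CHAR) LEN(132)

  /* Same values DSPNETA displays, returned into CL variables */
  RTVNETA PCSACC(&PCSACC) DDMACC(&DDMACC)

  /* PCSACC: *OBJAUT means every file a profile is authorized to is reachable */
  /* from a PC with none of the application's controls in the way           */
  IF COND(%SST(&PCSACC 1 7) *EQ '*OBJAUT') THEN(DO)
     CHGVAR VAR(&MSG) VALUE('PCSACC=*OBJAUT: PC requests are limited only +
                             by object authority, no exit program runs')
     SNDPGMMSG MSG(&MSG) MSGTYPE(*DIAG)
  ENDDO
  /* *REGFAC by itself adds nothing until programs are actually registered */
  IF COND(%SST(&PCSACC 1 7) *EQ '*REGFAC') THEN(DO)
     CHGVAR VAR(&MSG) VALUE('PCSACC=*REGFAC: confirm with WRKREGINF that +
                             programs are registered at each server exit point')
     SNDPGMMSG MSG(&MSG) MSGTYPE(*DIAG)
  ENDDO
  /* Anything not starting with * is a named exit program: show where it is */
  IF COND(%SST(&PCSACC 1 1) *NE '*') THEN(DO)
     CHGVAR VAR(&MSG) VALUE('PCSACC exit program:' *BCAT %SST(&PCSACC 1 10) +
                            *BCAT 'in library' *BCAT %SST(&PCSACC 11 10))
     SNDPGMMSG MSG(&MSG) MSGTYPE(*DIAG)
  ENDDO

  /* DDMACC: no registration facility exists, so a program name is the only hook */
  IF COND(%SST(&DDMACC 1 7) *EQ '*OBJAUT') THEN(DO)
     CHGVAR VAR(&MSG) VALUE('DDMACC=*OBJAUT: remote DDM/DRDA requests are +
                             limited only by object authority')
     SNDPGMMSG MSG(&MSG) MSGTYPE(*DIAG)
  ENDDO
  IF COND(%SST(&DDMACC 1 7) *EQ '*REJECT') THEN(DO)
     CHGVAR VAR(&MSG) VALUE('DDMACC=*REJECT: all remote DDM/DRDA requests +
                             are refused')
     SNDPGMMSG MSG(&MSG) MSGTYPE(*DIAG)
  ENDDO
  IF COND(%SST(&DDMACC 1 1) *NE '*') THEN(DO)
     CHGVAR VAR(&MSG) VALUE('DDMACC exit program:' *BCAT %SST(&DDMACC 1 10) +
                            *BCAT 'in library' *BCAT %SST(&DDMACC 11 10))
     SNDPGMMSG MSG(&MSG) MSGTYPE(*DIAG)
  ENDDO
ENDPGM

/* Commands to change the attributes, typed at a command line:             */
/*   CHGNETA PCSACC(*REGFAC)                                               */
/*   ADDEXITPGM EXITPNT(QIBM_QPWFS_FILE_SERV) FORMAT(PWFS0100) PGMNBR(1)   */
/*              PGM(SECLIB/PCEXIT)    - repeat for each server exit point  */
/*   CHGNETA DDMACC(SECLIB/DDMEXIT)   - or DDMACC(*REJECT) if DDM is unused */
```

Two points the program's messages are meant to surface: *REGFAC makes each host server (file server, database server, remote command server and so on) consult its own exit point, so a program has to be registered at every exit point you want controlled, and WRKREGINF is where you verify that; and a named DDMACC program is the only exit available for DDM, so if the check shows *OBJAUT there and nothing on the box uses DDM, *REJECT closes that path outright.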
If you have specific questions about this topic, e-mail me at firstname.lastname@example.org. All e-mail messages will be answered.
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.