81 lines
5.9 KiB
HTML
81 lines
5.9 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE html
|
||
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
<html lang="en-us" xml:lang="en-us">
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
<meta name="security" content="public" />
|
||
|
<meta name="Robots" content="index,follow" />
|
||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
<meta name="DC.Type" content="concept" />
|
||
|
<meta name="DC.Title" content="Application server security in a TCP/IP network" />
|
||
|
<meta name="abstract" content="The TCP/IP server has a default security of user ID with clear-text password. This means that, as the server is installed, inbound TCP/IP connection requests must have at least a clear-text password accompanying the user ID under which the server job is to run." />
|
||
|
<meta name="description" content="The TCP/IP server has a default security of user ID with clear-text password. This means that, as the server is installed, inbound TCP/IP connection requests must have at least a clear-text password accompanying the user ID under which the server job is to run." />
|
||
|
<meta name="DC.subject" content="password, encrypted, Kerberos, Diffie-Hellman, encryption" />
|
||
|
<meta name="keywords" content="password, encrypted, Kerberos, Diffie-Hellman, encryption" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rbae5elementtcpip.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="../rzalv/rzalvmst.htm" />
|
||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 1999, 2006" />
|
||
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1999, 2006" />
|
||
|
<meta name="DC.Format" content="XHTML" />
|
||
|
<meta name="DC.Identifier" content="rbae5targetsecurity" />
|
||
|
<meta name="DC.Language" content="en-us" />
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
||
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
||
|
<title>Application server security in a TCP/IP network</title>
|
||
|
</head>
|
||
|
<body id="rbae5targetsecurity"><a name="rbae5targetsecurity"><!-- --></a>
|
||
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
||
|
<h1 class="topictitle1">Application server security in a TCP/IP network</h1>
|
||
|
<div><p>The TCP/IP server has a default security of user ID with clear-text
|
||
|
password. This means that, as the server is installed, inbound TCP/IP connection
|
||
|
requests must have at least a clear-text password accompanying the user ID
|
||
|
under which the server job is to run.</p>
|
||
|
<p>The security can either be changed with the <span class="cmdname">Change DDM TCP/IP
|
||
|
Attributes (CHGDDMTCPA)</span> command or under the <span class="menucascade"><span class="uicontrol">Network</span> > <span class="uicontrol">Servers</span> > <span class="uicontrol">TCP/IP</span> > <span class="uicontrol">DDM
|
||
|
server properties</span></span></p>
|
||
|
<p> in <span class="keyword">iSeries™ Navigator</span>. You must
|
||
|
have *IOSYSCFG special authority to change this setting.</p>
|
||
|
<p>There are two settings that can be used for lower server security:</p>
|
||
|
<ul><li>PWDRQD (*NO) <p>Password is not required.</p>
|
||
|
</li>
|
||
|
<li>PWDRQD(*VLDONLY) <p>Password is not required, but must be valid if sent.</p>
|
||
|
</li>
|
||
|
</ul>
|
||
|
<p>The difference between *NO and *VLDONLY is that if a password is sent from
|
||
|
a client system, it is ignored in the *NO option. In the *VLDONLY option,
|
||
|
however, if a password is sent, the password is validated for the accompanying
|
||
|
user ID, and access is denied if incorrect.</p>
|
||
|
<p>Encrypted password required or PWDRQD(*ENCRYPTED) and Kerberos or PWDRQD(*KERBEROS)
|
||
|
can be used for higher security levels. If Kerberos is used, user profiles
|
||
|
must be mapped to Kerberos principles using Enterprise Identity Mapping (EIM). </p>
|
||
|
<p>The following example shows the use of the <span class="cmdname">Change DDM TCP/IP Attributes
|
||
|
(CHGDDMTCPA)</span> command to specify that an encrypted password must
|
||
|
accompany the user ID. To set this option, enter:</p>
|
||
|
<p><samp class="codeph">CHGDDMTCPA PWDRQD(*ENCRYPTED)</samp></p>
|
||
|
<div class="p"> <div class="note"><span class="notetitle">Note:</span> The DDM/DRDA TCP/IP server was enhanced in V4R4 to support a form
|
||
|
of password encryption called password substitution. In V4R5, a more widely-used
|
||
|
password encryption technique, referred to as the Diffie-Hellman public key
|
||
|
algorithm was implemented. This is the DRDA<sup>®</sup> standard algorithm and is used by
|
||
|
the most recently released IBM<sup>®</sup> DRDA application requestors. The older password substitute
|
||
|
algorithm is used primarily for DDM file access from PC clients. In V5R1 a
|
||
|
'strong' password substitute algorithm was also supported. The client and
|
||
|
server negotiate the security mechanism that will be used, and any of the
|
||
|
three encryption methods will satisfy the requirement of PWDRQD(*ENCRYPTED),
|
||
|
as does the use of Secure Sockets Layer (SSL) datastreams.</div>
|
||
|
</div>
|
||
|
</div>
|
||
|
<div>
|
||
|
<div class="familylinks">
|
||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rbae5elementtcpip.htm" title="DDM and DRDA over native TCP/IP does not use i5/OS communications security services and concepts such as communications devices, modes, secure location attributes, and conversation security levels which are associated with Advanced Program-to-Program Communication (APPC). Therefore, security setup for TCP/IP is quite different.">Elements of security in a TCP/IP network</a></div>
|
||
|
</div>
|
||
|
<div class="relconcepts"><strong>Related concepts</strong><br />
|
||
|
<div><a href="../rzalv/rzalvmst.htm">Enterprise Identity Mapping (EIM)</a></div>
|
||
|
</div>
|
||
|
</div>
|
||
|
</body>
|
||
|
</html>
|