ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamv_5.4.0.1/rzamvtcpdialin.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Secure dial-in SLIP connections" />
<meta name="abstract" content="Before someone can establish a dial-in connection to your system with SLIP, you must start a SLIP *ANS configuration profile." />
<meta name="description" content="Before someone can establish a dial-in connection to your system with SLIP, you must start a SLIP *ANS configuration profile." />
<meta name="DC.Relation" scheme="URI" content="rzamvtcpslip.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="tcpdialin" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Secure dial-in SLIP connections</title>
</head>
<body id="tcpdialin"><a name="tcpdialin"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Secure dial-in SLIP connections</h1>
<div><p>Before someone can establish a dial-in connection to your system
with SLIP, you must start a SLIP *ANS configuration profile.</p>
<div class="p">To create or change a SLIP configuration profile, you use the Work
with TCP/IP Point-to-Point (WRKTCPPTP) command. To start a configuration profile,
you use either the Start TCP/IP Point-to-Point (STRTCPPTP) command or an option
from the WRKTCPPTP display. When your system ships, the public authority for
the STRTCPPTP and ENDTCPPTP commands are *EXCLUDE. The options to add, change,
and delete SLIP configuration profiles are available only if you have *IOSYSCFG
special authority. As security administrator, you can use both command authority
and special authority determine who can set up your system to allow dial-in
connections.</div>
<div class="section">If you want to validate systems that dial in to your system, then
you want the requesting system to send a user ID and a password. Your system
can then verify the user ID and password. If the user ID and password are
not valid, your system can reject the session request. To set up dial-in validation,
do the following:</div>
<ol><li><span>Create a user profile that the requesting system can use to establish
the connection. The user ID and password that the requester sends must match
this user profile name and password. <strong>Note:</strong> For the system to perform
password validation, the QSECURITY system value must be set to 20 or higher.
As additional protection, you probably want to create user profiles specifically
for establishing SLIP connections. The user profiles should have limited authority
on the system. If you do not plan to use the profiles for any function except
establishing SLIP connections, you can set the following values in the user
profiles:<span class="option">An initial menu (INLMNU) of *SIGNOFF</span>, <span class="option">An
initial program (INLPGM) of *NONE</span>, and <span class="option">Limit capabilities
(LMTCPB) of *YES.</span> These values prevent anyone from signing on interactively
with the user profile.</span></li>
<li><span>Create an authorization list for the system to check when a requester
tries to establish a SLIP connection. <strong>Note:</strong> You specify this authorization
list in the System access authorization list field when you create or change
the SLIP profile.</span></li>
<li><span>Use the Add Authorization Entry (ADDAUTLE) command to add the user
profile that you created in step 1 to the authorization list. You can create
a unique authorization list for each point-to-point configuration profile,
or you can create an authorization list that several configuration profiles
share.</span></li>
<li><span>Use the WRKTCPPTP command to set up a TCP/IP point-to-point *ANS
profile that has the following characteristics:</span><ol type="a"><li><span>The configuration profile must use a connection dialog script
that includes the user-validation function. User validation includes accepting
a user ID and password from the requester and validating them. The system
ships with several sample dialog scripts that provide this function.</span></li>
<li><span>The configuration profile must specify the name of the authorization
list that you created in step 2. The user ID that the connection dialog script
receives must be in the authorization list.</span></li>
</ol>
</li>
</ol>
<div class="section"><p>Keep in mind that the value of setting up dial-in security is
affected by the security practices and capabilities of the systems that dial
in. If you require a user ID and password, then the connection dialog script
on the requesting system must send that user ID and password. Some systems,
such as iSeries™ servers,
provide a secure method for storing the user IDs and passwords. Other
systems store the user ID and password in the script which might be accessible
to anyone who knows where to find the script on the system.</p>
<p>Because
of the differing security practices and capabilities of your communications
partners, you might want to create different configuration profiles for different
requesting environments. You use STRTCPPTP command to set your system up to
accept a session for a specific configuration profile. You can start sessions
for some configuration profiles only at certain times of the day, for example.
You might use security auditing to log the activity for the associated user
profiles.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvtcpslip.htm" title="TCP/IP support includes Serial Interface Line Protocol (SLIP).">Security considerations for using SLIP</a></div>
</div>
</div>
</body>
</html>
Add readme and dist folders 2024-04-02 14:02:31 +00:00			`<?xml version="1.0" encoding="UTF-8"?>`
			`<!DOCTYPE html`
			`PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">`
			`<html lang="en-us" xml:lang="en-us">`
			`<head>`
			`<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />`
			`<meta name="security" content="public" />`
			`<meta name="Robots" content="index,follow" />`
			`<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />`
			`<meta name="DC.Type" content="task" />`
			`<meta name="DC.Title" content="Secure dial-in SLIP connections" />`
			`<meta name="abstract" content="Before someone can establish a dial-in connection to your system with SLIP, you must start a SLIP *ANS configuration profile." />`
			`<meta name="description" content="Before someone can establish a dial-in connection to your system with SLIP, you must start a SLIP *ANS configuration profile." />`
			`<meta name="DC.Relation" scheme="URI" content="rzamvtcpslip.htm" />`
			`<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />`
			`<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />`
			`<meta name="DC.Format" content="XHTML" />`
			`<meta name="DC.Identifier" content="tcpdialin" />`
			`<meta name="DC.Language" content="en-us" />`
			`<!-- All rights reserved. Licensed Materials Property of IBM -->`
			`<!-- US Government Users Restricted Rights -->`
			`<!-- Use, duplication or disclosure restricted by -->`
			`<!-- GSA ADP Schedule Contract with IBM Corp. -->`
			`<link rel="stylesheet" type="text/css" href="./ibmdita.css" />`
			`<link rel="stylesheet" type="text/css" href="./ic.css" />`
			`<title>Secure dial-in SLIP connections</title>`
			`</head>`
			`<body id="tcpdialin"><a name="tcpdialin"><!-- --></a>`
			`<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>`
			`<h1 class="topictitle1">Secure dial-in SLIP connections</h1>`
			`<div><p>Before someone can establish a dial-in connection to your system`
			`with SLIP, you must start a SLIP *ANS configuration profile.</p>`
			`<div class="p">To create or change a SLIP configuration profile, you use the Work`
			`with TCP/IP Point-to-Point (WRKTCPPTP) command. To start a configuration profile,`
			`you use either the Start TCP/IP Point-to-Point (STRTCPPTP) command or an option`
			`from the WRKTCPPTP display. When your system ships, the public authority for`
			`the STRTCPPTP and ENDTCPPTP commands are *EXCLUDE. The options to add, change,`
			`and delete SLIP configuration profiles are available only if you have *IOSYSCFG`
			`special authority. As security administrator, you can use both command authority`
			`and special authority determine who can set up your system to allow dial-in`
			`connections.</div>`
			`<div class="section">If you want to validate systems that dial in to your system, then`
			`you want the requesting system to send a user ID and a password. Your system`
			`can then verify the user ID and password. If the user ID and password are`
			`not valid, your system can reject the session request. To set up dial-in validation,`
			`do the following:</div>`
			`<ol><li><span>Create a user profile that the requesting system can use to establish`
			`the connection. The user ID and password that the requester sends must match`
			`this user profile name and password. <strong>Note:</strong> For the system to perform`
			`password validation, the QSECURITY system value must be set to 20 or higher.`
			`As additional protection, you probably want to create user profiles specifically`
			`for establishing SLIP connections. The user profiles should have limited authority`
			`on the system. If you do not plan to use the profiles for any function except`
			`establishing SLIP connections, you can set the following values in the user`
			`profiles:<span class="option">An initial menu (INLMNU) of *SIGNOFF</span>, <span class="option">An`
			`initial program (INLPGM) of *NONE</span>, and <span class="option">Limit capabilities`
			`(LMTCPB) of *YES.</span> These values prevent anyone from signing on interactively`
			`with the user profile.</span></li>`
			`<li><span>Create an authorization list for the system to check when a requester`
			`tries to establish a SLIP connection. <strong>Note:</strong> You specify this authorization`
			`list in the System access authorization list field when you create or change`
			`the SLIP profile.</span></li>`
			`<li><span>Use the Add Authorization Entry (ADDAUTLE) command to add the user`
			`profile that you created in step 1 to the authorization list. You can create`
			`a unique authorization list for each point-to-point configuration profile,`
			`or you can create an authorization list that several configuration profiles`
			`share.</span></li>`
			`<li><span>Use the WRKTCPPTP command to set up a TCP/IP point-to-point *ANS`
			`profile that has the following characteristics:</span><ol type="a"><li><span>The configuration profile must use a connection dialog script`
			`that includes the user-validation function. User validation includes accepting`
			`a user ID and password from the requester and validating them. The system`
			`ships with several sample dialog scripts that provide this function.</span></li>`
			`<li><span>The configuration profile must specify the name of the authorization`
			`list that you created in step 2. The user ID that the connection dialog script`
			`receives must be in the authorization list.</span></li>`
			`</ol>`
			`</li>`
			`</ol>`
			`<div class="section"><p>Keep in mind that the value of setting up dial-in security is`
			`affected by the security practices and capabilities of the systems that dial`
			`in. If you require a user ID and password, then the connection dialog script`
			`on the requesting system must send that user ID and password. Some systems,`
			`such as iSeries™ servers,`
			`provide a secure method for storing the user IDs and passwords. Other`
			`systems store the user ID and password in the script which might be accessible`
			`to anyone who knows where to find the script on the system.</p>`
			`<p>Because`
			`of the differing security practices and capabilities of your communications`
			`partners, you might want to create different configuration profiles for different`
			`requesting environments. You use STRTCPPTP command to set your system up to`
			`accept a session for a specific configuration profile. You can start sessions`
			`for some configuration profiles only at certain times of the day, for example.`
			`You might use security auditing to log the activity for the associated user`
			`profiles.</p>`
			`</div>`
			`</div>`
			`<div>`
			`<div class="familylinks">`
			`<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvtcpslip.htm" title="TCP/IP support includes Serial Interface Line Protocol (SLIP).">Security considerations for using SLIP</a></div>`
			`</div>`
			`</div>`
			`</body>`
			`</html>`