Before someone can establish a dial-in connection to your system
with SLIP, you must start a SLIP *ANS configuration profile.
To create or change a SLIP configuration profile, you use the Work
with TCP/IP Point-to-Point (WRKTCPPTP) command. To start a configuration profile,
you use either the Start TCP/IP Point-to-Point (STRTCPPTP) command or an option
from the WRKTCPPTP display. When your system ships, the public authority for
the STRTCPPTP and ENDTCPPTP commands is *EXCLUDE. The options to add, change,
and delete SLIP configuration profiles are available only if you have *IOSYSCFG
special authority. As security administrator, you can use both command authority
and special authority to determine who can set up your system to allow dial-in
connections.
If you want to validate systems that dial in to your system, then
you want the requesting system to send a user ID and a password. Your system
can then verify the user ID and password. If the user ID and password are
not valid, your system can reject the session request. To set up dial-in validation,
do the following:
1. Create a user profile that the requesting system can use to establish
the connection. The user ID and password that the requester sends must match
this user profile name and password. Note: For the system to perform
password validation, the QSECURITY system value must be set to 20 or higher.
As additional protection, you probably want to create user profiles specifically
for establishing SLIP connections. The user profiles should have limited authority
on the system. If you do not plan to use the profiles for any function except
establishing SLIP connections, you can set the following values in the user
profiles: an initial menu (INLMNU) of *SIGNOFF, an
initial program (INLPGM) of *NONE, and limit capabilities
(LMTCPB) of *YES. These values prevent anyone from signing on interactively
with the user profile.
2. Create an authorization list for the system to check when a requester
tries to establish a SLIP connection. Note: You specify this authorization
list in the System access authorization list field when you create or change
the SLIP profile.
3. Use the Add Authorization Entry (ADDAUTLE) command to add the user
profile that you created in step 1 to the authorization list. You can create
a unique authorization list for each point-to-point configuration profile,
or you can create an authorization list that several configuration profiles
share.
4. Use the WRKTCPPTP command to set up a TCP/IP point-to-point *ANS
profile that has the following characteristics:
   - The configuration profile must use a connection dialog script
that includes the user-validation function. User validation includes accepting
a user ID and password from the requester and validating them. The system
ships with several sample dialog scripts that provide this function.
   - The configuration profile must specify the name of the authorization
list that you created in step 2. The user ID that the connection dialog script
receives must be in the authorization list.
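Steps 1 through 3 above, written out as CL commands. This is an added example, not text from the original page: the profile name SLIPUSR01, the list name SLIPAUTL, the password and the AUT(*USE) entry authority are placeholder choices, and step 4 is omitted because WRKTCPPTP is an interactive display.

```cl
/* Added example: CL for steps 1 through 3 of the dial-in validation    */
/* setup. SLIPUSR01, SLIPAUTL and the password are placeholder values.  */

/* Confirm that password validation is in effect (QSECURITY 20 or higher). */
DSPSYSVAL SYSVAL(QSECURITY)

/* Step 1: a user profile used only to establish the SLIP connection.   */
/* INLMNU(*SIGNOFF), INLPGM(*NONE) and LMTCPB(*YES) stop the profile    */
/* from being used for an interactive sign-on; SPCAUT(*NONE) gives it   */
/* no special authority.                                                */
CRTUSRPRF USRPRF(SLIPUSR01) PASSWORD(REPLACEME) +
          INLMNU(*SIGNOFF) INLPGM(*NONE) LMTCPB(*YES) +
          SPCAUT(*NONE) TEXT('SLIP dial-in validation only')

/* Step 2: the authorization list that the *ANS profile names in its    */
/* System access authorization list field.                              */
CRTAUTL AUTL(SLIPAUTL) TEXT('SLIP dial-in requesters')

/* Step 3: add the profile to the list. AUT(*USE) is an assumed value;  */
/* the dialog script only checks that the user ID is on the list.       */
ADDAUTLE AUTL(SLIPAUTL) USER(SLIPUSR01) AUT(*USE)

/* Verify the entry before starting the configuration profile.          */
DSPAUTL AUTL(SLIPAUTL)

/* Optional: log this profile's activity through security auditing      */
/* (the QAUDCTL system value must include *AUDLVL for this to apply).   */
CHGUSRAUD USRPRF(SLIPUSR01) AUDLVL(*JOBDTA)
```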
Keep in mind that the value of setting up dial-in security is
affected by the security practices and capabilities of the systems that dial
in. If you require a user ID and password, then the connection dialog script
on the requesting system must send that user ID and password. Some systems,
such as iSeries™ servers,
provide a secure method for storing the user IDs and passwords. Other
systems store the user ID and password in the script which might be accessible
to anyone who knows where to find the script on the system.
Because of the differing security practices and capabilities of your communications
partners, you might want to create different configuration profiles for different
requesting environments. You use the STRTCPPTP command to set your system up to
accept a session for a specific configuration profile. You can start sessions
for some configuration profiles only at certain times of the day, for example.
You might use security auditing to log the activity for the associated user
profiles.