Application server security in a TCP/IP network

The TCP/IP server has a default security of user ID with clear-text password. This means that, as the server is installed, inbound TCP/IP connection requests must have at least a clear-text password accompanying the user ID under which the server job is to run.

The security can either be changed with the Change DDM TCP/IP Attributes (CHGDDMTCPA) command or under the Network > Servers > TCP/IP > DDM server properties

in iSeries™ Navigator. You must have *IOSYSCFG special authority to change this setting.

There are two settings that can be used for lower server security:

PWDRQD (*NO)
Password is not required.
PWDRQD(*VLDONLY)
Password is not required, but must be valid if sent.

The difference between *NO and *VLDONLY is that if a password is sent from a client system, it is ignored in the *NO option. In the *VLDONLY option, however, if a password is sent, the password is validated for the accompanying user ID, and access is denied if incorrect.

Encrypted password required or PWDRQD(*ENCRYPTED) and Kerberos or PWDRQD(*KERBEROS) can be used for higher security levels. If Kerberos is used, user profiles must be mapped to Kerberos principles using Enterprise Identity Mapping (EIM).

The following example shows the use of the Change DDM TCP/IP Attributes (CHGDDMTCPA) command to specify that an encrypted password must accompany the user ID. To set this option, enter:

CHGDDMTCPA PWDRQD(*ENCRYPTED)

Note: The DDM/DRDA TCP/IP server was enhanced in V4R4 to support a form of password encryption called password substitution. In V4R5, a more widely-used password encryption technique, referred to as the Diffie-Hellman public key algorithm was implemented. This is the DRDA^® standard algorithm and is used by the most recently released IBM^® DRDA application requestors. The older password substitute algorithm is used primarily for DDM file access from PC clients. In V5R1 a 'strong' password substitute algorithm was also supported. The client and server negotiate the security mechanism that will be used, and any of the three encryption methods will satisfy the requirement of PWDRQD(*ENCRYPTED), as does the use of Secure Sockets Layer (SSL) datastreams.