Secure dial-out sessions

Users on your iSeries™ system might want to establish dial-out connections to systems that require user validation.

The connection dialog script on your iSeries server must send a user ID and a password to the remote system. iSeries servers provide a secure method for storing that password. The password does not need to be stored in the connection dialog script.
Note:
  1. Your system decrypts the password before sending it. SLIP passwords, like FTP and TELNET passwords, are sent unencrypted (“in the clear”). However, unlike with FTP and TELNET, the SLIP password is sent before the systems establish TCP/IP mode.
     Because SLIP uses a point-to-point connection in asynchronous mode, the security exposure when sending unencrypted passwords is different from the exposure with FTP and TELNET passwords. Unencrypted FTP and TELNET passwords might be sent as IP traffic on a network and are, therefore, vulnerable to electronic sniffing. The transmission of your SLIP password is as secure as the telephone connection between the two systems.
  2. The default file for storing SLIP connection dialog scripts is QUSRSYS/QATOCPPSCR. The public authority for this file is *USE, which prevents public users from changing the default connection dialog scripts.
When you create a connection profile for a remote session that requires validation, do the following:
  1. Ensure that the Retain Server Security Data (QRETSVRSEC) system value is 1 (Yes). This system value determines whether you will allow passwords that can be decrypted to be stored in a protected area on your system.
  2. Use the WRKTCPPTP command to create a configuration profile that has the following characteristics:
    1. For the mode of the configuration profile, specify *DIAL.
    2. For the Remote service access name, specify the user ID that the remote system expects. For example, if you are connecting to another iSeries server, specify the user profile name on that iSeries server.
    3. For the Remote service access password, specify the password that the remote system expects for this user ID. On your iSeries server, this password is stored in a protected area in a form that can be decrypted. The names and passwords that you assign for configuration profiles are associated with the QTCP user profile. The names and passwords are not accessible with any user commands or interfaces. Only registered system programs can access this password information.
      Note: Keep in mind that the passwords for your connection profiles are not saved when you save the TCP/IP configuration files. To save SLIP passwords, you need to use the Save Security Data (SAVSECDTA) command to save the QTCP user profile.
    4. For the connection dialog script, specify a script that sends the user ID and password. The system ships with several sample dialog scripts that provide this function. When the system runs the script, the system retrieves the password, decrypts it, and sends it to the remote system.
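
The following CL program is an added example, not part of the original documentation. It is a check to run after the dial-out profiles exist: it confirms that QRETSVRSEC is still 1, prints the authorities on the default dialog script file for review, and saves security data so that the passwords held with QTCP are backed up. The tape device name TAP01 is an assumption; substitute your own device.

```cl
/* Added example: post-configuration check for SLIP dial-out profiles. */
/* TAP01 is an assumed tape device name.                                */
PGM
  DCL VAR(&RETSEC) TYPE(*CHAR) LEN(1)

  /* Decryptable passwords are retained only when QRETSVRSEC is '1'. */
  RTVSYSVAL SYSVAL(QRETSVRSEC) RTNVAR(&RETSEC)
  IF COND(&RETSEC *NE '1') THEN(DO)
    SNDPGMMSG MSG('QRETSVRSEC is not 1. Profile passwords +
                   cannot be stored. Nothing was saved.')
    RETURN
  ENDDO

  /* Print the authority list for the default dialog script file. */
  /* Review the spooled output: *PUBLIC should show *USE only.    */
  DSPOBJAUT OBJ(QUSRSYS/QATOCPPSCR) OBJTYPE(*FILE) OUTPUT(*PRINT)

  /* Saving the TCP/IP configuration files does not save the SLIP */
  /* passwords. They are saved with the QTCP user profile, which  */
  /* SAVSECDTA includes.                                          */
  SAVSECDTA DEV(TAP01)

  SNDPGMMSG MSG('QRETSVRSEC verified, authorities printed, +
                 security data saved.')
ENDPGM
```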