ibm-information-center/dist/eclipse/plugins/i5OS.ic.ddm_5.4.0.1/rbae5targetsecurity.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Application server security in a TCP/IP network" />
<meta name="abstract" content="The TCP/IP server has a default security of user ID with clear-text password. This means that, as the server is installed, inbound TCP/IP connection requests must have at least a clear-text password accompanying the user ID under which the server job is to run." />
<meta name="description" content="The TCP/IP server has a default security of user ID with clear-text password. This means that, as the server is installed, inbound TCP/IP connection requests must have at least a clear-text password accompanying the user ID under which the server job is to run." />
<meta name="DC.subject" content="password, encrypted, Kerberos, Diffie-Hellman, encryption" />
<meta name="keywords" content="password, encrypted, Kerberos, Diffie-Hellman, encryption" />
<meta name="DC.Relation" scheme="URI" content="rbae5elementtcpip.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzalv/rzalvmst.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1999, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1999, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rbae5targetsecurity" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Application server security in a TCP/IP network</title>
</head>
<body id="rbae5targetsecurity"><a name="rbae5targetsecurity"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Application server security in a TCP/IP network</h1>
<div><p>The TCP/IP server has a default security of user ID with clear-text
password. This means that, as the server is installed, inbound TCP/IP connection
requests must have at least a clear-text password accompanying the user ID
under which the server job is to run.</p>
<p>The security can either be changed with the <span class="cmdname">Change DDM TCP/IP
Attributes (CHGDDMTCPA)</span> command or under the <span class="menucascade"><span class="uicontrol">Network</span> &gt; <span class="uicontrol">Servers</span> &gt; <span class="uicontrol">TCP/IP</span> &gt; <span class="uicontrol">DDM
server properties</span></span></p>
<p> in <span class="keyword">iSeries™ Navigator</span>. You must
have *IOSYSCFG special authority to change this setting.</p>
<p>There are two settings that can be used for lower server security:</p>
<ul><li>PWDRQD (*NO)  <p>Password is not required.</p>
</li>
<li>PWDRQD(*VLDONLY) <p>Password is not required, but must be valid if sent.</p>
</li>
</ul>
<p>The difference between *NO and *VLDONLY is that if a password is sent from
a client system, it is ignored in the *NO option. In the *VLDONLY option,
however, if a password is sent, the password is validated for the accompanying
user ID, and access is denied if incorrect.</p>
<p>Encrypted password required or PWDRQD(*ENCRYPTED) and Kerberos or PWDRQD(*KERBEROS)
can be used for higher security levels. If Kerberos is used, user profiles
must be mapped to Kerberos principles using Enterprise Identity Mapping (EIM). </p>
<p>The following example shows the use of the <span class="cmdname">Change DDM TCP/IP Attributes
(CHGDDMTCPA)</span> command to specify that an encrypted password must
accompany the user ID. To set this option, enter:</p>
<p><samp class="codeph">CHGDDMTCPA PWDRQD(*ENCRYPTED)</samp></p>
<div class="p"> <div class="note"><span class="notetitle">Note:</span> The DDM/DRDA TCP/IP server was enhanced in V4R4 to support a form
of password encryption called password substitution. In V4R5, a more widely-used
password encryption technique, referred to as the Diffie-Hellman public key
algorithm was implemented. This is the DRDA<sup>®</sup> standard algorithm and is used by
the most recently released IBM<sup>®</sup> DRDA application requestors. The older password substitute
algorithm is used primarily for DDM file access from PC clients. In V5R1 a
'strong' password substitute algorithm was also supported. The client and
server negotiate the security mechanism that will be used, and any of the
three encryption methods will satisfy the requirement of PWDRQD(*ENCRYPTED),
as does the use of Secure Sockets Layer (SSL) datastreams.</div>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rbae5elementtcpip.htm" title="DDM and DRDA over native TCP/IP does not use i5/OS communications security services and concepts such as communications devices, modes, secure location attributes, and conversation security levels which are associated with Advanced Program-to-Program Communication (APPC). Therefore, security setup for TCP/IP is quite different.">Elements of security in a TCP/IP network</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="../rzalv/rzalvmst.htm">Enterprise Identity Mapping (EIM)</a></div>
</div>
</div>
</body>
</html>