90 lines
6.7 KiB
HTML
90 lines
6.7 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="concept" />
|
|
<meta name="DC.Title" content="Secure access" />
|
|
<meta name="abstract" content="Access control restricts the availability of system resources to only those users you have authorized to interact with the resources. The server allows you to control authorization of users to system resources." />
|
|
<meta name="description" content="Access control restricts the availability of system resources to only those users you have authorized to interact with the resources. The server allows you to control authorization of users to system resources." />
|
|
<meta name="DC.Relation" scheme="URI" content="rzajcplan4758.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzajcterrytable.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzajcterrytable.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzajcrolesprofiles.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzajcprereqssl.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzajccustomapp4758.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="secureaccess" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Secure access</title>
|
|
</head>
|
|
<body id="secureaccess"><a name="secureaccess"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">Secure access</h1>
|
|
<div><p>Access control restricts the availability of system resources to
|
|
only those users you have authorized to interact with the resources. The server
|
|
allows you to control authorization of users to system resources.</p>
|
|
<p>Your organization should identify each system resource in the organization's
|
|
security hierarchy. The hierarchy should clearly delineate the levels of access
|
|
authorization users have to resources.</p>
|
|
<p>All of the service programs in i5/OS™ Option 35 are shipped with *EXCLUDE
|
|
authority for *PUBLIC. You must give users *USE authority for the service
|
|
program that they need to use. In addition, you must also give users *USE
|
|
authority to the QC6SRV service program in library QCCA.</p>
|
|
<p>Users who take part in setting up a Cryptographic Coprocessor must have
|
|
*IOSYSCFG special authority to use the Master_Key_Process (CSNBMKP), Access_Control_Initialize
|
|
(CSUAACI), or Cryptographic_Facility_Control (CSUACFC) security application
|
|
programming interfaces (SAPIs). These three SAPIs are used to perform all
|
|
configuration steps for the Cryptographic Coprocessors. For all SAPIs, users
|
|
may require additional object authorities.</p>
|
|
<p>For the most secure environments, consider assigning the role of Coprocessor
|
|
Administrators to a set of users who do not have *ALLOBJ special authority.
|
|
This way, users with *ALLOBJ special authority cannot alter the configuration
|
|
of the Coprocessor because they will not be able to log on to an administrative
|
|
role on the Coprocessor. They can, however, control object authority to the
|
|
SAPI service programs, preventing misuse by the administrators.</p>
|
|
<p>In order to use the Cryptographic Coprocessor configuration web utility,
|
|
users must have *SECADM special authority.</p>
|
|
<p>Cryptographic Coprocessors have separate access controls which are unrelated
|
|
to the access controls of the server. The Cryptographic Coprocessor access
|
|
controls allow you to control access to the Cryptographic Coprocessor hardware
|
|
commands. </p>
|
|
<p>For even more security, limit the capabilities of the default role within
|
|
your Cryptographic Coprocessor. Assign capabilities among other roles to require
|
|
two or more people to perform security-sensitive functions, like changing
|
|
the master key. You can do this when you work with roles and profiles.</p>
|
|
<div class="note"><span class="notetitle">Note:</span> You should consider some standard physical security measures as well,
|
|
such as keeping your server behind a locked door.</div>
|
|
</div>
|
|
<div>
|
|
<ul class="ullinks">
|
|
<li class="ulchildlink"><strong><a href="rzajcterrytable.htm">Object authorities that are required for SAPI</a></strong><br />
|
|
Refer to this table for information regarding the object authorities that SAPI requires.</li>
|
|
</ul>
|
|
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajcplan4758.htm" title="This information is pertinent to those planning to install an IBM Cryptographic Coprocessor in their server.">Plan for the Cryptographic Coprocessor</a></div>
|
|
</div>
|
|
<div class="relconcepts"><strong>Related concepts</strong><br />
|
|
<div><a href="rzajcrolesprofiles.htm" title="Cryptographic Coprocessors use role-based access control. In a role-based system, you define a set of roles, which correspond to the classes of Coprocessor users. You can enroll each user by defining an associated user profile to map the user to one of the available roles.">Create and define roles and profiles</a></div>
|
|
<div><a href="rzajcprereqssl.htm" title="Read this information to make the Cryptographic Coprocessor ready for use with SSL.">Configure the Cryptographic Coprocessor for use with DCM and SSL</a></div>
|
|
<div><a href="rzajccustomapp4758.htm" title="This scenario could help an i5/OS programmer reason through the process of writing a program that calls the Cryptographic Coprocessor to verify user data such as financial personal identification numbers (PINs), which are entered at automatic teller machines (ATMs).">Scenario: Write an i5/OS application to use the Cryptographic Coprocessor</a></div>
|
|
</div>
|
|
<div class="relref"><strong>Related reference</strong><br />
|
|
<div><a href="rzajcterrytable.htm" title="Refer to this table for information regarding the object authorities that SAPI requires.">Object authorities that are required for SAPI</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |