86 lines
5.5 KiB
HTML
86 lines
5.5 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="task" />
|
|
<meta name="DC.Title" content="Secure dial-out sessions" />
|
|
<meta name="abstract" content="Users on your iSeries system might want to establish dial-out connections to systems that require user validation." />
|
|
<meta name="description" content="Users on your iSeries system might want to establish dial-out connections to systems that require user validation." />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamvtcpslip.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="tcpsecdialout" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Secure dial-out sessions</title>
|
|
</head>
|
|
<body id="tcpsecdialout"><a name="tcpsecdialout"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">Secure dial-out sessions</h1>
|
|
<div><p>Users on your iSeries™ system might want to establish dial-out connections
|
|
to systems that require user validation.</p>
|
|
<div class="section"> The connection dialog script on your iSeries server must send a user ID and
|
|
a password to the remote system. iSeries servers provide a secure method
|
|
for storing that password. The password does not need to be stored in the
|
|
connection dialog script.<div class="note"><span class="notetitle">Note:</span> <ol><li>your system decrypts the password before sending it. SLIP passwords, like
|
|
FTP and TELNET passwords, are sent unencrypted (“in the clear”). However,
|
|
unlike with FTP and TELNET, the SLIP password is sent before the systems establish
|
|
TCP/IP mode. </li>
|
|
<li>Because SLIP uses a point-to-point connection in asynchronous mode, the
|
|
security exposure when sending unencrypted passwords is different from the
|
|
exposure with FTP and TELNET passwords. Unencrypted FTP and TELNET passwords
|
|
might be sent as IP traffic on a network and are, therefore, vulnerable to
|
|
electronic sniffing. The transmission of your SLIP password is as secure as
|
|
the telephone connection between the two systems. 2. The default file for
|
|
storing SLIP connection dialog scripts is QUSRSYS/QATOCPPSCR. The public authority
|
|
for this file is *USE, which prevents public users from changing the default
|
|
connection dialog scripts.</li>
|
|
</ol>
|
|
</div>
|
|
When you create a connection profile for a remote session that
|
|
requires validation, do the following:</div>
|
|
<ol><li><span>Ensure that the Retain Server Security Data (QRETSVRSEC) system
|
|
value is 1 (Yes). This system value determines whether you will allow passwords
|
|
that can be decrypted to be stored in a protected area on your system.</span></li>
|
|
<li><span>Use the WRKTCPPTP command to create a configuration profile that
|
|
has the following characteristics:</span><ol type="a"><li class="substepexpand"><span>For the mode of the configuration profile, specify *DIAL.</span></li>
|
|
<li class="substepexpand"><span>For the Remote service access name, specify the user ID that
|
|
the remote system expects. For example, if you are connecting to another iSeries server,
|
|
specify the user profile name on that iSeries server.</span></li>
|
|
<li class="substepexpand"><span>For the Remote service access password, specify the password
|
|
that the remote system expects for this user ID. On your iSeries server,
|
|
this password is stored in a protected area in a form that can be decrypted.
|
|
The names and passwords that you assign for configuration profiles are associated
|
|
with the QTCP user profile. The names and passwords are not accessible with
|
|
any user commands or interfaces. Only registered system programs can access
|
|
this password information.</span> <div class="note"><span class="notetitle">Note:</span> Keep in mind that the passwords
|
|
for your connection profiles are not saved when your save the TCP/IP configuration
|
|
files. To save SLIP passwords, you need to use the Save Security Data (SAVSECDTA)
|
|
command to save the QTCP user profile.</div>
|
|
</li>
|
|
<li class="substepexpand"><span>For the connection dialog script, specify a script that sends
|
|
the user ID and password. The system ships with several sample dialog scripts
|
|
that provide this function. When the system runs the script, the system retrieves
|
|
the password, decrypts it, and sends it to the remote system.</span></li>
|
|
</ol>
|
|
</li>
|
|
</ol>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvtcpslip.htm" title="TCP/IP support includes Serial Interface Line Protocol (SLIP).">Security considerations for using SLIP</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |