103 lines
6.6 KiB
HTML
103 lines
6.6 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="task" />
|
|
<meta name="DC.Title" content="Secure dial-in SLIP connections" />
|
|
<meta name="abstract" content="Before someone can establish a dial-in connection to your system with SLIP, you must start a SLIP *ANS configuration profile." />
|
|
<meta name="description" content="Before someone can establish a dial-in connection to your system with SLIP, you must start a SLIP *ANS configuration profile." />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamvtcpslip.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="tcpdialin" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Secure dial-in SLIP connections</title>
|
|
</head>
|
|
<body id="tcpdialin"><a name="tcpdialin"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">Secure dial-in SLIP connections</h1>
|
|
<div><p>Before someone can establish a dial-in connection to your system
|
|
with SLIP, you must start a SLIP *ANS configuration profile.</p>
|
|
<div class="p">To create or change a SLIP configuration profile, you use the Work
|
|
with TCP/IP Point-to-Point (WRKTCPPTP) command. To start a configuration profile,
|
|
you use either the Start TCP/IP Point-to-Point (STRTCPPTP) command or an option
|
|
from the WRKTCPPTP display. When your system ships, the public authority for
|
|
the STRTCPPTP and ENDTCPPTP commands are *EXCLUDE. The options to add, change,
|
|
and delete SLIP configuration profiles are available only if you have *IOSYSCFG
|
|
special authority. As security administrator, you can use both command authority
|
|
and special authority determine who can set up your system to allow dial-in
|
|
connections.</div>
|
|
<div class="section">If you want to validate systems that dial in to your system, then
|
|
you want the requesting system to send a user ID and a password. Your system
|
|
can then verify the user ID and password. If the user ID and password are
|
|
not valid, your system can reject the session request. To set up dial-in validation,
|
|
do the following:</div>
|
|
<ol><li><span>Create a user profile that the requesting system can use to establish
|
|
the connection. The user ID and password that the requester sends must match
|
|
this user profile name and password. <strong>Note:</strong> For the system to perform
|
|
password validation, the QSECURITY system value must be set to 20 or higher.
|
|
As additional protection, you probably want to create user profiles specifically
|
|
for establishing SLIP connections. The user profiles should have limited authority
|
|
on the system. If you do not plan to use the profiles for any function except
|
|
establishing SLIP connections, you can set the following values in the user
|
|
profiles:<span class="option">An initial menu (INLMNU) of *SIGNOFF</span>, <span class="option">An
|
|
initial program (INLPGM) of *NONE</span>, and <span class="option">Limit capabilities
|
|
(LMTCPB) of *YES.</span> These values prevent anyone from signing on interactively
|
|
with the user profile.</span></li>
|
|
<li><span>Create an authorization list for the system to check when a requester
|
|
tries to establish a SLIP connection. <strong>Note:</strong> You specify this authorization
|
|
list in the System access authorization list field when you create or change
|
|
the SLIP profile.</span></li>
|
|
<li><span>Use the Add Authorization Entry (ADDAUTLE) command to add the user
|
|
profile that you created in step 1 to the authorization list. You can create
|
|
a unique authorization list for each point-to-point configuration profile,
|
|
or you can create an authorization list that several configuration profiles
|
|
share.</span></li>
|
|
<li><span>Use the WRKTCPPTP command to set up a TCP/IP point-to-point *ANS
|
|
profile that has the following characteristics:</span><ol type="a"><li><span>The configuration profile must use a connection dialog script
|
|
that includes the user-validation function. User validation includes accepting
|
|
a user ID and password from the requester and validating them. The system
|
|
ships with several sample dialog scripts that provide this function.</span></li>
|
|
<li><span>The configuration profile must specify the name of the authorization
|
|
list that you created in step 2. The user ID that the connection dialog script
|
|
receives must be in the authorization list.</span></li>
|
|
</ol>
|
|
</li>
|
|
</ol>
|
|
<div class="section"><p>Keep in mind that the value of setting up dial-in security is
|
|
affected by the security practices and capabilities of the systems that dial
|
|
in. If you require a user ID and password, then the connection dialog script
|
|
on the requesting system must send that user ID and password. Some systems,
|
|
such as iSeries™ servers,
|
|
provide a secure method for storing the user IDs and passwords. Other
|
|
systems store the user ID and password in the script which might be accessible
|
|
to anyone who knows where to find the script on the system.</p>
|
|
<p>Because
|
|
of the differing security practices and capabilities of your communications
|
|
partners, you might want to create different configuration profiles for different
|
|
requesting environments. You use STRTCPPTP command to set your system up to
|
|
accept a session for a specific configuration profile. You can start sessions
|
|
for some configuration profiles only at certain times of the day, for example.
|
|
You might use security auditing to log the activity for the associated user
|
|
profiles.</p>
|
|
</div>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvtcpslip.htm" title="TCP/IP support includes Serial Interface Line Protocol (SLIP).">Security considerations for using SLIP</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |