Product Description

PCSACC/400 provides easy and rapid access control for IBM OS/400 DB2/400 database file objects that are not sufficiently secured. All required access authority is defined within the security database of PCSACC/400.

All accesses via DDM, IBM iSeries Access for Windows or TCP/IP FTP are rejected unless they have been defined beforehand.

Description of the security problems

OS/400 offers a broad range of object level security functions.

Assignment of object authority for physical database files is sufficient in most cases. It can be specified using group profiles, authorization lists or by adopting authority via programs with USRPRF(*OWNER), and by working with *EXCLUDE and the GRT... commands. These are easy-to-use functions for assigning the necessary object authorities.

It is important to use these functions.

Are you working without specific object-level security and relying on menus to restrict your users? In most cases this is a very simple and effective method of preventing unauthorized data access.

IBM iSeries Access for Windows, remote DDM access and TCP/IP FTP, TFTP and REXEC do not cooperate with security concepts based on ordinary user menus.

All users can access all database files that are not protected, and can read and write these files.

An IBM file transfer can replace data, which may destroy your original data.

If you have assigned authority to each user, you should check whether it is really sufficient. Data access via a 5250 terminal is controlled by an application program; this is not the case for access via PCs, where users have access to all *PUBLIC data.

Solutions

You need access control on OS/400 via interface programs (APIs). Entries have to be made in the network attributes for the interface programs for original IBM Client Access clients (PCSACC parameter) and/or DDM access (DDMACC parameter), and/or exit programs have to be registered with the command WRKREGINF.

PCSACC/400 provides these interface programs including the necessary security database.

You can keep your existing security concept and avoid all the effort that would be necessary to implement object-based security that conforms to the system's architecture.

You do not need to specify restrictions for each database file with *EXCLUDE. PCSACC/400 changes the way the normal OS/400 authorities are used: you only define the required access authorities within the security database.

PCSACC/400 provides a rapid and effective method of creating these definitions; you do not need to know each of these authorities.

Controlled access

IBM iSeries Access for Windows

  • SQL/ODBC and file transfer
  • IFS (Integrated File System)
  • execution of remote commands (RMTCMD) and Distributed Program Call (iSeries Navigator)
  • data queues

And all programs that use these interfaces, such as:

RUMBA/400: file transfer from and to PC

ShowCase for IBM iSeries 400 (AS/400): file transfer from and to PC, all versions including ShowCase ODBC and ShowCase Century

DDM: data access via a remote AS/400 and clients (IBM VA RPG, IBM Visual Age and IBM Visual Gen), execution of remote commands (SBMRMTCMD)

TCP/IP FTP/TFTP and TCP/IP REXEC (RUNRMTCMD via IP): file access to database files in libraries, IFS access and command execution, for both server and client accesses

TCP/IP TELNET including 5250/TELNET: checking of IP addresses, checking or assignment of names, generic names, number of sessions, checking of auto-signon

How the security concept works

PCSACC/400 provides several interface programs.

Special database files contain structured information about the authorities of PC, DDM and TCP/IP FTP/TFTP/REXEC users. Only authorized accesses are stored.

This information is separated into user, library, file, member and folder security data, plus information about remote commands and distributed calls. IP and mail addresses are stored as well. Generic names can be used at file level, and separation by application (SQL/ODBC, FTP, DDM) is possible.

Access to database files can be controlled down to single members (read and write authority).

Separating authorities for libraries and data records, for example, allows general read authority to be granted for a library while updates or the creation of files are prohibited. These authorities can also be specified for individual files. In most cases this is a reasonable method.

Creation and deletion of libraries via remote SQL (CREATE/DROP COLLECTION) is controlled as well.

The maximum string length for SQL/ODBC has been increased to 32512 bytes. PCSACC/400 supports names of up to 128 bytes for SQL/ODBC tables; "QGPL"."This is my nice file" is a valid table name and is supported by PCSACC/400.

For DDM access, additional authorities are defined to control file operations (CHGPF, DLTF).

Execution of RMTCMD, SBMRMTCMD and the newer Distributed Program Call can be controlled at user level by releasing CALLs with the program name and library specified. It is also possible to define complete CL commands together with the length that has to be checked. Remote calls via remote SQL can also be controlled.

TCP/IP FTP/TFTP/REXEC users are always controlled, but access to database files, the IFS or command execution is checked via additional control fields.

ANONYMOUS control and checking of IP addresses are provided. An FTP sign-on with an internal PCSACC/400 user and a password bound to an IP address allows switching (crossover) to an i5/OS (OS/400) user who has no password, so that misuse of this user profile is impossible. A weekly calendar can be used for anonymous and/or crossover accesses.
Beginning with OS/400 V4R4, the TCP/IP FTP exit program PCSLO2 allows the start mode to be controlled: either QSYS.LIB with a current library or IFS mode with a home directory can be used.

Starting with OS/400 V5R2, IP address control is also possible for DDM and for all host servers (SQL/ODBC, NetServer, remote command/iSeries Navigator and data queues). A weekly calendar can be used here too.

PCSACC/400 usefully complements the operation of a firewall on a Linux partition or an integrated Netfinity server. PCSACC/400 operates like an application firewall. All generally released files (like *PUBLIC) can be assigned to a default user and therefore have to be defined only once, for example the QIWS... folder.

When starting with PCSACC/400, the QDEFAULT user record specifies that non-registered users are automatically registered and all their activities are written to logging files (the learning phase of PCSACC/400). The command CVTPCSLOG converts this information automatically into authority structures.

All files of the security concept in library QPCS are protected with *PUBLIC authority *EXCLUDE. Access to these files is possible only via programs of the security concept, which adopt the authority of user QPCS. Access to these files is therefore completely controlled by programs.

Users QPCS and QSECOFR are treated as 'master security officers' and are allowed to change all authority data. They cannot be removed from the security database files.

The user exit program receives information about the kind of access and checks against the stored records whether the access can be allowed.

Error messages are displayed or sent to the user. Additionally, this information can be routed to a central user, e.g. QSYSOPR (local or remote).

This provides easy, simple but effective control of all accesses from PC users to data on your AS/400, and it cannot be circumvented.

PC accesses, local or remote, via SNA/APPN or TCP/IP, and accesses via DDM or TCP/IP FTP/TFTP/REXEC server or client cannot circumvent the control, because it is performed by system functions on the AS/400.

PCSACC/400 provides a subset of IBM OS/400 authorities.

Extensive access authority may be restricted. If a user has no authority for an OS/400 object, access is rejected by OS/400 without calling the user exit program at all.

Stored data can be kept to a minimum, based on a 3-level hierarchy of *PUBLIC authorities, user groups and additional individual authorities, plus the possibility of generally allowing READ access at library level.
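The 3-level hierarchy (individual user, then group, then *PUBLIC), library-level READ with per-file write grants, generic file names and separation by application, as an added model in Python. This is not the product's code: the rule layout, the application codes and all user, library and file names are constructed for the example, and the product's own precedence rules may differ.

```python
"""Hypothetical model of a PCSACC/400-style authority check (not the product's code).

Resolution order follows the page's 3-level hierarchy: individual user record,
then group records, then *PUBLIC. No matching record means the access is rejected.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    subject: str            # user name, group name or "*PUBLIC"
    library: str
    file: str = "*"         # generic names allowed at file level, e.g. "CUST*"
    member: str = "*"
    app: str = "*"          # application: "SQL", "FTP", "DDM" or "*" for all
    read: bool = False
    write: bool = False


def _matches(rule, library, file, member, app):
    return (rule.library == library
            and fnmatchcase(file, rule.file)
            and fnmatchcase(member, rule.member)
            and rule.app in ("*", app))


def check_access(rules, user, groups, library, file, member, app, op):
    """Return True only if the first subject level with a matching record grants `op`.

    Within one level the most specific record wins (explicit member over explicit
    file over library-wide), so library-level READ can coexist with a per-file
    write grant. `op` is "READ" or "WRITE"."""
    for subject in [user, *groups, "*PUBLIC"]:
        hits = [r for r in rules if r.subject == subject
                and _matches(r, library, file, member, app)]
        if hits:
            best = max(hits, key=lambda r: (r.member != "*", r.file != "*", r.app != "*"))
            return best.write if op == "WRITE" else best.read
    return False          # deny by default: no record, no access


# Constructed sample security database (libraries, files and users are made up).
SAMPLE_RULES = [
    Rule("*PUBLIC", "QGPL", read=True),                      # general read at library level
    Rule("SALES", "SALESLIB", read=True),                    # group may read the whole library
    Rule("SALES", "SALESLIB", file="ORDERS", read=True, write=True),  # ...and write one file
    Rule("USR001", "SALESLIB", file="ORD*", app="FTP"),      # this user: no FTP on ORD* files
]
```

Note that the individual FTP record for USR001 blocks only FTP; the same user's SQL/ODBC write to ORDERS still resolves through the group record, which is the application separation the page describes.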

Contents of security program package

PCSACC/400 supports multiple languages: German (2929), German International (2939) and US English (2924).

PCSACC/400 provides a number of interface programs, including the program PCSNETA for activating and deactivating these interface programs. This application also contains the necessary maintenance menus for STRSBS, ENDSBS, STRHOSTSVR etc. Sub-exit programs are possible for all interfaces.

The maintenance program CHGPCS allows the creation and maintenance of authority structures and can be called by authorized users only. It contains many functions: a good overview of stored authorities via a coloured display of users (controlled users = blue, non-controlled users = green, locked users = red), activation and deactivation with a single entry of 'A/U/T' (A = activation, U = deactivation, T = test activation), and various additional reports.

All reports can be created via commands. New user records can also be created via a command, so this function can be integrated into existing CL programs. File information for library QPCS can be printed. Reorganization allows scheduled removal of accumulated information.

If the 5250 emulation in use does not support radio buttons (e.g. MOCHA), you can activate an alternative function via the user properties.

The programs contain extensive online documentation and field-sensitive detail information provided by panel groups (help). Additionally, an online user guide is provided; it can be displayed or printed at any time.

Installation

The package is delivered on CD-ROM for RISC releases. It can be installed by QSECOFR or a *SECOFR user using the LODRUN command. Installation over the network using save files is possible.

The copyright license number for the program package must be ordered via a form after delivery. Entry of this license number is required for complete installation. Afterwards the program package is activated via the maintenance program CHGPCS, and registration of all users and their activities is started.

At expiration of the test period, the exit programs simply stop operating. Access control is no longer active and no records are logged any longer. You can then continue with normal operations without deactivating the exit programs.

When logging is completed, all collected information is converted into authority structures by the command CVTPCSLOG and has to be checked manually. The control fields are activated using option 'A'; then this user is under control, while others may only be written to the logging files.

These activation/deactivation functions can be customized by changing the user records QDEFACT/QDEFINACT.

Not all users have to be activated at once; this can be performed per single user. When all users are activated, the control fields in the record of the QDEFAULT user have to be set from 'not controlled' to 'controlled' using option 'A'.

Now access control is active for all users, and the IBM System i5 (iSeries 400, AS/400) is controlled by PCSACC/400.

New users are automatically registered without any access rights. Only a user record is written to the file; all accesses are controlled and rejected, as no additional information is in the database for these new users.
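The learning phase described above (non-registered users logged, the log then converted into authority structures and checked by hand before users are activated), as an added model in Python. It is not the product's CVTPCSLOG: the log format, the operation names and all users, libraries and files are constructed for the example.

```python
"""Hypothetical model of the learning-phase conversion (what a CVTPCSLOG-like step does);
not the product's code. The log format below is constructed for this example."""
from collections import defaultdict

# Constructed learning-phase log: user;application;library;file;member;operation
SAMPLE_LOG = """\
USR001;SQL;SALESLIB;ORDERS;ORDERS;READ
USR001;SQL;SALESLIB;ORDERS;ORDERS;UPDATE
USR001;FTP;SALESLIB;ORDERS;ORDERS;GET
USR002;SQL;SALESLIB;CUSTOMER;CUSTOMER;READ
USR002;SQL;SALESLIB;CUSTOMER;CUST2008;READ
USR002;DDM;PAYROLL;SALARY;SALARY;DELETE
"""

# Operations that need write authority (assumed set); everything else is treated as a read.
WRITE_OPS = {"UPDATE", "INSERT", "DELETE", "PUT", "CREATE", "DROP", "CHGPF", "DLTF"}


def convert_log(log_text):
    """Fold observed activity into one entry per (user, app, library, file).

    Each entry records the minimum seen: read/write flags and the members touched,
    so the derived authority is no broader than what was actually observed."""
    auth = defaultdict(lambda: {"read": False, "write": False, "members": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, app, library, file, member, op = line.split(";")
        entry = auth[(user, app, library, file)]
        entry["members"].add(member)
        entry["write" if op.upper() in WRITE_OPS else "read"] = True
    return dict(auth)


def review_list(auth):
    """Entries that would grant write authority.

    The converted structures must be checked manually before a user is activated
    with 'A'; write grants observed during learning deserve that check first."""
    return sorted(key for key, entry in auth.items() if entry["write"])
```

On the sample log, the DDM DELETE on PAYROLL/SALARY observed during learning would become a write authority if converted blindly, which is exactly why the manual check precedes activation.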

Requirements

PCSACC/400 requires OS/400 V4R3 or higher and has been tested with all release levels up to i5/OS V6R1.

The required DASD capacity for the libraries QPCS, QPCS2924, QPCS2929 and QPCS2939, which contain more than 400 objects, is approximately 70 MB.

Example of a helptext
