FAQ – Frequently Asked Questions

Updated 13th Aug 2007

 

The following is a list of frequently asked questions about Bsafe/Enterprise Security for iSeries:  

 

  1. How can I restrict IP addresses for telnet sessions?
  2. How can I restrict user access to specific IP addresses?
  3. How do I protect the Integrated File System (IFS) from Operations Navigator users?
  4. How does the Bsafe security integrate with OS/400 internal security? Does it conflict with the OS/400 internal security or is it a two-stage security concept?
  5. How do I restrict specified database files in a library from ODBC access?
  6. Will the system value QRMTSIGN be changed to its original value after Bsafe/Enterprise Security de-activation?
  7. How does Bsafe/Enterprise Security work on the iSeries (AS/400)?
  8. Does Bsafe Solutions software support platforms other than iSeries?
  9. What connects the client application to the iSeries?
  10. On what level are the restrictions made?
  11. What are the maintenance/contingency recommendations for Bsafe/Enterprise Security?
  12. What happens if our product customer key is no longer valid?
  13. What is the Check Remote User option in the Pass-through system defaults window?
  14. Does the product support sending SNMP alerts via HP OpenView?
  15. Can we create our own queries of the Bsafe/Enterprise Security database?
  16. On which computers do I need to install Bsafe/Enterprise Security?
  17. How does Bsafe/Enterprise Security limit access to specified user applications?
  18. Who does the installation of the product?
  19. Where can I find the product installation instructions?
  20. How do I uninstall the product?
  21. How long does it take to implement the product?
  22. What is the difference between the sign-off and exit options in the Bsafe/Enterprise Security green-screen menu?
  23. We do not run the HTTP server. Can we still use Bsafe/Enterprise Security?
  24. How secure is the Bsafe/Enterprise Security PC-client (GUI)?
  25. Which functions of Client Access are controlled by restricting access to the central server?
  26. Which functions of Client Access are controlled by restricting access to the remote command server?
  27. Does Bsafe/Enterprise Security work with the Apache HTTP server?
  28. If I restrict access by a user to the Delete file function of the file server or database server, will this protect the file from access by that user through a normal RPG, COBOL or CLP program?
  29. What is program PGM: QIJS/QIJCSGET referred to in the Application Audit?
  30. What exactly are Bsafe Groups and how do they differ from iSeries group profiles?
  31. How does the product affect system performance and disk space?

The answers to these questions are as follows:

 

 

1.      How can I restrict IP addresses for telnet sessions?

 

In line with the approach taken for other permission restrictions in Bsafe/Enterprise Security, you may prevent telnet access as the system default and then give access to selected IP addresses only. Alternatively, you may allow telnet access as the default and prevent access to selected individual IP addresses or address ranges. The first approach involves the following steps.

 

1.      Remove telnet permissions at the system level by unchecking the telnet permission in the system defaults screen.

2.      If not yet defined, define the IP addresses (or ranges) in the Bsafe network manager. The Add IP Range Definition screen aids you in identifying valid IP addresses by allowing you to view and select from the IP addresses recorded in the Bsafe log.

3.      Return to the Bsafe Manager main screen and select the address range account type. You will see all the IP address ranges previously defined in the network manager. For each range add or change the permissions definition, making sure TELNET permission is marked.

 

 

2.      How can I restrict user access to specific IP addresses?

 

1.      Go to the Bsafe system defaults. Click the continuation button on the Telnet application permission. Make sure "Activate API on telnet account binding" is marked.

 

2.      Change each OS/400 user profile so that it is restricted to calling the program RMTLIB/APITEL. This can be the initial program of the user profile or, alternatively, may be called by the user's existing initial program. After making this change, the user will no longer be permitted to use Telnet except at the IP addresses designated in the following steps.

 

3.      Go to the Bsafe Manager main screen and select the address range account type. You will see all the IP address ranges previously defined in the network manager. For the address range to which the account is to be permitted, add or change the permissions definition, making sure TELNET permission is marked.

 

4.      Click the continuation button for the TELNET option.

 

5.      Make sure the Allow automatic sign-on checkbox is not marked. If it is marked, clear it to disable automatic sign-on. Click the Account Binding button to open the Telnet Account Binding window. Mark the users who will be permitted to use TELNET from this IP address or range then close the window.

3.      How do I protect the Integrated File System (IFS) from Operations Navigator users?

 

Use File Server permissions to protect IFS directories from any user, not only Operations Navigator users. The following list maps the File Server permissions to the Operations Navigator actions:

    File Server permission             Operations Navigator action
    Rename                             Rename
    Delete                             Delete
    Open Stream File                   Copy
    Open Stream File and Delete        Cut

 

 

4.      How does the Bsafe security integrate with OS/400 internal security? Does it conflict with the OS/400 internal security or is it a two-stage security concept?

 

The purpose of Bsafe/Enterprise Security is to enhance your iSeries' security without interfering with the OS/400 internal security. Network requests to the iSeries are handled first by Bsafe/Enterprise Security and thereafter by OS/400, thus providing your system with two stages of protection.

 

5.      How do I restrict specified database files in a library from ODBC access?

 

Use the following steps:

1)      Select account type (user/group…) from the iSeries Manager screen

2)      Check Database

3)      Press the continuation button (…)

4)      Check the specific function

5)      Press the continuation button (…)

6)      Click the Library List icon

7)      Select the library from the list

8)      Click the Object List icon

9)      Select objects from the list

 

6.      Will the system value QRMTSIGN be changed to its original value after Bsafe/Enterprise Security de-activation?

 

No, the QRMTSIGN system value will be changed to *VERIFY regardless of the value it had before Bsafe/Enterprise Security activation.

 

7.      How does Bsafe/Enterprise Security work on the iSeries (AS/400)?

 

Bsafe/Enterprise Security is divided into a number of program modules. The Gateway program module of Bsafe/Enterprise Security takes control of access to the iSeries servers over TCP/IP and SNA communication, on both the internet and the intranet. Part of the technique used is exit points. In the system auditing program module, OS/400 object level authority is used.

 

8.      Does Bsafe Solutions software support platforms other than iSeries?

 

Yes. Bsafe Solutions has a security package for IBM mainframes. However, Bsafe/Enterprise Security is tailored to the iSeries (AS/400).

 

9.      What connects the client application to the iSeries?

 

Bsafe/Enterprise Security uses client/server technology. It is a PC-based Windows application connecting to your iSeries (AS/400) through the network using the HTTP server.

 

10.  On what level are the restrictions made?

 

Bsafe restrictions consist of three parts:

 

1.      Who is restricted.

2.      What functions are restricted.

3.      To what objects do these restrictions apply.

 

Who is restricted?

Restrictions can be made for all users, groups of users or individual users. Additionally, IP addresses can be considered ‘users’ for this purpose.

 

What functions are restricted?

After selecting who is to be restricted, restrictions can be made for each iSeries (AS/400) server at the general level or at the specific function level for that server.

 

To what objects do these restrictions apply?

After selecting who is to be restricted and which functions they are to be restricted to, restrictions can then be made to selected libraries, objects and IFS paths.

 

11.  What are the maintenance/contingency recommendations for Bsafe/Enterprise Security?

 

Bsafe/Enterprise Security for iSeries uses 3 libraries as follows:

RMTOBJ

RMTSMP   

RMTFIL

 

RMTOBJ and RMTSMP contain the objects required to run the product whereas RMTFIL contains both your definitions and the event log used in the Application Audit and analyzer.

 

Therefore, RMTOBJ and RMTSMP should be backed up at least once after installation or upgrade. Additional backups of these libraries are not necessary.

 

RMTFIL, however, should be backed up regularly; we suggest the same backup strategy as for other critical data in your organization.

 

In the event of a contingency, the restoration of these 3 libraries will restore Bsafe/Enterprise Security to operability. Following restoration, re-run the Bsafe/Enterprise Security installation program, CALL PGM(RMTOBJ/SATKNAC).

 

This is discussed in the full installation guide which appears on the Bsafe website and in the Bsafe/Enterprise Security user guide.

 

The event log (file SRMTLGP) will expand according to the degree of activity in your system. Its size should be monitored regularly.

 

The clear log function may be performed only through the native OS/400 interface, from the SYSTEM sub-menu. This is covered in detail in chapter 9.2 of the new user guide, which may be downloaded from the Bsafesolutions.com website.

 

You should determine the frequency of the clear operation and the range of events to purge based on the rate of expansion of the log file and the depth of event history you feel necessary. A small log file will minimise performance degradation, but a larger range of logged events on line will allow you to take full advantage of Bsafe/Enterprise Security's statistical analysis capabilities.

 

One of the parameters on the clear operation is the reorganization of the log file. There is no option for reorganization of the other physical files. This may be done from time to time on a one-by-one basis.
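A check of the kind the answer above asks for (monitoring the size of the event log regularly), as an added example and not the product's own code: a small CL program that reads the current record count of the SRMTLGP log in RMTFIL with RTVMBRD and warns the operator once it passes a threshold. The program name, the threshold value and sending the warning to QSYSOPR are assumptions; the clear log itself is still done from the product's SYSTEM sub-menu.

```cl
/* CHKBSFLOG: constructed example, not part of Bsafe/Enterprise Security.  */
/* Warns when the event log SRMTLGP in library RMTFIL exceeds an assumed    */
/* record threshold, so the clear log run can be scheduled in good time.    */
PGM
  DCL VAR(&NBRRCD) TYPE(*DEC)  LEN(10 0)        /* current record count   */
  DCL VAR(&LIMIT)  TYPE(*DEC)  LEN(10 0) +
      VALUE(1000000)                             /* assumed threshold      */
  DCL VAR(&RCDTXT) TYPE(*CHAR) LEN(10)
  DCL VAR(&MSG)    TYPE(*CHAR) LEN(132)

  /* Retrieve the record count of the log member. If the file is missing, */
  /* end with an escape message rather than silently reporting nothing.   */
  RTVMBRD FILE(RMTFIL/SRMTLGP) MBR(*FIRST) NBRCURRCD(&NBRRCD)
  MONMSG MSGID(CPF0000) EXEC(DO)
    SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
              MSGDTA('Event log RMTFIL/SRMTLGP not found') MSGTYPE(*ESCAPE)
  ENDDO

  /* Compare against the threshold and notify the operator when exceeded. */
  IF COND(&NBRRCD *GT &LIMIT) THEN(DO)
    CHGVAR VAR(&RCDTXT) VALUE(&NBRRCD)
    CHGVAR VAR(&MSG) VALUE('Bsafe event log RMTFIL/SRMTLGP holds' *BCAT +
      &RCDTXT *BCAT 'records: run the clear log from the SYSTEM sub-menu')
    SNDMSG MSG(&MSG) TOUSR(QSYSOPR)
  ENDDO
ENDPGM
```

Schedule the program (for example with the job scheduler) to run daily so the warning arrives before the log grows large enough to affect performance.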

 

12.  What happens if our product customer key is no longer valid?

 

The Bsafe/iSeries temporary customer code expires at midnight of the expiry date defined for the code (at the end of that date). Beyond that date you will not be able to activate Bsafe/Enterprise Security from either your PC or in native mode until you receive a new code (the problem should never occur with a permanent customer code).

If you don't intend to use Bsafe/Enterprise Security further, simply sign on with user Bsafe and, when you receive the message that the customer code has expired, press F14 to begin the deactivation process. After deactivation has completed, the product may be uninstalled according to the instructions in the installation guide.

 

13.  What is the Check Remote User option in the Pass-through system defaults window?

 

Marking the Check Remote User checkbox allows access only if the user who made the request on the remote computer also exists on the host computer. Clearing the checkbox will bypass this check.

 

14.  Does the product support sending SNMP alerts via HP OpenView?

 

Alerts may be defined in Bsafe/Enterprise Security to be sent by a number of means through a standard interface. Bsafe/Enterprise Security uses the IBM supplied SNMP agent to send traps. The following points should be noted.

 

  1. The IP address specified in CHGSNMPA should be that of the computer that runs the SNMP manager. It doesn't really matter which SNMP manager it is, as long as it is a standard SNMP manager such as HP OpenView.
  2. You only need to specify the parameters that are shown in the Bsafe IDS message definition. See the on-line User Guide for a full explanation.

 

15.  Can we create our own queries of the Bsafe/Enterprise Security database?

The Bsafe/Enterprise Security database is interfaced to the user through the PC-based Bsafe/Enterprise Security Manager and additionally through the green-screen 5250 interface. Through these interfaces the product provides on-line inquiries and both pre-defined and user-defined reports. Bsafe Software Solutions does not support or recommend any alternative means of accessing the product database.

 

16.  On which computers do I need to install Bsafe/Enterprise Security?

Bsafe/Enterprise Security is installed on each iSeries or AS/400 server whose network activity you wish to control and monitor.

Additionally, the product's PC-client GUI must be installed on each PC you wish to use as a console to view the iSeries network traffic and control permissions definitions. Each client PC can view any of the iSeries servers connected on the same TCP/IP network.

 

17.  How does Bsafe/Enterprise Security limit access to specified user applications?

Through Bsafe/Enterprise Security you can limit access to specified iSeries servers and services for data in specified libraries. In this way you can, for example, allow ODBC access to libraries INVENTFIL and INVENTAUD only. The specified user will not have ODBC access to other libraries, even if OS/400 object authority allows this.

 

18.  Who does the installation of the product?

Installation is normally done by the customers themselves after they download the iSeries save files and the PC-client installation pack from the Bsafe website. It is a fairly straightforward process and doesn’t require a high degree of technical knowledge. Full, step-by-step instructions for both new installations and also for product upgrades are posted on the Bsafe Solutions website. These instructions also appear in the downloadable on-line user guide.

 

19.  Where can I find the product installation instructions?

Full, step-by-step instructions for both new installations and also for product upgrades are posted on the Bsafe Solutions website. These instructions also appear in the downloadable on-line user guide.

 

20.  How do I uninstall the product?

Full, step-by-step instructions for uninstalling the product are posted on the Bsafe Solutions website. These instructions also appear in the downloadable on-line user guide.

 

21.  How long does it take to implement the product?

 

Implementation is done gradually. This is achieved by an initial set of system defaults set automatically at installation time. The overall approach adopted is to start off without any restrictions at all and just log network activity. The pattern of network activity will then assist the customer when defining actual restrictions. After initially defining restrictions to the various servers, Bsafe/Enterprise Security is run in simulation mode. This allows the Bsafe protection to operate fully but to warn of unauthorized activity while still allowing operations to take place.

 

Finally, after following the simulated protection of the product, when satisfied that the simulation represents the desired security settings, the administrator can switch the product to real-time protection, in which unauthorized access attempts will be rejected. This no-pressure, step-by-step implementation can be done at the administrator's pace and reduces the chances of any unexpected and unwanted restrictions on authorized activity.

 

The whole process is normally completed in about three or four sessions with a break of several days at least between sessions while the system gathers information. The time spent on each session will vary according to a number of factors including the number of users, the number of services and the number of IP addresses existing.

 

22.  What is the difference between the sign-off and exit options in the Bsafe/Enterprise Security green-screen menu?

 

Sign-off executes the SIGNOFF command and is suitable when Bsafe/Enterprise Security is run directly from signing on as a single application (as for the BSAFE user). If, however, Bsafe is run from a menu or from the command line, exit will return to the menu or command line without signing off.

 
23.  We do not run the HTTP server. Can we still use Bsafe/Enterprise Security?

 

The HTTP server is used to run the Bsafe/Enterprise Security GUI. If the HTTP server is not available the customer will not be able to work with the GUI. He will still be able to use the "green screen" manager for network protection, but some other features, like System Journal or Bsafe Analyzer, will not be available.

The customer doesn't need to use the HTTP server to restrict access to the iSeries.

 

24.  How secure is the Bsafe/Enterprise Security PC-client (GUI)?

 

Any client/server application implementing a GUI will need to use some sort of server on the iSeries. In our case it's the HTTP server. Here are some points worth noting:

 

1.      Bsafe/Enterprise Security uses a dedicated HTTP instance configured to port 1967, 1983, 55555, 55556 or 55557 depending on your platform and operating system as opposed to port 80, which serves for public use.

2.      The Bsafe/Enterprise Security instance is secured with a validation list. That means no public use is allowed.

3.      The Bsafe/Enterprise Security instance can be additionally secured with SSL.

4.      Bsafe/Enterprise Security uses its own additional level of security, such as parameter encryption and a sumcheck function.

5.      Bsafe/Enterprise Security application doesn't cache administrator passwords on the PC, as does Client Access. As soon as the administrator has logged on to the GUI the user and password used are discarded.

6.      The Bsafe/Enterprise Security instance doesn't allow Put functions, only Get.

7.      To run any request on the Bsafe/Enterprise Security instance an intruder will need to know the exact script, including parameter encryption and sumcheck.

8.      The customer needs the HTTP server to run the GUI only, so this instance can easily be shut down when the GUI isn't being used.

 

25.  Which functions of Client Access are controlled by restricting access to the central server?

 

Preventing access to the central server will not allow that user access to any of the Client Access functions including Telnet, data transfer, ODBC and Operations Navigator.

 

26.  Which functions of Client Access are controlled by restricting access to the Remote command server?

 

Preventing access to the remote command server will allow Telnet emulation but not allow that user access to data transfer, ODBC or Operations Navigator.

 

27.  Does Bsafe/Enterprise Security work with the Apache HTTP server?

 

Yes.

 

28.  If I restrict access by a user to the Delete file function of the file server or database server, will this protect the file from access by that user through a normal RPG, COBOL or CLP program?

 

No. The reason for this is that Bsafe restrictions are only for networked access and do not apply when accessing files from the command line or through your RPG application in a green-screen Telnet emulation. This applies whether the restriction is made at the function level, or for specifically named files or libraries.

 

If, however, your application were to use client/server technology, then Bsafe would indeed intervene, as this is networked access. It is controlled by Bsafe permissions to the Database server.

 

OS/400 user/object authorities can in fact also be viewed and changed through Bsafe. This is done by using the Object Authorizations Manager (icon on the main Bsafe/Enterprise Security Manager screen). This is a distinct and completely separate function from the Account Permission definitions.

 

29.  What is program PGM: QIJS/QIJCSGET referred to in the Application Audit?

The program QIJSCGET in library QIJS is a CLLE program that refers to the Advanced Job Scheduler for Wireless and requires the iSeries Licensed Program 5722-JS1.

 

From an iSeries command line, run the command CALL QIJS/QIJSCINT to view your scheduled jobs.

AJS for Wireless is a software application that allows you to access Advanced Job Scheduler on multiple Internet-accessible devices, such as an Internet-ready phone, PDA Web browser or PC Web browser. The wireless feature of AJS resides on your iSeries system, where AJS is installed, and allows you to access your jobs and activity, as well as send messages to recipients on your system, and stop and start the AJS monitor. AJS for Wireless allows each user to customize the settings and preferences of their browsing experience. For instance, a user can show activity, display jobs, and customize the jobs they display.

AJS for Wireless allows you to access your jobs when you are normally unable to access an iSeries terminal or emulator.

 
30.  What exactly are Bsafe Groups and how do they differ from iSeries group profiles?

The Bsafe Group is a flexible and efficient way of defining access permissions in an organization. It is a concept known only within Bsafe/Enterprise Security and is independent of iSeries group profiles. This makes network permissions easier to handle for the following reasons.

 

1.      Users' network permission requirements are normally different from their business application permission requirements (those for which iSeries group profiles are normally created).

2.      The members participating in Bsafe Groups can be changed instantly without affecting iSeries authorities.

3.      A small number of Bsafe Groups (up to ten groups) is normally enough even for organizations with hundreds, or even thousands, of users. These can be displayed in a screen or two, as opposed to dozens of screens of user profiles in a large company.

 

However, the Bsafe product is flexible enough to allow assigning permissions to individual user profiles or to iSeries group profiles, if you so wish.

 
31.  How does the product affect system performance and disk usage?

Bsafe/Enterprise Security is a tool for protection, monitoring and reporting and, by definition, it makes use of system resources. However, the product is efficient and flexible and has many features to optimize its activity to the needs of the customer. There is no noticeable performance overhead except in rare, highly intensive batch applications. If such a situation is experienced, the following options are available to the customer:

 

1.      Full/reduced network log activity for specific users, groups or applications

2.      Logging of all activity/unauthorized activity for specific applications

3.      System audit activity logging for specific users

 

These options also affect the rate of growth of the audit log. It should be clear to the system manager that to make maximum use of a powerful auditing tool to review and analyze past events requires sufficient space to log the information, whether it be network activity, database reads, database updates or system activity.

 

To further assist the administrator in maintaining optimal audit information, the following tools are included to control the size of logs on the iSeries:

1.      System journal management to generate and delete receivers

2.      Selective network log purge mechanism which can be run automatically by the scheduler

3.      Central Audit to extract selected system journal information and keep it as long as you need it, with an option to purge unwanted information. This can optionally be held as an off-line log saved on the PC, saving still more disk space on the iSeries.

4.      Setting of upper limits for logs and work files.