Security Options

Learn about the many security considerations and options for securing IBM® Navigator for i.

In today's world, security is a key focus for everyone. Security entails running applications that are secure and free of vulnerabilities, encrypting communications from point to point, and ensuring that unauthorized users are not allowed to manage and access information and features on the IBM i. IBM Navigator was created from the ground up with all of these security areas at the center of its design and implementation.

User Access

When a user connects to Navigator, an IBM i user profile and password are required. This sign-in is the first line of security for authority and authorization. Navigator then runs as that user and can access and manage only those areas that the profile is authorized for. Because Navigator is intended to be a client from which you can point to and manage many IBM i endpoint nodes, each endpoint also requires a specific user and password for access. There are multiple ways that you can configure Navigator for each user to provide that endpoint user and password. Details on these options can be found at:
  • Access Authorization

Function usage

Navigator runs on each endpoint node as the user that was provided for that specific IBM i. Navigator ensures that a user is not allowed to access or manage more than they are authorized to. That baseline is good, but some administrators also need to add extra restrictions for various functional areas. These additional restrictions are easily handled with Function Usage IDs. A user profile may need to be added to a specific function usage ID to access that functional area. By not adding a user profile to a function usage ID, that profile is restricted from that functional area. In previous versions of Navigator, this interface was called Application Administration, but behind the scenes it was built on the function usage ID support. Today, with the new Navigator, we are simply naming it Function Usage.

Note: Today there exist 72 function usage IDs that were created to restrict and control various features and functions within older applications such as the Windows Navigator Client, the original web Navigator, and Access Client Solutions. After discussions with industry security experts, we created a new simplified set of IDs instead of trying to remap these function usage IDs onto the functions of the new Navigator. Details on these new function usage IDs can be found at:
  • Function Usage IDs

Encryption support

There are multiple connection points in Navigator to consider. Each can (and should) be encrypted to ensure the highest levels of security. Users connect to IBM Navigator by using a web browser on the PC or mobile device of their choice. By default, Navigator ships non-encrypted. It is recommended that users enable encryption by leveraging their own company's certificate. Additionally, users can then connect from this initial IBM i to many other IBM i endpoint nodes. The user can enable encryption between each of these endpoints. For details on how to configure encryption by using TLS, see:

  • Setting up TLS Encryption