Server security in a TCP/IP network
The TCP/IP server has a default security of user ID with clear-text password. This means that, as the server is installed, inbound TCP/IP connection requests must have at least a clear-text password accompanying the user ID under which the server job is to run.
The security level can be changed with the Change DDM TCP/IP Attributes (CHGDDMTCPA) command or in System i Navigator. You must have *IOSYSCFG special authority to use this command. Additionally, you must have *SECADM and *ALLOBJ special authorities to modify the PWDRQD parameter.
Change DDM TCP/IP Attributes (CHGDDMTCPA)
Type choices, press Enter.
Autostart server . . . . . . . . *YES *SAME, *NO, *YES
Lowest authentication method . . *VLDONLY *SAME, *USRID, *VLDONLY...
Lowest encryption algorithm . . *DES *SAME, *DES, *AES
Bottom
F3=Exit F4=Prompt F5=Refresh F12=Cancel F13=How to use this display
F24=More keys
These settings can be used for setting the lowest authentication method allowed by the server:
- PWDRQD(*USRID)
Password is not required.
- PWDRQD(*VLDONLY)
Password is not required, but must be valid if sent.
- PWDRQD(*USRIDPWD)
Password is required and is sent in clear text. This is the installed default described above.
The difference between *USRID and *VLDONLY is that if a password is sent from a client system, it is ignored in the *USRID option. In the *VLDONLY option, however, if a password is sent, the password is validated for the accompanying user ID, and access is denied if incorrect. With either option a client that sends no password is still accepted, so it can run under any user profile it names without proving knowledge of that profile's password.
Encrypted user ID and password (PWDRQD(*ENCUSRPWD)), encrypted password required (PWDRQD(*USRENCPWD)), and Kerberos (PWDRQD(*KERBEROS)) can be used for higher security levels. If Kerberos is used, user profiles must be mapped to Kerberos principals using Enterprise Identity Mapping (EIM). DRDA does support using multiple EIM target associations.
The following example shows the use of the Change DDM TCP/IP Attributes (CHGDDMTCPA) command to specify that an encrypted password must accompany the user ID. To set this option, enter:
CHGDDMTCPA PWDRQD(*USRENCPWD)
These settings can be used for setting the lowest encryption algorithm allowed by the server for the encrypted authentication methods:
- ENCALG(*AES)
Only the Advanced Encryption Standard (AES) algorithm will be allowed.
- ENCALG(*DES)
The Data Encryption Standard (DES) algorithm or a stronger algorithm will be allowed.
The following example shows the use of the Change DDM TCP/IP Attributes (CHGDDMTCPA) command to specify that AES encryption must be used to authenticate to the server with encrypted authentication methods. To set this option, enter:
CHGDDMTCPA ENCALG(*AES)
ENCALG(*DES) and ENCALG(*AES) determine the lowest encryption algorithm the server will accept for encrypting the user ID or password during authentication; they do not encrypt the data that flows afterwards. If you want all data to be encrypted, use TLS, which encrypts all data over the network and supports a variety of encryption types.
When specifying the lowest encryption algorithm level, choose the strongest algorithm supported. If it is known that the client supports AES, specify ENCALG(*AES); 56-bit DES is no longer considered adequate protection for a password. When both systems support AES, the IBM® i operating system may choose to renegotiate to AES even when ENCALG(*DES) is specified, but only ENCALG(*AES) guarantees that a client limited to DES is refused.
The encrypted authentication methods are implemented with one of the following mechanisms:
- Password substitute algorithm
- Diffie-Hellman public key algorithm (56 bit *DES or 256 bit *AES)
- A strong password substitute algorithm
The current values can also be read with SQL from the relational database directory file QADBXRDBD in QSYS and the TCP/IP server autostart table QATOCSTART (normally in QUSRSYS). The mask X'E0' isolates the three authentication-method bits of DBXRSEC, and bit X'01' of DBTFLGS records the lowest encryption algorithm:
SELECT
  CASE
    WHEN AUTOSTART = '*YES' THEN '*YES'
    ELSE '*NO' END AS "Autostart server",
  CASE                                               -- DBXRSEC bits 7..5 = PWDRQD
    WHEN LAND(DBXRSEC,X'E0') = X'00' THEN '*USRID'
    WHEN LAND(DBXRSEC,X'E0') = X'20' THEN '*VLDONLY'
    WHEN LAND(DBXRSEC,X'E0') = X'40' THEN '*USRIDPWD'
    WHEN LAND(DBXRSEC,X'E0') = X'C0' THEN '*USRENCPWD'
    WHEN LAND(DBXRSEC,X'E0') = X'80' THEN '*ENCUSRPWD'
    WHEN LAND(DBXRSEC,X'E0') = X'A0' THEN '*KERBEROS'
    ELSE '*UNKNOWN' END AS "Lowest authentication method",
  CASE                                               -- DBTFLGS bit 0 = ENCALG
    WHEN LAND(DBTFLGS,X'01') = X'01' THEN '*AES'
    ELSE '*DES' END AS "Lowest encryption algorithm"
FROM qsys.qadbxrdbd, QATOCSTART
WHERE DBXRMTN = '*LOCAL' AND SERVER = '*DDM'         -- local RDB entry, *DDM server row
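The script below is an added example and is not part of the IBM documentation. It applies the same decoding as the query above (DBXRSEC masked with X'E0', DBTFLGS masked with X'01') to the raw byte values, grades the result against a hardening baseline taken from the recommendations above (at least PWDRQD(*USRENCPWD) and ENCALG(*AES)), and builds the CHGDDMTCPA command that would bring the server to that baseline. The baseline is a choice, not an IBM default, and the two sample rows are constructed; on a real system the values would come from the query over an ODBC or JDBC connection.

```python
"""Audit DDM/DRDA TCP/IP server security attributes (added example).

Decodes DBXRSEC (QADBXRDBD) and DBTFLGS (QATOCSTART) the same way as the
SQL query on this page, then checks the result against a hardening baseline.
"""
from dataclasses import dataclass
from typing import List, Optional

# DBXRSEC bits 7..5 -> PWDRQD value, the mapping used by the page's CASE expression.
AUTH_BY_BITS = {
    0x00: "*USRID",
    0x20: "*VLDONLY",
    0x40: "*USRIDPWD",
    0xC0: "*USRENCPWD",
    0x80: "*ENCUSRPWD",
    0xA0: "*KERBEROS",
}

# Weakest to strongest, in the order the text presents them.
AUTH_RANK = {"*USRID": 0, "*VLDONLY": 1, "*USRIDPWD": 2,
             "*USRENCPWD": 3, "*ENCUSRPWD": 4, "*KERBEROS": 5}


@dataclass
class DdmAttributes:
    autostart: bool
    pwdrqd: str      # lowest authentication method the server accepts
    encalg: str      # lowest encryption algorithm for the encrypted methods


def decode(dbxrsec: int, dbtflgs: int, autostart: str) -> DdmAttributes:
    """Decode the raw DBXRSEC / DBTFLGS bytes and the AUTOSTART column."""
    method = AUTH_BY_BITS.get(dbxrsec & 0xE0, "*UNKNOWN")
    encalg = "*AES" if dbtflgs & 0x01 else "*DES"
    return DdmAttributes(autostart.strip() == "*YES", method, encalg)


def audit(attrs: DdmAttributes, min_auth: str = "*USRENCPWD",
          require_aes: bool = True) -> List[str]:
    """Return findings against the baseline; an empty list means it is met."""
    findings: List[str] = []
    rank = AUTH_RANK.get(attrs.pwdrqd, -1)
    if rank < 0:
        return [f"unrecognised authentication method {attrs.pwdrqd}"]
    if rank <= AUTH_RANK["*VLDONLY"]:
        findings.append(f"PWDRQD({attrs.pwdrqd}): a client can run under any "
                        "user profile it names without supplying its password")
    elif rank == AUTH_RANK["*USRIDPWD"]:
        findings.append("PWDRQD(*USRIDPWD): passwords cross the network in "
                        "clear text unless the session is protected by TLS")
    if rank < AUTH_RANK[min_auth]:
        findings.append(f"PWDRQD({attrs.pwdrqd}) is below the baseline {min_auth}")
    # ENCALG is a server-wide floor for the encrypted methods, so it is
    # checked regardless of which method is currently the minimum.
    if require_aes and attrs.encalg != "*AES":
        findings.append("ENCALG(*DES): 56-bit DES is still accepted for the "
                        "encrypted user ID/password exchange")
    return findings


def remediation(attrs: DdmAttributes, min_auth: str = "*USRENCPWD",
                require_aes: bool = True) -> Optional[str]:
    """Build the CHGDDMTCPA command that raises the server to the baseline."""
    params = []
    if AUTH_RANK.get(attrs.pwdrqd, -1) < AUTH_RANK[min_auth]:
        params.append(f"PWDRQD({min_auth})")
    if require_aes and attrs.encalg != "*AES":
        params.append("ENCALG(*AES)")
    return "CHGDDMTCPA " + " ".join(params) if params else None


# Constructed sample rows, not taken from a real system: the installed
# default (clear-text password, DES floor) and a hardened configuration.
SAMPLE_ROWS = {
    "installed default": dict(dbxrsec=0x40, dbtflgs=0x00, autostart="*YES"),
    "hardened":          dict(dbxrsec=0xC0, dbtflgs=0x01, autostart="*YES"),
}

if __name__ == "__main__":
    for name, row in SAMPLE_ROWS.items():
        attrs = decode(**row)
        print(f"{name}: {attrs}")
        for finding in audit(attrs):
            print("  finding:", finding)
        print("  fix:", remediation(attrs) or "none needed")
```

Run it as-is to see the installed default produce three findings and the command CHGDDMTCPA PWDRQD(*USRENCPWD) ENCALG(*AES), while the hardened row produces none. To audit a fleet, replace SAMPLE_ROWS with the rows returned by the query above for each system.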