Server security in a TCP/IP network
The TCP/IP server has a default security of user ID with clear-text password. This means that, as the server is installed, inbound TCP/IP connection requests must have at least a clear-text password accompanying the user ID under which the server job is to run.
The security can be changed either with the Change DDM TCP/IP Attributes (CHGDDMTCPA) command or in System i Navigator. You must have *IOSYSCFG special authority to change this setting. Additionally, you must have *SECADM and *ALLOBJ special authorities to modify the PWDRQD parameter.
The CHGDDMTCPA prompt display looks like this:

    Change DDM TCP/IP Attributes (CHGDDMTCPA)

    Type choices, press Enter.

    Autostart server . . . . . . . .   *YES       *SAME, *NO, *YES
    Lowest authentication method . .   *VLDONLY   *SAME, *USRID, *VLDONLY...
    Lowest encryption algorithm  . .   *DES       *SAME, *DES, *AES

                                                                    Bottom
    F3=Exit   F4=Prompt   F5=Refresh   F12=Cancel   F13=How to use this display
    F24=More keys
These settings can be used for setting the lowest authentication method allowed by the server:
- PWDRQD(*USRID): Password is not required.
- PWDRQD(*VLDONLY): Password is not required, but must be valid if sent.
The difference between *USRID and *VLDONLY is that if a password is sent from a client system, it is ignored in the *USRID option. In the *VLDONLY option, however, if a password is sent, the password is validated for the accompanying user ID, and access is denied if incorrect.
Encrypted user ID and password (PWDRQD(*ENCUSRPWD)), encrypted password required (PWDRQD(*USRENCPWD)), and Kerberos (PWDRQD(*KERBEROS)) can be used for higher security levels. If Kerberos is used, user profiles must be mapped to Kerberos principals using Enterprise Identity Mapping (EIM).
The following example shows the use of the Change DDM TCP/IP Attributes (CHGDDMTCPA) command to specify that an encrypted password must accompany the user ID. To set this option, enter:
CHGDDMTCPA PWDRQD(*USRENCPWD)
These settings can be used for setting the lowest encryption algorithm allowed by the server for encrypted authentication methods:
- ENCALG(*AES): Only the Advanced Encryption Standard (AES) encryption algorithm will be allowed.
- ENCALG(*DES): The Data Encryption Standard (DES) encryption algorithm or a higher-strength encryption algorithm will be allowed.
The following example shows the use of the Change DDM TCP/IP Attributes (CHGDDMTCPA) command to specify that AES encryption must be used to authenticate to the server with encrypted authentication methods. To set this option, enter:
CHGDDMTCPA ENCALG(*AES)
ENCALG(*DES) and ENCALG(*AES) determine the lowest encryption algorithm level that the server will accept for encryption of the user ID or password; they do not encrypt the rest of the session. If you want all data to be encrypted, use SSL, which encrypts all data over the network and supports a variety of encryption types. The encryption methods used for the user ID and password are:
- Password substitute algorithm
- Diffie-Hellman public key algorithm (56-bit *DES or 256-bit *AES)
- A strong password substitute algorithm
The following example shows how to verify the CHGDDMTCPA command settings via SQL:

    SELECT
      CASE
        WHEN AUTOSTART = '*YES' THEN '*YES'
        ELSE '*NO' END AS "Autostart server",
      -- The high three bits of DBXRSEC (mask X'E0') encode PWDRQD
      CASE
        WHEN LAND(DBXRSEC, X'E0') = X'00' THEN '*USRID'
        WHEN LAND(DBXRSEC, X'E0') = X'20' THEN '*VLDONLY'
        WHEN LAND(DBXRSEC, X'E0') = X'40' THEN '*USRIDPWD'
        WHEN LAND(DBXRSEC, X'E0') = X'C0' THEN '*USRENCPWD'
        WHEN LAND(DBXRSEC, X'E0') = X'80' THEN '*ENCUSRPWD'
        WHEN LAND(DBXRSEC, X'E0') = X'A0' THEN '*KERBEROS'
        ELSE '*UNKNOWN' END AS "Lowest authentication method",
      -- The low bit of DBTFLGS (mask X'01') encodes ENCALG
      CASE
        WHEN LAND(DBTFLGS, X'01') = X'01' THEN '*AES'
        ELSE '*DES' END AS "Lowest encryption algorithm"
    FROM qsys.qadbxrdbd, QATOCSTART
    WHERE DBXRMTN = '*LOCAL' AND SERVER = '*DDM'

QATOCSTART is left unqualified here, so it is resolved through the job's library list.
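The bit masks in the query above are easy to get wrong when read by hand, and the PWDRQD and ENCALG sections earlier on this page describe which values a reviewer should treat as weak. The following Python script is an added example, not IBM's code and not part of the original page: it reproduces the LAND(DBXRSEC, X'E0') and LAND(DBTFLGS, X'01') decoding in plain integer arithmetic and then applies the page's ranking (no password, clear-text password, encrypted password, DES versus AES) to a few constructed sample rows, so the result of the SQL can be checked offline. The byte values in the sample rows are constructed for illustration, not captured from a real system.

```python
"""Decode DDM TCP/IP server security attributes and flag weak settings.

Added example (not IBM's code). The masks mirror the SQL on the page:
the high three bits of DBXRSEC select the lowest authentication method
(PWDRQD) and the low bit of DBTFLGS selects the lowest encryption
algorithm (ENCALG). Sample rows below are constructed, not real data.
"""

# CASE branches of the page's SQL: LAND(DBXRSEC, X'E0') -> PWDRQD value.
AUTH_METHODS = {
    0x00: "*USRID",
    0x20: "*VLDONLY",
    0x40: "*USRIDPWD",
    0xC0: "*USRENCPWD",
    0x80: "*ENCUSRPWD",
    0xA0: "*KERBEROS",
}

# Methods for which ENCALG governs how the password is encrypted on the wire.
ENCRYPTED_PASSWORD_METHODS = {"*USRENCPWD", "*ENCUSRPWD"}


def decode_auth_method(dbxrsec: int) -> str:
    """Equivalent of LAND(DBXRSEC, X'E0') followed by the CASE lookup."""
    return AUTH_METHODS.get(dbxrsec & 0xE0, "*UNKNOWN")


def decode_enc_alg(dbtflgs: int) -> str:
    """Equivalent of LAND(DBTFLGS, X'01'): bit set means *AES, else *DES."""
    return "*AES" if dbtflgs & 0x01 else "*DES"


def audit(dbxrsec: int, dbtflgs: int) -> dict:
    """Decode one row and list the settings a reviewer would want raised.

    The ranking follows the page: *USRID and *VLDONLY do not require a
    password at all, *USRIDPWD accepts a clear-text password, and
    ENCALG(*DES) lets DES-strength encryption protect the password.
    """
    method = decode_auth_method(dbxrsec)
    alg = decode_enc_alg(dbtflgs)
    findings = []
    if method in ("*USRID", "*VLDONLY"):
        findings.append(
            f"PWDRQD({method}): password not required; "
            "consider CHGDDMTCPA PWDRQD(*USRENCPWD)"
        )
    elif method == "*USRIDPWD":
        findings.append(
            "PWDRQD(*USRIDPWD): clear-text password accepted; "
            "consider CHGDDMTCPA PWDRQD(*USRENCPWD)"
        )
    elif method == "*UNKNOWN":
        findings.append("DBXRSEC value not recognised; inspect manually")
    if method in ENCRYPTED_PASSWORD_METHODS and alg == "*DES":
        findings.append(
            "ENCALG(*DES): DES-strength password encryption accepted; "
            "consider CHGDDMTCPA ENCALG(*AES)"
        )
    return {"pwdrqd": method, "encalg": alg, "findings": findings}


# Constructed sample rows (DBXRSEC, DBTFLGS); low bits of DBXRSEC are
# deliberately non-zero to show that the X'E0' mask discards them.
SAMPLE_ROWS = [
    ("default install", 0x4F, 0x00),
    ("encrypted password, DES floor", 0xC3, 0x00),
    ("encrypted password, AES floor", 0xC3, 0x01),
    ("kerberos", 0xA0, 0x01),
]


def audit_samples() -> list:
    """Run the audit over the constructed rows and return the results."""
    return [(label, audit(sec, flg)) for label, sec, flg in SAMPLE_ROWS]


if __name__ == "__main__":
    for label, result in audit_samples():
        print(f"{label}: PWDRQD={result['pwdrqd']} ENCALG={result['encalg']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

To use this against a live system, feed the raw DBXRSEC and DBTFLGS bytes returned by the page's SQL into audit(); the function only needs the two integers, so it can also be pointed at values exported from the database without running SQL on the server itself.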