The IBM i platform provides comprehensive solution capabilities for a highly secure system environment. Sophisticated technologies combine to minimize the potential risk posed by security threats, while better enabling you to rapidly adapt and respond to changing security policy requirements.
Industry unique, virus-resistant, object-based architecture.

• Integrated security features
• System monitoring and management capabilities
• World-class ISV security portfolio

IBM i is considered one of the most secure systems in the industry. Read more about the security features, Business Partner security solutions for IBM i, and exciting recent enhancements in security.

Built-in IBM i

Built-in tools

Over the last two decades the IBM i platform has built its reputation as a secure system. For companies that rely on IBM i for operations, it may come as a surprise that most of what is needed to comply technologically is already sitting in their computer rooms. The IBM i operating system comes equipped with tools for securing, monitoring, and logging built right in.

Built-in security

IBM i provides excellent object level security features to control access to resources--who can read a particular file, for example. These security features are built into every IBM i system, whether you use them or not.

IBM i can provide field-level security as well. You may need tools to supplement the built-in IBM i security, such as restricting access during certain time periods, or allowing users to read a particular file but not to download it. Take the time to learn what you have, and how it can be used for your organization.

Built-in logging

Also provided with IBM i are excellent logging facilities to track the activity occurring on the system–The Security Audit journal, the System History Log, Message Queues, and Journals, just to name a few. Many activities are automatically logged, such as when particular users sign on and off, and you can enable additional logging for many other types of activities as well. These logs provide a detailed accountability to what is occurring on the IBM i system. These logs can be monitored proactively to identify potential problems, or post-mortem to trace a particular problem.

Built-in monitoring

Lastly, in the area of monitoring, the IBM i system provides good tools for keeping tabs on the health and status of your system--including security related events. IBM i Navigator can monitor messages and logs for specific events and notify an administrator when a particular condition occurs. Depending on your needs, you may want to supplement the IBM i monitoring tools to provide additional features, such as problem escalation, or scheduling of specific types of alerts to different groups of people.



• IBM i EAL4+ CAPP certified
• Integrated audit capabilities (monitoring users and access to data objects)
• DB2 Row and Column Access Control
• Authority Collection - securing your sensitive data files

Data and information

• Cryptographic capabilities integrated in the base OS
• Support for backup encryption
• Support for disk level encryption
• IBM Hardware Cryptographic Coprocessor

People and identity

• Enterprise identify mapping to enable single sign-on
• Integrated User, Group and authority management
• Support for long passwords and Pass Phrase

Applications and processes

• Integrity features to ensure separation between the system, users and applications


• System integrity controls (HW storage protection)
• Digitally signed Firmware, Licensed internal code, operating system, PTFs and program products (the entire software stack)
• Integrated Intrusion Detection and Prevension support


• Integrated Secure Sockets Layer
• Integrated Virtual Private Network support
• Integrated IP filtering support
• Integrated IPv4 and IPv6 support
• Network Authentication Services: Kerberos and Secure Shell


Authority Collection — Authority collection is a capability that is provided as part of the IBM i 7.3 base operating system. Authority collection captures data that is associated with the run-time authority checking that is built into the IBM i system. This data is logged to a repository provided by the system and interfaces are available to display and analyze the authority data. The intent of this support is to assist the security administrator and application provider in securing the objects within the application with the lowest level of authority that is required to allow the application to run successfully. See Chapter 10 of the Security Reference .pdf in the knowledge center for details.

Cryptography — The cryptographic hardware adds highly secure cryptographic processing capability to your server. It also includes encryption and digital signatures.

Database Row and Column Access Control — Row and column access control (RCAC) provide a data-centric alternative to achieve data security. RCAC places access control at the table level around the data itself. SQL rules that are created on rows and columns are the basis of the implementation of this capability.

Digital certificate manager — Use digital certificates and the Secure Sockets Layer (SSL) to enable secure communications for many applications. With Digital Certificate Manager, a feature for IBM i™, you can manage digital certificates for your network.

Enterprise Identity Mapping — Enterprise Identity Mapping (EIM) is a technology for mapping identities within an enterprise. You can use EIM to create one-to-one mappings between individual user identities or for creating many-to-one mappings between a group of user identities in one user registry and a single user identity in another user registry.

Intrusion detection — Intrusion detection involves gathering information about unauthorized access attempts and attacks coming in over the TCP/IP network. Security administrators can analyze the auditing records that intrusion detection provides to secure the IBM i network from these types of attacks.

IP filtering and network address translation — Included here is information that you need to use the packet rules function to control and monitor TCP/IP traffic into and out of your server. Also, use NAT to hide private IP addresses behind a registered, public IP address.

Network authentication service — With network authentication service, you can configure your server to participate in a Kerberos network. Also when network authentication is used with Enterprise Identity Mapping (EIM), it provides administrators with a way to enable a single sign-on environment in their networks.

Object signing and signature verification — IBM i object signing and signature verification security capabilities gives you the ability to ensure the integrity of objects. Learn how to use one of several methods for creating digital signatures on objects to identify the source of the object and provide a means for detecting changes to the object.

Plan and set up security — Plan and set up for the IBM i platform provides you with detailed information about planning, setting up, and using your system security.

Secure sockets layer — Configure secure sockets layer (SSL) to secure communications for many popular applications, such as IBM i Access, Telnet, IBM® HTTP Server for i, and others.

Service tools user ID's and passwords — Service tools user ID's and password allows you to control access to dedicated service tools (DST) or system service tools (SST). Service tools user IDs are required to access DST, SST, and to use the Navigator for i functions for logical partition (LPAR) management and disk unit management.

Single sign-on — Single sign-on uses network authentication service for authentication and Enterprise Identity Mapping (EIM) to map from one user identity to another user identity; for example, you can map from an authenticated Windows user identity to an appropriate IBM i user profile for authorization purposes.

Virtual private networking — Find information about how to set up a virtual private network (VPN), which allows your company to securely extend its private intranet over a public network, such as the Internet.

Business Partner security solutions

IBM i has many business partners that provide additional solutions to augment the native security that is built into the IBM i operating system. These partners specialize in encryption solutions, network security solutions as well as solutions to manage and report on the security configuration of your IBM i server. Here is the list of business partners that specialize in IBM i security.

* All links with an asterisk reside outside of

IBM i Knowledge Center

Find detailed answers to your IBM i security questions

Data encryption

Data encryption within the drive itself

Lab services

Let us address the unique aspects and requirements of your security concerns