IBM Support

Navigator for i - Security



Learn about the many security considerations and options for securing IBM Navigator for i.


​You are in: IBM i Technology Updates  > Navigator for i > Security
In today's world, security is a key focus for everyone.  Security entails running applications that are secure and free of vulnerabilities, encrypted communications from point to point, and ensuring that unauthorized users are not allowed to manage and access information and features on the IBM i.   The IBM Navigator was created from the ground up with focus on all security areas at the center of the design and implementation. 

User Access
When a user connects to Navigator, an IBM i user profile and password is required.  This sign-in authorization is the first line of security for authority and authorization. Navigator is then running as that user; and can only access and manage those areas that the profile is authorized to do.   As Navigator is intended to be a client where you can point to and manage many IBM i endpoint nodes, each endpoint also requires a specific user and password for access.  There are multiple ways that you can configure Navigator for each user to provide that endpoint user and password. Details on these options can be found at:
Function Usage
Navigator runs on each endpoint node as the user that was provided for that specific IBM i. Navigator will ensure that a user is not allowed to access or manage more than they are authorized too. This is good.  But in addition, some administrators find the need to add extra restrictions for various functional areas. Additional restrictions can be easily handled with Function Usage IDs.  A user profile may need to be added to a specific function usage ID to access that functional area.  By not adding a user profile to a function usage ID, that profile is restricted from that functional area.  In previous version of Navigator, this interface was called Application Administration; but behind the scenes it was built on the function usage ID support.  Today with the new Navigator we are simply naming it Function Usage.
Note: Today there exist 72 function usage IDs that were created to restrict and control various features and functions within the Old Windows Navigator Client, Management Central support, original web Navigator, and Access client solutions.  After discussions with industry security experts, we created a new simplified set of IDs instead of trying to determine a remapping of these function usage IDs into the functions for the new Navigator. Details on these new function usage IDs can be found at: 
Encryption support
There are multiple connection points in Navigator to consider.  Each can (and should) be encrypted to ensure the highest levels of security. Users connect to IBM Navigator by using a web browser on the PC or mobile device of their choice. By default, Navigator ships non-encrypted. It is recommended that users enable encryption by leveraging their own companies certificate.
Additionally, users can then connect from this initial IBM i to many other IBM i endpoint nodes. The user can enable encryption between each of these endpoints.  For details on how to configure encryption by using TLS, see: 

Cryptographic Services

The IBM Navigator for i GUI interface and the IBM Db2 Mirror GUI interface have a requirement for strong encryption. Users can store user profile passwords for authentication to IBM i endpoint nodes encrypted in a user preference resource file.  For users that are connecting from the GUI interface to the IBM i endpoint nodes by using a secure connection (TLS encryption), the certificates are stored in the Web Truststore, and they are also encrypted.  
IBM i Cryptographic services are leveraged for encryption key management in both the Navigator for i and Db2 Mirror GUI interfaces.
MasterKey 1 is being used to secure keys and must be loaded and set correctly.

[{"Type":"MASTER","Line of Business":{"code":"LOB57","label":"Power"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"ARM Category":[{"code":"a8m0z0000000CH1AAM","label":"IBM Navigator for i"}],"Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.3.0;7.4.0;and future releases"}]

Document Information

Modified date:
09 June 2022