IBM Support

Navigator for i - Security

News


Abstract

Learn about the many security considerations and options for securing IBM Navigator for i.

Content

 
 
Security
In today's world, security is a key focus for everyone.  Security entails running applications that are secure and free of vulnerabilities, encrypted communications from point to point, and ensuring that unauthorized users are not allowed to manage and access information and features on the IBM i.   The IBM Navigator was created from the ground up with focus on all security areas at the center of the design and implementation. 
 
 
 
 
User Access
When a user connects to Navigator, an IBM i user profile and password is required.  This sign-in authorization is the first line of security for authority and authorization. Navigator is then running as that user; and can only access and manage those areas that the profile is authorized to do.   As Navigator is intended to be a client where you can point to and manage many IBM i endpoint nodes, each endpoint also requires a specific user and password for access.  There are multiple ways that you can configure Navigator for each user to provide that endpoint user and password. Details on these options can be found at:
 
 
 
 
Function Usage
Navigator runs on each endpoint node as the user that was provided for that specific IBM i. Navigator will ensure that a user is not allowed to access or manage more than they are authorized too. This is good.  But in addition, some administrators find the need to add extra restrictions for various functional areas. Additional restrictions can be easily handled with Function Usage IDs.  A user profile may need to be added to a specific function usage ID to access that functional area.  By not adding a user profile to a function usage ID, that profile is restricted from that functional area.  In previous version of Navigator, this interface was called Application Administration; but behind the scenes it was built on the function usage ID support.  Today with the new Navigator we are simply naming it Function Usage.
 
Note: Today there exist 72 function usage IDs that were created to restrict and control various features and functions within the Old Windows Navigator Client, Management Central support, original web Navigator, and Access client solutions.  After discussions with industry security experts, we created a new simplified set of IDs instead of trying to determine a remapping of these function usage IDs into the functions for the new Navigator. Details on these new function usage IDs can be found at: 
 
 
 
Encryption support
 
There are multiple connection points in Navigator to consider.  Each can (and should) be encrypted to ensure the highest levels of security. Users connect to IBM Navigator by using a web browser on the PC or mobile device of their choice. By default, Navigator ships non-encrypted. It is recommended that users enable encryption by leveraging their own companies certificate.
 
Additionally, users can then connect from this initial IBM i to many other IBM i endpoint nodes. The user can enable encryption between each of these endpoints.  For details on how to configure encryption by using TLS, see: 
 
 
 
 

Cryptographic Services

The IBM Navigator for i GUI interface and the IBM Db2 Mirror GUI interface have a requirement for strong encryption. Users can store user profile passwords for authentication to IBM i endpoint nodes encrypted in a user preference resource file.  For users that are connecting from the GUI interface to the IBM i endpoint nodes by using a secure connection (TLS encryption), the certificates are stored in the Web Truststore, and they are also encrypted.  
 
IBM i Cryptographic services are leveraged for encryption key management in both the Navigator for i and Db2 Mirror GUI interfaces.
 
MasterKey 1 is being used to secure keys and must be loaded and set correctly.
 

Cryptographic Services for Password Management in Navigator and Db2 Mirror

 
Manage Master Key

#ManageMasterKey

 
  • The GUI is leveraging encryption to secure passwords when needed. The encryption keys are being protected by IBM Cryptographic Services for i.
  • Master key 1 must be loaded and set for the GUI to save and encrypt user credentials - if that choice is made for a user Authentication preference ("Prompt for login information and store it for future use")
  • Users with *ALLOBJ and *SECADM special authorities are allowed to load and set Master key 1 within IBM Cryptographic Services for i or using IBM Navigator :
    • Click on Serviceability, Connection Properties, then the Cryptographic Services tab to load and set master key 1.
  • Manage Master Keys can be found through Navigator at Security > Cryptographic Key Services Management > Manage Master Keys
The places that Master Key 1 are currently used in Navigator and are required to be set are:
  • To save the user and password information in an encrypted file under Authentication method #3
  • To start the System Debugger > Debug Service,  Master Key must be set.  Also:
    • QSECOFR (or QSECOFR_NC on IBM i 7.6) cannot be disabled (and password not expired).  
    • The QDBGSRV user profile must be enabled
  • Cryptographic Services
  • To configure Open Authentication for SMTP.  Using SMTP > Properties (coming in Q2 2026).  CHGSMTPA requires this.  The Save/Restore master key must also be set.
  • Setting master key 1 is no longer used for Navigator encryption of the Web Truststore. 
 
Authentication Method #3
If you use Authentication method #3 where we save the user and password information in an encrypted file you will see warnings if Master Key 1 is not set.  

Note:  A user without ALLOBJ authority will not be able to use Authentication Method 3 (saving passwords in encrypted file with Master Key 1) when QSECOFR (QSECOFR_NC on IBM i 7.6) is disabled (or pw expired). This option will be unselected for a basic user when signed in.

Authentication

 

 

Prompt for login information and store it for future use

The GUI will save the user and password information in an encrypted file. This provides a convenient way for users to work with and manage many nodes, but is not suitable for secure environments.

Load and set master key 1

Load and Set Cryptographic Services Master Key 1

IBM Cryptographic Services for i is used to protect the encryption keys in Navigator. Master key 1 must be loaded and set. Currently, it is not available on the GUI node. Without the support, the passwords and accepted CA certificates will not be stored and you need to input passwords and accept CA certificates for TLS enabled nodes again for every sign in until master key 1 is set and the passwords and the Web trust store can be properly encrypted and stored for future access.

The load master key operation takes a passphrase as input. It is hashed and then loaded into the new version. To activate the new master key value, the set operation is required. The user must have *ALLOBJ and *SECADM special authorities to load and set a master key. Note, you should write down the passphrase for the master key and store them securely. Load and Set a master key impacts all products using this master key.

If you continue and do not set it, you will get this warning:
warning Master Key 1 required

Master key not loaded:

The GUI is leveraging encryption to secure passwords. The encryption keys are being protected by IBM Cryptographic Services for i. Master key 1 must be loaded and set and is not currently set on the GUI node. Users with *ALLOBJ and *SECADM special authority are allowed to load and set Master key 1 within Navigator > Serviceability > Connection Properties > Cryptographic Services. If you continue Canceling this request, CA certificates for TLS connections and user passwords can not be saved. Users will be prompted for these values every time until the files can be correctly encrypted. Click 'Yes' to cancel.

[{"Type":"MASTER","Line of Business":{"code":"LOB68","label":"Power HW"},"Business Unit":{"code":"BU070","label":"IBM Infrastructure"},"Product":{"code":"SWG60","label":"IBM i"},"ARM Category":[{"code":"a8m0z0000000CH1AAM","label":"IBM Navigator for i"}],"Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.3.0;7.4.0;and future releases"}]

Document Information

Modified date:
30 March 2026

UID

ibm16486307

Page Feedback