
Navigator for i - Security

Abstract

Learn about the many security considerations and options for securing IBM Navigator for i.

Content

Security
In today's world, security is a key focus for everyone. Security entails running applications that are secure and free of vulnerabilities, encrypting communications from point to point, and ensuring that unauthorized users cannot manage or access information and features on the IBM i. IBM Navigator was created from the ground up with all of these security areas at the center of its design and implementation.

User Access
When a user connects to Navigator, an IBM i user profile and password are required. This sign-in is the first line of security for authentication and authorization. Navigator then runs as that user and can only access and manage the areas that the profile is authorized to. Because Navigator is intended to be a client from which you can point to and manage many IBM i endpoint nodes, each endpoint also requires a specific user and password for access. There are multiple ways to configure Navigator so that it supplies that endpoint user and password for each user. Details on these options can be found at:

Function Usage
Navigator runs on each endpoint node as the user that was provided for that specific IBM i, and it ensures that a user cannot access or manage more than they are authorized to. Some administrators, however, need to add extra restrictions for various functional areas. Additional restrictions can be handled with Function Usage IDs. A user profile may need to be added to a specific function usage ID to access that functional area; by not adding a user profile to a function usage ID, that profile is restricted from that area. In previous versions of Navigator, this interface was called Application Administration, but behind the scenes it was built on the function usage ID support. In the new Navigator it is simply named Function Usage.
Note: Today there are 72 function usage IDs that were created to restrict and control various features and functions within the old Windows Navigator client, Management Central support, the original web Navigator, and Access Client Solutions. After discussions with industry security experts, we created a new, simplified set of IDs instead of trying to remap these existing function usage IDs onto the functions of the new Navigator. Details on these new function usage IDs can be found at:
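The following is an added example, not part of the IBM page, showing how an administrator can audit and restrict a function usage ID from SQL rather than the Navigator GUI. It uses the IBM i services QSYS2.FUNCTION_INFO and QSYS2.FUNCTION_USAGE and the QSYS2.QCMDEXC procedure to run the CHGFCNUSG command. The function ID QIBM_NAV_EXAMPLE and the profile NAVADMIN are placeholders; the real Navigator function usage IDs are documented by IBM separately.

```sql
-- Added example (not from the IBM page): audit and change a Function Usage
-- entry from SQL. 'QIBM_NAV_EXAMPLE' and 'NAVADMIN' are placeholders.

-- 1. Default behaviour of the function: what happens when no explicit entry
--    exists for a user, and whether *ALLOBJ special authority bypasses the check.
SELECT FUNCTION_ID, FUNCTION_NAME, DEFAULT_USAGE, ALLOBJ_INDICATOR
  FROM QSYS2.FUNCTION_INFO
 WHERE FUNCTION_ID = 'QIBM_NAV_EXAMPLE';

-- 2. Explicit per-user and per-group entries registered for that function.
SELECT FUNCTION_ID, USER_NAME, USER_TYPE, USAGE
  FROM QSYS2.FUNCTION_USAGE
 WHERE FUNCTION_ID = 'QIBM_NAV_EXAMPLE'
 ORDER BY USAGE, USER_NAME;

-- 3. Restrict the functional area: deny everyone by default, then allow one
--    named administrator profile (the "add the profile to the ID" step above).
CALL QSYS2.QCMDEXC('CHGFCNUSG FCNID(QIBM_NAV_EXAMPLE) DFTUSAGE(*DENIED)');
CALL QSYS2.QCMDEXC('CHGFCNUSG FCNID(QIBM_NAV_EXAMPLE) USER(NAVADMIN) USAGE(*ALLOWED)');

-- 4. Verify: the intended administrator should be the only ALLOWED entry.
SELECT USER_NAME, USER_TYPE, USAGE
  FROM QSYS2.FUNCTION_USAGE
 WHERE FUNCTION_ID = 'QIBM_NAV_EXAMPLE'
   AND USAGE = 'ALLOWED';
```

Step 1 matters because a function whose default usage is ALLOWED restricts nobody until the default is changed; step 3 flips the default to DENIED first so that the explicit ALLOWED entry is the only way in.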

Encryption support
There are multiple connection points in Navigator to consider. Each can (and should) be encrypted to ensure the highest level of security. Users connect to IBM Navigator by using a web browser on the PC or mobile device of their choice. By default, Navigator ships non-encrypted; it is recommended that users enable encryption by using their own company's certificate.
Additionally, users can connect from this initial IBM i to many other IBM i endpoint nodes, and encryption can be enabled between each of these endpoints. For details on how to configure encryption by using TLS, see:

Cryptographic Services

The IBM Navigator for i GUI interface and the IBM Db2 Mirror GUI interface require strong encryption. Users can store user profile passwords for authentication to IBM i endpoint nodes, encrypted, in a user preference resource file. For users that connect from the GUI interface to the IBM i endpoint nodes by using a secure connection (TLS encryption), the certificates are stored in the Web Truststore, and they are also encrypted.
IBM i Cryptographic Services are used for encryption key management in both the Navigator for i and Db2 Mirror GUI interfaces.
Master key 1 is used to secure these keys and must be loaded and set correctly.

Cryptographic Services for Password Management in Navigator and Db2 Mirror

Manage Master Key
  • The GUI uses encryption to secure passwords when needed. The encryption keys and the key to the Web trust store are protected by IBM Cryptographic Services for i.
  • Master key 1 must be loaded and set for the GUI to save and encrypt user credentials, if that choice is made in a user's Authentication preference.
  • Users with *ALLOBJ and *SECADM special authorities are allowed to load and set Master key 1 within IBM Cryptographic Services for i or by using IBM Navigator:
  • Click Serviceability, Connection Properties, then the Cryptographic Services tab to load and set master key 1.
  • Manage Master Keys can be found in Navigator at Security > Cryptographic Key Services Management > Manage Master Keys.
  • Any data (passwords and CA certificates) in the trust store is encrypted.
If you use Authentication method #3, where the user and password information is saved in an encrypted file, you will see warnings if Master Key 1 is not set.
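Because only profiles holding both *ALLOBJ and *SECADM can load and set master key 1, an administrator will usually want to know exactly which profiles that is. The following is an added example, not part of the IBM page, that lists them from the IBM i service QSYS2.USER_INFO. It assumes the SPECIAL_AUTHORITIES column holds a blank-separated list of special authorities and that GROUP_PROFILE_NAME and SUPPLEMENTAL_GROUP_LIST name the profile's groups.

```sql
-- Added example (not from the IBM page): find every profile that can load and
-- set master key 1, i.e. holds both *ALLOBJ and *SECADM.
-- Assumes QSYS2.USER_INFO exposes SPECIAL_AUTHORITIES as a blank-separated list.

-- 1. Profiles that hold both special authorities directly.
SELECT AUTHORIZATION_NAME, STATUS, SPECIAL_AUTHORITIES
  FROM QSYS2.USER_INFO
 WHERE SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
   AND SPECIAL_AUTHORITIES LIKE '%*SECADM%'
 ORDER BY AUTHORIZATION_NAME;

-- 2. Profiles that do not hold them directly but inherit them through a
--    group profile that does. These are easy to overlook in a privilege review.
SELECT u.AUTHORIZATION_NAME, u.STATUS,
       g.AUTHORIZATION_NAME AS VIA_GROUP
  FROM QSYS2.USER_INFO u
  JOIN QSYS2.USER_INFO g
    ON g.AUTHORIZATION_NAME = u.GROUP_PROFILE_NAME
    OR u.SUPPLEMENTAL_GROUP_LIST LIKE '%' CONCAT g.AUTHORIZATION_NAME CONCAT '%'
 WHERE g.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
   AND g.SPECIAL_AUTHORITIES LIKE '%*SECADM%'
   AND NOT (u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
            AND u.SPECIAL_AUTHORITIES LIKE '%*SECADM%')
 ORDER BY u.AUTHORIZATION_NAME;
```

The second query is the one worth running before a master key operation: loading and setting a master key affects every product that uses it, so the set of profiles able to do it should be small and deliberate, including profiles that only get there through group membership.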
Authentication


Prompt for login information and store it for future use

The GUI will save the user and password information in an encrypted file. This provides a convenient way for users to work with and manage many nodes, but is not suitable for secure environments.

Load and set master key 1

Load and Set Cryptographic Services Master Key 1

IBM Cryptographic Services for i is used to protect the encryption keys in Navigator. Master key 1 must be loaded and set; currently, it is not available on the GUI node. Without this support, passwords and accepted CA certificates are not stored, and you must enter passwords and accept CA certificates for TLS-enabled nodes again at every sign-in until master key 1 is set and the passwords and Web trust store can be properly encrypted and stored for future access.

The load master key operation takes a passphrase as input. The passphrase is hashed and then loaded into the new version of the master key. To activate the new master key value, the set operation is required. The user must have *ALLOBJ and *SECADM special authorities to load and set a master key. Note: write down the passphrase for the master key and store it securely. Loading and setting a master key impacts all products that use this master key.

If you continue and do not set it, you will get this warning:
Warning: Master Key 1 required

Master key not loaded:

The GUI is leveraging encryption to secure passwords. The encryption keys and key to the Web trust store are being protected by IBM Cryptographic Services for i. Master key 1 must be loaded and set and is not currently set on the GUI node. Users with *ALLOBJ and *SECADM special authority are allowed to load and set Master key 1 within Navigator > Serviceability > Connection Properties > Cryptographic Services. If you continue canceling this request, CA certificates for TLS connections and user passwords cannot be saved. Users will be prompted for these values every time until the files can be correctly encrypted. Click 'Yes' to cancel.

Document Information

Modified date:
11 June 2025

UID

ibm16486307