Security Patrol

IBM i (OS/400, i5/OS)
Security on the Internet

Question: I know that security is needed for the AS/400 when it is serving as a host on the Internet. But I was wondering if there were any risks if the AS/400 was just used as a client, to FTP files to a server, and then immediately logged off. Would this lead to a back door for a hacker to access the AS/400?

Answer: Anytime you put any computer on the Internet, you should take precautionary measures. The answer designed to scare the beans out of you is that Internet access places your computer in a network with every other Internet-enabled computer on the planet. But the realistic answer is that there are a number of effective security measures that you can deploy to mitigate the risk.

To begin with, before you expose any portion of your internal network (AS/400 or otherwise) to the outside world, you should have a firewall in place. A firewall protects your internal networks from unwanted traffic on the external (Internet) network. A good firewall will use technologies such as proxy servers, IP filtering, and Network Address Translation (NAT) to shield the internal configuration of your network from the outside world. Remember that, if a hacker were to penetrate your internal network, he would be more likely to attack systems that he is familiar with and have widely publicized security problems, such as an NT network, than to attack your AS/400. A firewall can help protect against this happening.

In your particular case, your AS/400 is acting as an FTP client rather than as an FTP server, so the majority of the risk is being borne by the system you are connected to. The user profile and password you send (in clear text) are keys to the server system, not to your AS/400. If someone were to intercept your traffic, they may acquire the keys to the remote system, but not to yours.

Your concerns in this exchange are twofold. First, while your AS/400 is connected to the Internet, any TCP/IP service that your AS/400 has active is subject to attack. Even though you are acting as an FTP client, if you have started the FTP server, someone could attempt to use it. Your firewall, exit programs, intrusion detection system, and strong password policies can all protect you against this eventuality.

Your second concern is for the security of that remote system. Spend some time to get familiar with the people from whom you will be receiving data. If their system can easily be compromised, the data that you seek could easily be altered or disclosed without your or the remote system’s knowledge. The relative importance of the data (to your organization) will help you determine how big a problem these types of security compromises are.

Looking Up User Passwords

Question: Is it possible to look up an AS/400 user’s password within the system?

Answer: For the longest time, everyone thought that the answer was no. But in June of this year, an enterprising programmer posted a 17-line RPG program in an Internet forum that would allow viewing of the data space associated with the QDSIGNON screen. This program would give an unscrupulous programmer the ability to view, in clear text, the user name and password of the last user that signed on to the system. IBM quickly released PTFs that fix this problem for all supported (and several unsupported) releases. You are strongly urged to load these PTFs or their successors onto your system. The PTFs and their releases are the following:
V4R5M0—SF62896
V4R4M0—SF62895
V4R3M0—SF62894
V4R2M0—SF62946
V4R1M4—SF62945
V4R1M0—SF62944
V3R2M0—SF62947

After you apply the PTFs, you will have to terminate and restart your interactive subsystem, so you’ll likely want to plan this for off hours. If you’re concerned that your system may be compromised, you may also want to force users to reset their passwords.

At this writing, I am not aware of any plans to issue PTFs for any other release. If you’re currently running any other release, this issue alone should be reason enough to move forward.

Verifying IBM Objects

Question: One of my customers has two AS/400s that are both at V4R3. There is a user profile called QSECADM on both boxes, which has security officer rights. The operator claims it is IBM-supplied, but none of my other customers has this user profile. Is QSECADM IBM-supplied?

Answer: You are right to be suspicious of this profile. If a shady character were to plant a Trojan horse on a system, he’d likely name it Q-something and place it in library QSYS. Finding out if an object is IBM-supplied is really not that difficult, and you have a couple of different resources. User profiles are the easiest. IBM provides a list of all IBM-supplied user profiles in Appendix B of the OS/400 Security - Reference V4R3 (SC41-5302-02, CD-ROM QB3ALC02). A quick scan of that list shows no QSECADM profile.

Another source of information about the origin of an object is the Display Object Description (DSPOBJD) command. A DSPOBJD command shows a wealth of information including the object-creation date and time, the user who created the object, and the system name where the object was created. If you displayed the object descriptions for all of the objects in library QSYS, you’d see that the overwhelming majority of objects were created by user *IBM on system 00000000—a pretty strong indication these objects were created as part of the OS/400 release build. An object created on your own system by user MALLET would be a little more suspect.


A word of caution is in order. Just because an object was not created by user *IBM on system 00000000 does not prove conclusively that this object is not part of the operating system. Many times PTFed objects are created by other user profiles (typically QSECOFR) and bear the actual system name of the IBM system they were created on. If the user and the system are other than *IBM and 00000000, further investigation is warranted.

A quick check of your system can be done by displaying all of the objects in QSYS to an outfile and then querying the outfile for objects that were not created by a user (a field named ODCRTU) that is associated with IBM. I ran such a query on my V4R3 system and found that QSYS contained 14,060 objects, 13,756 of which were created by user *IBM, QSYS, or QLPINSTALL (the license-management installation profile). Once the list was whittled down, it was relatively easy to scan the remaining 304 objects and verify their authenticity.
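The outfile-and-query check described above, written out as an added CL example (not code from the column). It assumes the QADSPOBJ outfile fields ODCRTU (creating user) and ODSYSN (creating system) and uses OPNQRYF for the selection; the file names QTEMP/QSYSOBJ and QTEMP/SUSPECT are hypothetical.

```cl
/* Added example: list QSYS objects whose creator is not one of the IBM   */
/* profiles named in the text, or whose creating system is not 00000000.  */
PGM
   /* Every object in QSYS; DETAIL(*FULL) fills in the creation fields   */
   DSPOBJD    OBJ(QSYS/*ALL) OBJTYPE(*ALL) DETAIL(*FULL) +
                OUTPUT(*OUTFILE) OUTFILE(QTEMP/QSYSOBJ)

   /* Select records to review: creator not *IBM, QSYS or QLPINSTALL,    */
   /* or created on a system other than 00000000. A PTFed object can     */
   /* legitimately match, so this is a review list, not a verdict.       */
   OPNQRYF    FILE((QTEMP/QSYSOBJ)) +
                QRYSLT('(ODCRTU *NE "*IBM" *AND +
                         ODCRTU *NE "QSYS" *AND +
                         ODCRTU *NE "QLPINSTALL") *OR +
                        ODSYSN *NE "00000000"')
   MONMSG     MSGID(CPF0000) EXEC(DO)
      SNDPGMMSG  MSG('Query of QTEMP/QSYSOBJ failed') MSGTYPE(*ESCAPE)
   ENDDO

   /* Materialize the short list for review (QTEMP/SUSPECT is hypothetical) */
   CPYFRMQRYF FROMOPNID(QSYSOBJ) TOFILE(QTEMP/SUSPECT) +
                MBROPT(*REPLACE) CRTFILE(*YES)
   CLOF       OPNID(QSYSOBJ)
ENDPGM
```

Review QTEMP/SUSPECT with RUNQRY or DSPPFM; on the system described above it would hold a few hundred records rather than fourteen thousand.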

Adopting Authority in the AS/400 IFS

Question: I have a file in my own directory in the AS/400 Integrated File System (AS/400 IFS) called DGH004. I own and have *ALL authority to this file. *PUBLIC has *EXCLUDE authority to the file. We have a Java program that adopts QSECOFR authority and reads file DGH004. When I run the program, it works fine. When the users run it, it fails with the message “CPF8A75 - Not authorized to access folder RICK.” What am I doing wrong?

Answer: What you are doing wrong is that you expect authority in the AS/400 IFS to work like it does elsewhere in OS/400. It’s a reasonable expectation, but the facts do not support it. The AS/400 IFS does not support adopted authority, ostensibly because the AS/400 IFS is built to UNIX (POSIX) standards and UNIX does not support the concept of adopted authority. This is a point of some debate. While most variations of UNIX do support adopted authority through the use of something called the “sticky bit,” OS/400 implementations via the AS/400 IFS and QSHELL have not embraced this standard. One argument is that, if the AS/400 IFS supported adopted authority, it would not be POSIX-compliant. A counter argument is that POSIX compliance should be restricted to the QOPENSYS file system, as it is the only one that supports other POSIX standards, such as case sensitivity. While all this is being sorted out, you’ll need to find a workaround for your problem.

Investigate the use of the swap profile APIs, QSYGETPH and QWTSETP. These two APIs work hand in hand and allow you to change the personalities of a job in midstream. The QSYGETPH API performs the validation step to ensure that access to the new profile is authorized. If it is, a 12-character temporary profile handle is generated. The QWTSETP API then takes that 12-character profile handle and uses it to change the identity of the job to a new user profile. You can use the swap profile APIs to change the current user of a job and thereby grant authority that was not already available.
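The swap sequence described above as an added CL example (not code from the column). It assumes the parameter layout of QSYGETPH (user, password, 12-character handle, error code) and QWTSETP (handle, error code), plus QSYRLSPH to release handles; the target profile, the *NOPWD special value (which requires *USE authority to that profile) and the IFS path are assumptions for illustration.

```cl
/* Added example: swap the job to another profile, do the IFS work,       */
/* then swap back and release both handles. &TGTUSR and the path are      */
/* hypothetical; a purpose-built profile with only the authority the     */
/* task needs is a better target than QSECOFR.                            */
PGM
   DCL        &TGTUSR  *CHAR 10 VALUE('QSECOFR')  /* profile to swap to   */
   DCL        &NOPWD   *CHAR 10 VALUE('*NOPWD')   /* needs *USE to it     */
   DCL        &ORGUSR  *CHAR 10                   /* caller's own profile */
   DCL        &ORGHDL  *CHAR 12                   /* handle to swap back  */
   DCL        &TGTHDL  *CHAR 12                   /* handle for &TGTUSR   */
   /* Bytes provided = 0: the APIs signal failures as escape messages     */
   DCL        &ERRCDE  *CHAR 8  VALUE(X'0000000000000000')

   /* 1. Keep a handle for the current user so the swap can be undone     */
   RTVJOBA    CURUSER(&ORGUSR)
   CALL       PGM(QSYS/QSYGETPH) PARM(&ORGUSR &NOPWD &ORGHDL &ERRCDE)

   /* 2. Validate and obtain a handle for the target profile. This is the */
   /*    authorization check: a caller not allowed to use &TGTUSR fails   */
   /*    here, before any identity change has happened.                   */
   CALL       PGM(QSYS/QSYGETPH) PARM(&TGTUSR &NOPWD &TGTHDL &ERRCDE)
   MONMSG     MSGID(CPF0000) EXEC(DO)
      CALL       PGM(QSYS/QSYRLSPH) PARM(&ORGHDL &ERRCDE)
      SNDPGMMSG  MSG('Not authorized to swap to ' *CAT &TGTUSR) +
                   MSGTYPE(*ESCAPE)
   ENDDO

   /* 3. Change the job's current user to &TGTUSR                          */
   CALL       PGM(QSYS/QWTSETP) PARM(&TGTHDL &ERRCDE)

   /* 4. The work that needs &TGTUSR's authority runs here (hypothetical)  */
   CPY        OBJ('/home/RICK/DGH004') TODIR('/tmp')
   MONMSG     MSGID(CPF0000)   /* still swap back if the work fails        */

   /* 5. Swap back and release both handles so the elevated identity does  */
   /*    not outlive the step that needed it                               */
   CALL       PGM(QSYS/QWTSETP) PARM(&ORGHDL &ERRCDE)
   CALL       PGM(QSYS/QSYRLSPH) PARM(&TGTHDL &ERRCDE)
   CALL       PGM(QSYS/QSYRLSPH) PARM(&ORGHDL &ERRCDE)
ENDPGM
```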

REFERENCES AND RELATED MATERIALS

• OS/400 Security Reference. (SC41-5302-03, QB3ALC03.BOO)


John Earl

John Earl is the founder and Director of Technology and Security for The PowerTech Group, a Seattle-area software company that specializes in System i security. He has over 25 years of experience with IBM midrange systems and security, has published numerous articles and columns for industry magazines, and served as a Subject Matter Expert (SME) for Security for COMMON. A highly regarded speaker on OS/400 and i5/OS security, Mr. Earl has presented several hundred iSeries security sessions at industry conferences and user groups all over the world. He is a three-time winner of COMMON's Speaker Excellence award and has also served on the board of directors of COMMON U.S.

He can be reached at 253.872.7788.