We were told that it couldn't be done, but we had been told that before on other matters, and as before we found a way to carry out our plans: we implemented the security for our token-ring network from the AS/400.
We ordered the token-ring hardware when we ordered our AS/400. We had a long-range plan to use the network, and we wanted the security handled on the AS/400. Our regular AS/400 sign-on security already checks the user ID against our company employee master file; if a user is not a current, active employee, he or she cannot sign on. We were able to keep this approach for the network and add a few more security checks on top of it.
We programmed the PC so that when it is turned on it connects to the network and checks whether the AS/400 is available. The user must have authority to use the network, which we check from our naming conventions. At this point the PC ignores the rest of the network logon, and we connect it to the AS/400 through PC Support, which brings up the AS/400 sign-on screen. On that screen the user can key in only a user ID and password, which the AS/400 validates itself. We also use the system feature that varies off the terminal after three invalid sign-on attempts (the QMAXSIGN and QMAXSGNACN system values). If the ID and password are valid, the user ID is then checked against the company employee file, and the terminal is signed off if the user is not an active employee.
Every active employee who signs on sees an individually tailored menu. Within the menu program we check which functions the user is authorized to perform and display menu options for only those functions. Two things are checked here for our network security:
1. Does the user have authority to use the network?
2. Is he or she using a network PC?
Unless both checks are answered yes, the user does not get the menu option to log on to the network. So at this point a user must have a valid user ID and password, must be an active employee, must have authority to use the network, and must be sitting at a network PC.
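One way to code the two menu checks in CL. This is an added example, not the author's menu program or NETWSECCL: it assumes a hypothetical gate object QGPL/NETWGATE, where *USE authority to the object marks a user as allowed on the network, and a hypothetical device naming convention in which the device descriptions of network PCs begin with NET. The article's own checks used its naming conventions; the employee-master lookup already done at sign-on is left out here.

```cl
NETWCHK:    PGM        PARM(&NETOK)
            /* Returned to the menu program: '1' = show the network */
            /* logon option, '0' = hide it.                         */
            DCL        VAR(&NETOK) TYPE(*LGL)
            DCL        VAR(&USER)  TYPE(*CHAR) LEN(10)
            DCL        VAR(&JOB)   TYPE(*CHAR) LEN(10)

            CHGVAR     VAR(&NETOK) VALUE('0')

            /* For an interactive job the job name is the name of   */
            /* the device description the user signed on from.      */
            RTVJOBA    JOB(&JOB) USER(&USER)

            /* Check 1: is this user allowed on the network?        */
            /* Assumed gate object QGPL/NETWGATE stands in for the  */
            /* author's naming-convention test. CPF9802 = not       */
            /* authorized, CPF9801 = object not found.              */
            CHKOBJ     OBJ(QGPL/NETWGATE) OBJTYPE(*DTAARA) AUT(*USE)
            MONMSG     MSGID(CPF9801 CPF9802) EXEC(GOTO CMDLBL(DONE))

            /* Check 2: is the user at a network PC? Assumed        */
            /* convention: network PC device names start with NET.  */
            IF         COND(%SST(&JOB 1 3) *NE 'NET') +
                         THEN(GOTO CMDLBL(DONE))

            /* Both checks passed.                                  */
            CHGVAR     VAR(&NETOK) VALUE('1')

 DONE:      ENDPGM
```

The menu program would CALL NETWCHK PARM(&NETOK) while building the screen and include option 8 only when &NETOK is '1'. Because the authority test is done with CHKOBJ against an object, granting or revoking network access is a GRTOBJAUT or RVKOBJAUT on QGPL/NETWGATE rather than a change to the menu program.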
When the user is signed on to his or her AS/400 menu and is ready to log on to the network, he or she simply selects option 8. Each network PC has a file transfer program on it (using PC Support) that downloads the network file, but this program is started from the AS/400. Let me walk through the network menu program (Figure 1) and explain this.
The menu option program for the network first determines who the user is (RTVJOBA) and then allocates the source member USER in QTXTSRC, the member used for the download (ALCOBJ), monitoring for message CPF1002. That message means the member could not be allocated because another job already holds it, so the program loops back and tries again. (Note that this retry is a tight loop with no delay; it is acceptable only because the member is held for the few seconds the copy and download take.) Next the program copies the user's own network logon program, a PC program kept as a source member named after the user, into member USER (CPYF); if the copy fails with CPF2817, the program branches to END and downloads nothing. Then we make sure the PC Organizer is running (STRPCO), because PC commands cannot be started from the AS/400 without it; if it is already active, the monitored message IWS4010 simply absorbs that condition. STRPCCMD then runs the PC transfer program, which downloads member USER to the PC. Finally we de-allocate the member (DLCOBJ) for the next person to use. Once the download completes, the network logon program runs automatically on the PC and logs the user on to the network. When it finishes, the downloaded file is deleted from the PC, a few more network programs run, and the user sees the network menu.
These procedures add more security to our network. We use the AS/400 feature that limits each user to being signed on at one terminal at a time, and the network allows only one logon per person. The users do not know their network logon ID and password (they are logged on to the network automatically), so they cannot share them with anyone; the network ID and password are different from the AS/400 ID and password. One check to keep in mind: the logon program holding those credentials lives as a source member in QTXTSRC and is downloaded to the PC in readable form before it runs and is deleted, so this holds only as long as users are not authorized to read the QTXTSRC members directly and cannot intercept the downloaded file on the PC; object authority on QTXTSRC should be restricted accordingly. Because users are logged on automatically, they have access only to the data they are authorized to. By educating users that their AS/400 user ID and password control the access to and integrity of all their data on both systems, we make them less likely to share that ID and password with anyone.
We feel that in the future more companies will set up their network security this way. If a user is not an employee of the company, he or she should not have access to data, whether it is on a PC network, an AS/400, or any other hardware. And with this implementation the security is set up and maintained in one place, on the AS/400, which makes it easier to set up and maintain and improves its integrity.
Bruce Knoll Kentwood, Michigan
TechTalk: PC Network Security on the AS/400
Figure 1  Network menu program NETWSECCL

NETWSECCL:  PGM
            DCL        VAR(&USER) TYPE(*CHAR) LEN(10)

            /* Who is signed on? The QTXTSRC member named after    */
            /* the user holds that user's own network logon        */
            /* program.                                            */
            RTVJOBA    USER(&USER)

            /* Serialize use of the shared download member USER.   */
            /* CPF1002 = another job holds it; loop and try again. */
 RETRY:     ALCOBJ     OBJ((*LIBL/QTXTSRC *FILE *EXCLRD USER))
            MONMSG     MSGID(CPF1002) EXEC(GOTO CMDLBL(RETRY))

            /* Copy this user's logon program into member USER.    */
            /* CPF2817 = copy ended in error: skip the download.   */
            CPYF       FROMFILE(*LIBL/QTXTSRC) TOFILE(*LIBL/QTXTSRC) +
                         FROMMBR(&USER) TOMBR(USER) MBROPT(*REPLACE) +
                         FMTOPT(*NOCHK)
            MONMSG     MSGID(CPF2817) EXEC(GOTO CMDLBL(END))

            /* The PC Organizer must be active for STRPCCMD.       */
            /* IWS4010 = already active, which is what we want.    */
            STRPCO     PCTA(*NO)
            MONMSG     MSGID(IWS4010)

            /* Run the PC transfer program; it downloads member    */
            /* USER to the PC, after which the logon program runs. */
            STRPCCMD   PCCMD('RTOPCB C:START > NUL') PAUSE(*NO)

            /* Release the member for the next user. The END label */
            /* was missing from the listing as printed; it is      */
            /* placed here so a failed copy also releases the lock.*/
 END:       DLCOBJ     OBJ((*LIBL/QTXTSRC *FILE *EXCLRD USER))
            ENDPGM