Security on the Internet
Question: I know that security is needed for the AS/400 when it is serving as a host on the Internet. But I was wondering if there were any risks if the AS/400 was just used as a client, to FTP files to a server, and then immediately logged off. Would this lead to a back door for a hacker to access the AS/400?
Answer: Anytime you put any computer on the Internet, you should take precautionary measures. The answer designed to scare the beans out of you is that Internet access places your computer in a network with every other Internet-enabled computer on the planet. But the realistic answer is that there are a number of effective security measures that you can deploy to mitigate the risk.
To begin with, before you expose any portion of your internal network (AS/400 or otherwise) to the outside world, you should have a firewall in place. A firewall protects your internal networks from unwanted traffic on the external (Internet) network. A good firewall will use technologies such as proxy servers, IP filtering, and Network Address Translation (NAT) to shield the internal configuration of your network from the outside world. Remember that, if a hacker were to penetrate your internal network, he would be more likely to attack systems that he is familiar with and have widely publicized security problems, such as an NT network, than to attack your AS/400. A firewall can help protect against this happening.
In your particular case, your AS/400 is acting as an FTP client rather than as an FTP server, so the majority of the risk is being borne by the system you are connected to. The user profile and password you send (in clear text) are keys to the server system, not to your AS/400. If someone were to intercept your traffic, they may acquire the keys to the remote system, but not to yours.
Your concerns in this exchange are twofold. First, while your AS/400 is connected to the Internet, any TCP/IP service that your AS/400 has active is subject to attack. Even though you are acting as an FTP client, if you have started the FTP server, someone could attempt to use it. Your firewall, exit programs, intrusion detection system, and strong password policies can all protect you against this eventuality.
Your second concern is for the security of that remote system. Spend some time to get familiar with the people from whom you will be receiving data. If their system can easily be compromised, the data that you seek could easily be altered or disclosed without
your or the remote systems knowledge. The relative importance of the data (to your organization) will help you determine how big a problem these types of security compromises are.
Looking Up User Passwords
Question: Is it possible to look up an AS/400 users password within the system?
Answer: For the longest time, everyone thought that the answer was no. But in June of this year, an enterprising programmer posted a 17-line RPG program in an Internet forum that would allow viewing of the data space associated with the QDSIGNON screen. This program would give an unscrupulous programmer the ability to view, in clear text, the user name and password of the last user that signed on to the system. IBM quickly released PTFs that would fix this problem for all supported (and several nonsupported) releases. You are strongly urged to load these PTFs or their successors to your system. The PTFs and their releases are the following:
After you apply the PTFs, you will have to terminate and restart your interactive subsystem, so youll likely want to plan this for off hours. If youre concerned that your system may be compromised, you may also want to force users to reset their passwords.
At this writing, I am not aware of any plans to issue PTFs for any other release. If youre currently running any other release, this issue alone should be reason enough to move forward.
Verifying IBM Objects
Question: One of my customers has two AS/400s that are both at V4R3. There is a user profile called QSECADM on both boxes, which has security officer rights. The operator claims it is IBM-supplied, but none of my other customers has this user profile. Is QSECADM IBM-supplied?
Answer: You are right to be suspicious of this profile. If a shady character were to plant a Trojan horse on a system, hed likely name it Q-something and place it in library QSYS. Finding out if an object is IBM-supplied is really not that difficult, and you have a couple of different resources. User profiles are the easiest. IBM provides a list of all IBM-supplied user profiles in Appendix B of the OS/400 Security - Reference V4R3 (SC41-5302-02, CD-ROM QB3ALC02). A quick scan of that list shows no QSECADM profile.
Another source of information about the origin of an object is the Display Object Description (DSPOBJD) command. A DSPOBJD command shows a wealth of information including the object-creation date and time, the user who created the object, and the system name where the object was created. If you displayed the object descriptions for all of the objects in library QSYS, youd see that the overwhelming majority of objects were created by user *IBM on system 00000000a pretty strong indication these objects were created as part of the OS/400 release build. An object created on your own system by user MALLET would be a little more suspect.
A word of caution is in order. Just because an object was not created by user *IBM on system 00000000 does not prove conclusively that this object is not part of the operating system. Many times PTFed objects are created by other user profiles (typically QSECOFR) and bear the actual system name of the IBM system they were created on. If the user and the system are other than *IBM and 00000000, further investigation is warranted.
A quick check of your system can be done by displaying all of the objects in QSYS to an outfile and then querying the outfile for objects that were not created by a user (a field named ODCRTU) that is associated with IBM. I ran such a query on my V4R3 system and found that QSYS contained 14,060 objects, 13,756 of which were created by user *IBM, QSYS, or QLPINSTALL (the license-management installation profile). Once the list was whittled down, it was relatively easy to scan the remaining 304 objects and verify their authenticity.
Adopting Authority in the AS/400 IFS
Question: I have a file in my own directory in the AS/400 Integrated File System (AS/400 IFS) called DGH004. I own and have *ALL authority to this file. *PUBLIC has *EXCLUDE authority to the file. We have a Java program that adopts QSECOFR authority and reads file DGH004. When I run the program, it works fine. When the users run it, it fails with the message CPF8A75 - Not authorized to access folder RICK. What am I doing wrong?
Answer: What you are doing wrong is that you expect for authority in the AS/400 IFS to work like it does elsewhere in OS/400. Its a reasonable expectation, but facts do not support it. The AS/400 IFS does not support adopted authority, ostensibly because the AS/400 IFS is built to UNIX (POSIX) standards and UNIX does not support the concept of adopted authority. This is a point of some debate. While most variations of UNIX do support adopted authority through the use of something called the sticky bit, OS/400 implementations via the AS/400 IFS and QSHELL have not embraced this standard. One argument is that, if the AS/400 IFS supported adopted authority, it would not be POSIX- compliant. A counter argument is that POSIX compliance should be restricted to the QOPENSYS file system, as it is the only one that supports other POSIX standards, such as case sensitivity. While all this is being sorted out, youll need to find a work around to your problem.
Investigate the use of the swap profile APIs, QSYGETPH and QWTSETP. These two APIs work hand in hand and allow you to change the personalities of a job in midstream. The QSYGETPH API performs the validation step to ensure that access to the new profile is authorized. If it is, a 12-character temporary profile handle is generated. The QWTSETP API then takes that 12-character profile handle and uses it to change the identity of the job to a new user profile. You can use the swap profile APIs to change the current user of a job and thereby grant authority that was not already available.
REFERENCES AND RELATED MATERIALS
OS/400 Security Reference. (SC41-5302-03, QB3ALC03.BOO)