IBM AS/400e Computer Hardware User Manual


 
• Virtual device descriptions can be a name selected by the user. If a valid device
name is communicated to the Telnet server either via user exit or a Telnet client,
a device by that name will be created, if necessary, under virtual controller
QVIRCDnnnn.
The virtual controller descriptions (QPACTLnn) have the 5250 data stream
optimization switch (OPTDTASTR) set to *YES by default. There is no reason to
change this for use by 3270 Telnet.
Security Considerations for 3270 Full-Screen Mode:
The number of sign-on attempts allowed increases if virtual devices are
automatically configured. The
number of sign-on attempts is equal to the number of system sign-on attempts
allowed multiplied by the number of virtual devices that can be created. The number
of system sign-on attempts allowed is defined by the QMAXSIGN system value.
The number of virtual devices that can be created is defined by the QAUTOVRT
system value.
In Version 4 Release 2, the following level of support has been added with regard
to security of virtual devices:
• With a user-supplied exit program, you can audit the number of sign-on attempts
• You have the ability to deny connections
• You have the ability to allow bypassing of the sign-on screen
For more information on Telnet exit points and how to use them, see “TELNET Exit
Points” on page 541 in Appendix E. TCP/IP Application Exit Points and Programs.
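The following Python model is an added illustration, not code from the manual or from OS/400: it shows why the figures above multiply (each virtual device carries its own QMAXSIGN counter, and every fresh connection can claim a new device until QAUTOVRT is reached) and how an exit program that denies connections shrinks that total. The exit-program hook and the client name are simplified, constructed stand-ins for the real Telnet exit point.

```python
from typing import Callable, List, Optional

# Hypothetical model of the Telnet server's sign-on accounting; the real
# exit-point interface is richer than this (client, devices_in_use) callback.
ExitProgram = Callable[[str, int], bool]


class TelnetServerModel:
    def __init__(self, qmaxsign: int, qautovrt: int,
                 exit_program: Optional[ExitProgram] = None) -> None:
        self.qmaxsign = qmaxsign          # sign-on attempts allowed per device
        self.qautovrt = qautovrt          # virtual devices that may be auto-created
        self.exit_program = exit_program  # returns True to accept a connection
        self.devices: List[int] = []      # failed sign-on counter per virtual device
        self.denied = 0                   # connections refused by the exit program

    def connect(self, client: str) -> Optional[int]:
        """Attach a new session to a virtual device, auto-creating one if allowed."""
        if self.exit_program and not self.exit_program(client, len(self.devices)):
            self.denied += 1
            return None
        for dev, failures in enumerate(self.devices):
            if failures < self.qmaxsign:      # device still has attempts left
                return dev
        if len(self.devices) < self.qautovrt:  # QAUTOVRT not yet reached
            self.devices.append(0)
            return len(self.devices) - 1
        return None                            # no device available

    def failed_signon(self, dev: int) -> None:
        self.devices[dev] += 1


def attempts_before_exhaustion(qmaxsign: int, qautovrt: int,
                               exit_program: Optional[ExitProgram] = None) -> int:
    """Count failed sign-ons one client can make before every device is used up.
    With no exit program this equals QMAXSIGN * QAUTOVRT, as the text states."""
    server = TelnetServerModel(qmaxsign, qautovrt, exit_program)
    total = 0
    while True:
        dev = server.connect("client-a")       # constructed client identifier
        if dev is None:
            return total
        while server.devices[dev] < qmaxsign:
            server.failed_signon(dev)
            total += 1


# A constructed exit-program policy: allow each client at most one device.
def one_device_per_client(client: str, devices_in_use: int) -> bool:
    return devices_in_use < 1
```

With QMAXSIGN=3 and QAUTOVRT=10 the model yields 30 attempts, while the same settings under the one-device exit policy yield only 3.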
Telnet and SNA 5250 Pass-Through Considerations for 3270 Full-Screen Mode:
The AS/400 system supports 5250 pass-through. 5250 pass-through is
similar to Telnet but runs on an SNA (Systems Network Architecture) protocol
network rather than a TCP/IP network. 5250 pass-through uses virtual displays to
direct output to the physical devices just as Telnet does. In 5250 pass-through, the
AS/400 system automatically creates virtual devices in the same way that it does
for Telnet. Therefore, the QAUTOVRT system value controls the number of
automatically configured virtual devices for both 5250 pass-through and Telnet. For
more information about 5250 pass-through, see the Remote Work Station Support
book.
Step 3—3270—Setting the QLMTSECOFR Value
The OS/400 licensed program supports the limit security officer (QLMTSECOFR)
system value, which limits the devices the security officer can sign on to. If the
QLMTSECOFR value is greater than zero, the security officer must be authorized to
use the virtual device descriptions. However, when this value is 0, the system does
not limit the devices users with *ALLOBJ or *SERVICE special authority can sign on
to.
On AS/400 systems with a QSECURITY value of 30 or greater, a user with security
officer authority (*ALLOBJ) must be authorized to use devices before the system
allows the user to use those devices. For example, each display device that a
security officer wants to sign on to (local, remote, or virtual), must have had the
following authority specified with the Grant Object Authority (GRTOBJAUT)
command:
GRTOBJAUT OBJ(display_name) OBJTYPE(*DEVD)
AUT(*CHANGE) USER(QSECOFR)
Chapter 6. Telnet Server 189