IBM AS/400e Computer Hardware User Manual

In Version 4 Release 2, the following level of support has been added with regard to security of virtual devices:
- With a user-supplied exit program, you can audit the number of sign-on attempts
- You have the ability to deny connections
- You have the ability to allow bypassing of the sign-on screen
For more information on Telnet exit points and how to use them, see “TELNET Exit Points” on page 541 in Appendix E. TCP/IP Application Exit Points and Programs.
Telnet and SNA 5250 Pass-Through Considerations for ASCII Full-Screen Mode
The AS/400 system supports 5250 pass-through. 5250 pass-through is similar to Telnet but runs on an SNA (Systems Network Architecture) protocol network rather than a TCP/IP network. 5250 pass-through uses virtual displays to direct output to the physical devices just as Telnet does. In 5250 pass-through, the AS/400 system automatically creates virtual devices in the same way that it does for Telnet. Therefore, the QAUTOVRT system value controls the number of automatically configured virtual devices for both 5250 pass-through and Telnet. For more information about 5250 pass-through, see the Remote Work Station Support book.
Step 3—ASCII—Setting the QLMTSECOFR Value
The OS/400 licensed program supports the limit security officer (QLMTSECOFR) system value, which limits the devices the security officer can sign on to. If the QLMTSECOFR value is greater than zero, the security officer must be explicitly authorized to each virtual device description before signing on through it. When this value is 0, the system does not limit the devices that users with *ALLOBJ or *SERVICE special authority can sign on to.
On AS/400 systems with a QSECURITY value of 30 or greater, a user with security officer authority (*ALLOBJ) must be authorized to use devices before the system allows the user to use those devices. For example, each display device that a security officer wants to sign on to (local, remote, or virtual) must have had the following authority specified with the Grant Object Authority (GRTOBJAUT) command:
    GRTOBJAUT OBJ(display_name) OBJTYPE(*DEVD) AUT(*CHANGE) USER(QSECOFR)
This procedure is very important because Telnet automatically configures virtual devices. If the QLMTSECOFR value is set to 0, all devices automatically configured by Telnet can be used by the security officer. If you set the QLMTSECOFR value to 1, your security officer is not able to use the virtual devices created by Telnet unless you grant object authority to the security officer for that virtual device. The automatic configuration support can delete and re-create the virtual device. If this occurs, the authority is lost with the old device description, and it must be granted to the security officer again each time the virtual device is created.
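The following CL program is an added example, not taken from the IBM manual: it retrieves the current QLMTSECOFR setting and, only when the value restricts the security officer, grants QSECOFR the *CHANGE authority the procedure above requires on one virtual device description. The device name is passed as a parameter; QPADEV0001 used in the usage note is an assumed example name, and the message IDs monitored are the generic CHKOBJ and GRTOBJAUT error IDs.

```cl
/* Added example (not from the manual): re-grant QSECOFR access to a virtual   */
/* device description after Telnet has re-created it, but only when the       */
/* QLMTSECOFR system value actually limits the security officer.              */
             PGM        PARM(&DEVD)
             DCL        VAR(&DEVD) TYPE(*CHAR) LEN(10)
             DCL        VAR(&LMTSECOFR) TYPE(*CHAR) LEN(1)
             DCL        VAR(&MSG) TYPE(*CHAR) LEN(80)

             /* Retrieve the current QLMTSECOFR setting ('0' or '1'). */
             RTVSYSVAL  SYSVAL(QLMTSECOFR) RTNVAR(&LMTSECOFR)

             IF         COND(&LMTSECOFR *EQ '0') THEN(DO)
                /* Value 0: QSECOFR may use every device, no grant needed. */
                SNDPGMMSG  MSG('QLMTSECOFR is 0; no device authority needed')
                RETURN
             ENDDO

             /* Make sure the device description exists before granting. */
             CHKOBJ     OBJ(&DEVD) OBJTYPE(*DEVD)
             MONMSG     MSGID(CPF9801) EXEC(DO)
                CHGVAR     VAR(&MSG) VALUE('Device description not found: ' +
                             *CAT &DEVD)
                SNDPGMMSG  MSG(&MSG)
                RETURN
             ENDDO

             /* The grant the manual requires for a security officer sign-on. */
             GRTOBJAUT  OBJ(&DEVD) OBJTYPE(*DEVD) AUT(*CHANGE) USER(QSECOFR)
             MONMSG     MSGID(CPF2200) EXEC(DO)
                CHGVAR     VAR(&MSG) VALUE('GRTOBJAUT failed for ' *CAT &DEVD)
                SNDPGMMSG  MSG(&MSG)
                RETURN
             ENDDO

             ENDPGM
```

Compile it with CRTCLPGM and call it as CALL PGM(mylib/GRTVRTAUT) PARM('QPADEV0001') whenever automatic configuration has re-created a device, which is exactly the case the manual warns about.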
Step 4—ASCII—Working with Associated System Values
In addition to QAUTOVRT and QLMTSECOFR, the following system values are available for you to work with from the Configure TCP/IP Telnet (CFGTCPTELN) menu:
- QINACTITV: Inactive job time-out
- QINACTMSGQ: Inactive job message queue
Chapter 6. Telnet Server 213