=========================================
SEARCH400.COM ADMINISTRATOR TIP
September 5, 2001
=========================================

V5R1's new way of locking down FTP
By Joe Hertvik

OS/400 FTP has always been both a blessing and a curse on the iSeries. It's a blessing because it enables you to easily move files between OS/400 and other operating systems, such as Microsoft Windows, Unix and Linux. It's a curse because -- in the wrong hands (i.e., hackers or irresponsible people who sign on with OS/400 administrative authority) -- FTP can also allow users to delete file members or libraries and to launch commands on your iSeries or AS/400 box.

With OS/400 V5R1 and Client Access Express for Windows V5R1, IBM has provided new Operations Navigator-based FTP application settings that help fill those holes. These settings work by creating lists to allow or deny FTP access for specific OS/400 users or groups. You can find these new settings inside the Application Administration dialogue in the OpsNav program that comes with Express client V5R1. Here's how to use it to lock down V5R1 FTP users.

1. Open OpsNav V5R1 and right-click on the icon representing your OS/400 V5R1 machine. On the pop-up menu that appears, select the Application Administration option.
(You must be signed on as a user with *IOSYSCFG authority to alter application settings.)

2. On the Application Administration dialogue that displays, click on the Host Applications tab. This displays several OS/400 V5R1 functions that you can limit or allow users to access, including an option for controlling certain features of the AS/400 TCP/IP utilities.

3. Open the AS/400 TCP/IP Utilities node, and you'll see that IBM has added a sub-tree of options for the File Transfer Protocol (FTP). Access these options by opening the FTP Client or FTP Server nodes.

4. For OS/400 FTP client sessions, you can allow signed-on users to do, or restrict them from doing, the following:

   - initiating an FTP session with an FTP server (initiate session);
   - using the Local Change Directory (LCD) subcommand to change the default FTP directory location;
   - running CL commands using the System Command (SYSCMD) sub-command;
   - receiving files to your iSeries by using the FTP GET and MGET sub-commands; or
   - sending OS/400 files to another host by using the FTP PUT, MPUT, or APPEND sub-commands.

By default, those options are enabled for Default Users (those whose user authorities are not explicitly covered under another setting) and for users with all object system privileges. However, you can customize your list by highlighting one of the FTP capabilities you want to change on the Application Administration dialogue and pressing the Customize button.

5. Pressing the Customize button brings up a Customize Access screen for that particular OS/400 function. On this screen, you can add specific user profiles or user groups to an Access Allowed list or an Access Denied list and save your changes. OS/400 will then consult those lists when a user requests the specified function and allow or deny access based on the settings you entered. The functions on this screen are fairly self-explanatory, but there is a catch.
User access validation is modified if you have checked the 'Users with all system privilege' check box in the dialogue. This check box enables user profiles with All Object (*ALLOBJ) authority to continue using the function -- even if an OS/400 system administrator has explicitly added them to the Access Denied list. In other words, *ALLOBJ authority trumps individual settings in controlling FTP capabilities. Also, if you haven't explicitly listed a user in the Access Allowed or Access Denied list, they will still be able to use a specific FTP function if the Default Access check box is checked on this screen. So check those two settings in addition to your Access Allowed or Access Denied lists for an FTP function.

6. Once you save your settings for an FTP function, OS/400 immediately starts using your lists to verify FTP capabilities by user profile or user group.

7. In addition to setting capabilities for FTP client functions (where an OS/400 user or program initiates an FTP session with another machine, i.e., your iSeries is the FTP client), the Application Administration dialogue allows you to limit what outside FTP client users can do when they initiate an FTP session using your OS/400 machine as an FTP server. OS/400 FTP server capabilities can also be limited through the Application Administration and Customize Access dialogues. You can restrict the following capabilities:

   - logging on to an iSeries as an FTP server (logon server);
   - using the Change Working Directory (CWD or CD) sub-command to transfer files out of OS/400 directories other than the default directory;
   - enabling or disabling the Remote Command (RCMD) sub-command to launch OS/400 commands on your server;
   - creating or deleting directories or libraries (the MKDIR and RMDIR sub-commands); and
   - deleting, listing, receiving, renaming, or sending files through various FTP commands.
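
The catch described in step 5, worked through as an added example (it is not from the original tip and is not IBM code): a small Python model of the Customize Access check boxes and lists that reports which profiles can still use a function. The class and function names, the profile and group names, and the order in which group entries are evaluated are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class FunctionSetting:
    """Constructed model of one function's Customize Access screen."""
    name: str
    default_access: bool = True   # "Default Access" check box
    allobj_access: bool = True    # "Users with all system privilege" check box
    allowed: set = field(default_factory=set)  # Access Allowed list
    denied: set = field(default_factory=set)   # Access Denied list

@dataclass
class Profile:
    name: str
    groups: tuple = ()
    allobj: bool = False          # profile holds *ALLOBJ special authority

def effective_access(setting, profile):
    """Return (allowed, reason) for one profile and one FTP function."""
    if setting.allobj_access and profile.allobj:
        return True, "*ALLOBJ check box trumps the lists"
    if profile.name in setting.allowed:
        return True, "user on Access Allowed list"
    if profile.name in setting.denied:
        return False, "user on Access Denied list"
    # Assumption (not stated in the tip): group entries apply only when the
    # user is unlisted, and an allowed group wins over a denied one.
    if any(g in setting.allowed for g in profile.groups):
        return True, "group on Access Allowed list"
    if any(g in setting.denied for g in profile.groups):
        return False, "group on Access Denied list"
    return setting.default_access, "Default Access check box"

def audit(setting, profiles):
    """Profiles that keep access despite a deny entry, or only via the default."""
    findings = []
    for p in profiles:
        ok, reason = effective_access(setting, p)
        on_denied = bool(({p.name} | set(p.groups)) & setting.denied)
        if ok and (on_denied or reason.startswith("Default")):
            findings.append((p.name, reason))
    return findings

# Constructed sample: profile and group names are made up for illustration.
RCMD = FunctionSetting("FTP server RCMD", denied={"ADMIN1", "FTPGRP"})
PROFILES = [Profile("ADMIN1", allobj=True),
            Profile("BATCHFTP", groups=("FTPGRP",)),
            Profile("NEWHIRE")]

if __name__ == "__main__":
    for name, reason in audit(RCMD, PROFILES):
        print(f"{RCMD.name}: {name} still allowed ({reason})")
```

With both check boxes left at their defaults, the denied *ALLOBJ profile and the unlisted profile are both reported as still allowed; clearing the two check boxes in the model empties the report.
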

So if you're on OS/400 V5R1 and you're using Express client V5R1, IBM has given you an easy way to further lock down your OS/400 FTP capabilities.

-------------------------------------
About the author: Joe Hertvik is an IT consultant and freelance writer who specializes in middleware, network infrastructure, and iSeries and AS/400 issues. Joe can be reached at mailto:[EMAIL PROTECTED].

=================================================
QUESTION OF THE DAY -- Startup Program for IPL
=================================================

"I am configuring a new AS400. I notice that it shipped with system value QCTLSBSD = QBASE. The startup program, QSTRUP, contains a branch that checks the system value QCTLSBSD for the subsystem QCTL. If QCTL is not the controlling subsystem, the program branches to a "DONE" tag that skips starting the subsystems QBATCH, QINTER & QCMN. The questions are:

1. Why is QBASE shipped as the controlling subsystem when the startup program expects QCTL?
2. What are the consequences of changing the controlling subsystem from QBASE to QCTL?"