> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Support, DUNNIT SYSTEMS LTD.
> Sent: Thursday, December 06, 2007 7:28 AM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Forcing a userid and password prompt on session connect
> 
> 
> Hi,
> 
> Running z/OS 1.8 from ADCD on a FlexEs box.
> 
> We are about to enable remote external access to our z/OS system. Security
> is lousy as it is. The network router does port forwarding for Telnet to our
> z/OS system. That brings up the ADCD default login screen, which on its own
> offers no security. For example, by ADCD install default, you can log on
> straight into CICS without any signon.
> 
> Is there some simple VTAM session application readily available with ADCD that
> can be automatically started for a terminal session when a connection is made
> and force prompting for a valid RACF ID and password?
> 
> Are there any other security holes that need to be plugged under this scenario
> of router port forwarding to our FlexEs z/OS system?
> 
> TIA,
> Jerry

I assume that your users are using TN3270 to connect to the z/OS system.
If so, then you can use the RESTRICTAPPL section of the BEGINVTAM section
on the TN3270 server parms for the ports to be secured. We have a port,
2323, dedicated to SMCS consoles. An example:

BEGINVTAM PORT 2323
  DEFAULTLUS
    LIH1SM01..LIH1SM09..FFFFFFFB
  ENDDEFAULTLUS

  DEFAULTAPPL SMCSH1 DEFONLY

  RESTRICTAPPL SMCSH1
     USER *

ENDVTAM

What this does is cause the TN3270 server on z/OS to ask for a user's
RACF id and password before connecting them to the application
specified.

Note that this stuff is "in the clear", so you could still have somebody
steal userids and passwords with a "sniffer". I greatly suggest that you
implement the SSH daemon on the UNIX host. Give your users UNIX userids
and passwords. Make them use an SSH client to connect to the FlexES host
UNIX system, then use something like x3270, running on the FlexES host,
to connect to the z/OS system.

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology
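
An added example, not part of the reply above and not IBM-supplied tooling: a
small Python check that reads a TN3270 profile and reports, for each BEGINVTAM
port, any DEFAULTAPPL target that has no RESTRICTAPPL in the same block. It
only understands the statement layout shown in the reply; the port 23 block and
the application name CICSA in the sample are constructed for illustration.

```python
# Constructed sample: the port 2323 block is the one quoted in the reply;
# the port 23 block and the name CICSA are made up for this example.
SAMPLE_PROFILE = """\
BEGINVTAM PORT 2323
  DEFAULTLUS
    LIH1SM01..LIH1SM09..FFFFFFFB
  ENDDEFAULTLUS
  DEFAULTAPPL SMCSH1 DEFONLY
  RESTRICTAPPL SMCSH1
     USER *
ENDVTAM

BEGINVTAM PORT 23        ; constructed: default appl with no RESTRICTAPPL
  DEFAULTAPPL CICSA
ENDVTAM
"""

def audit_profile(text):
    """Return {port: [DEFAULTAPPL names lacking RESTRICTAPPL in that block]}."""
    findings = {}
    ports, defaults, restricted = [], set(), set()
    in_block = False
    for raw in text.splitlines():
        # Drop ';' comments, then compare keywords case-insensitively.
        tokens = raw.split(";", 1)[0].upper().split()
        if tokens and tokens[0] == "BEGINVTAM":
            in_block, ports, defaults, restricted = True, [], set(), set()
            tokens = tokens[1:]          # PORT may follow on the same line
        if not tokens or not in_block:
            continue
        keyword = tokens[0]
        if keyword == "PORT":
            ports.extend(t for t in tokens[1:] if t.isdigit())
        elif keyword == "DEFAULTAPPL" and len(tokens) > 1:
            defaults.add(tokens[1])
        elif keyword == "RESTRICTAPPL" and len(tokens) > 1:
            restricted.add(tokens[1])
        elif keyword == "ENDVTAM":
            unprotected = sorted(defaults - restricted)
            for port in ports or ["(no PORT statement)"]:
                findings[port] = unprotected
            in_block = False
    return findings

if __name__ == "__main__":
    for port, appls in audit_profile(SAMPLE_PROFILE).items():
        status = "ok" if not appls else "no userid prompt for: " + ", ".join(appls)
        print(f"port {port}: {status}")
```

A port that comes back with an empty list still sends the userid and password
in the clear, as the reply notes, so this check says nothing about transport
protection.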
