On 2018-09-12 at 11:50, Tom Mathias wrote:
Regarding the IOCP.txt import.

Prior to 2.14.0, your choices were USB or FTP to/from the SE itself.  Starting 
with 2.14.0, the SE will not directly connect to an FTP server but instead will 
route thru an HMC.

The changes to route FTP (and SFTP and FTPS) thru an HMC apply to all SE-based operations and not 
just the IOCP import task.  Also, all tasks that supported "FTP" were enhanced to support 
SFTP and FTPS.  For example, the "Load from Removable Media or Server" task also now 
supports SFTP/FTPS in addition to FTP and it also now routes its requests to the server via an HMC. 
This means your 2.14.0 SEs do not have to have a direct path to the FTP server anymore.


As for user ids and Single Object Operations, there are two important things to know.  
The first is that the set of user IDs and roles is separate between the SE and the 
HMC(s).  When you use Single Object Operations to connect to an SE, if the user ID you 
used is found on the SE, then that one is used.  So, if you are logged onto the HMC as 
SYSPRG2 and there is a SYSPRG2 userid on the SE, then that is used.  But, in the more 
typical case, if there is no user ID that matches on the SE, then you will use the 
default userid upon which your HMC userid is based.  So, for example, if you are SYSPRG2 
on the HMC and no SYSPRG2 userid exists on the SE, then you will use "SYSPROG" 
on the SE.

Finally, I am not sure what you are trying to ask with regards to a hostile 
HMC.  Any HMC that is at a level equal to or higher than an SE and that can see 
the SE can define it in.  If you want to keep things more isolated, then as you 
say, you can set up Domain Security and/or you can set up your network to limit 
who can see your SE.

Tom Mathias


All my questions were related to HMC 2.14.
I was trying to use FTP for IOCP and it failed with a "host unreachable" error. I simply assumed it still works as before, so I need connectivity to the internal (HMC-SE) network from my PC. Actually I'm not sure about my network rules (my PC is behind some router and/or firewall), so now I am simply unsure what the reason for the FTP failure is. BTW: I entered the SE using Single Object Operations and initiated the FTP import using SE panels - maybe there are some new panels on the HMC and I should use those ones???

Regarding the user databases on HMC and SE - now it seems logical - both have separate user databases. Further question: Let's assume we have SYSPRG2 on HMC with password ABCD and SYSPRG on SE with password XYZ. In other words, the userids match, but their passwords do not.
Will the HMC user SYSPRG2 be mapped to SYSPRG2 on SE?

Another observation: I have a custom-defined user which was defined from scratch ("New based on" was not used) and this user has the sum of the authorities of both SYSPROG and ACSADMIN. While it can be convenient on HMC, it's tricky on SE, because this user was mapped to SooAcsadmin and no SYSPROG tasks are visible for him.

Regarding hostile HMC - this is a purely theoretical case. Let's assume I have a CPC (SE) connected to an HMC and domain security is NOT SET. And someone comes to the server room (yes!), brings another HMC and connects it to the internal network. Then he logs on as ACSADMIN, adds the new (mine) CPC and he's able to manage this CPC. This "attack" requires access to the server room or at least the internal network, which should be well protected. However, domain security will prevent even such an attack.

Regards
--
Radoslaw Skorupka
Lodz, Poland



