SecureMyi.com Security and Systems Management Newsletter for the IBM i                 June 26, 2013 - Vol 3, Issue 31

Feature Article

5 Ways to Control Access using Application Administration

By Carol Woodbury   Skyview Partners, Inc.

Never heard of Application Administration? Don’t be surprised. Although it’s full of function, it’s one of the little-known features of IBM i. Application Administration (or App Admin as it’s commonly called) has been around for a while, but the additional features provided in the latest releases, as well as in recent Technology Releases, make this a feature worth exploring again.

Tip #1 explains how to configure Application Administration access controls. Tip #4 explains the most recently added features, including the ability to control network access (FTP, ODBC, etc.), and Tip #5 explains how you can use App Admin with your own applications.

Application Administration

Application Administration is a function of i Navigator. It allows you to configure who can see certain functions or perform certain tasks. IBM created App Admin because there are times when you need to control access to something, but that something is a function or task and there is no object to restrict access to. For example, when you want to restrict access to a database file, you set *PUBLIC authority to *EXCLUDE, and no one can access the file. But if you want to control who can perform service traces, for example, there is no corresponding object to grant *EXCLUDE authority to. Therefore, App Admin was created to provide a facility for controlling functions.

To launch App Admin, right click on the system name in i Navigator and choose Application Administration. If you haven’t already signed on to the system, you’ll be presented with a sign on dialog.

Note: To configure most aspects of App Admin, you’ll need to sign on with a profile that has at least *SECADM special authority.


IBM i Security Calendar of Events


Live Security Related Webcasts and Training for IBM i

5 Must-Control Access Points for Optimum IBM i Security and Compliance
with Guy Marmorat - President Cilasoft

Live Webcast - Presented by Cilasoft Security Solutions
Thursday, June 27 Noon CDT

An Auditor's View: Assessing IBM i Security Vulnerabilities
Live Webcast - Presented by PowerTech
Thursday, June 27 1:00pm CDT

Live Hands-On - QAUDJRN Auditing and Forensic Analysis Workshop for IBM i
with Dan Riehl

Full Length Training Workshop - July 10-11
Dan Riehl presents this 2-Day Live Online Hands-on Workshop.

Live Hands-On - IBM i Security and Vulnerability Assessment Workshop for IBM i
with Dan Riehl

Full Length Training Workshop - July 15-18
Dan Riehl presents this 3.5-Day Live Online Hands-on Workshop.

Get your FTP Server into Compliance
Live Webcast - Presented by Linoma Software
Thursday, July 18 Noon CDT

Live Hands-On - Expanded Security Workshop for IBM i
with Dan Riehl

Full Length Training Workshop - July 23-26
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.

Live Hands-On - Expanded Control Language Programming Workshop
with Dan Riehl

Full Length Training Workshop - August 19-23
Dan Riehl, Co-Author of the textbook Control Language Programming for the IBM i
presents this 5-Day Live Online Hands-on Workshop.

Live Hands-On - IBM i System Administration and Control Workshop
with Dan Riehl

Full Length Training Workshop - September 9-13
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.

COMMON 2013 Fall Conference and Expo
Three Day Conference and Expo - September 9-11
Renaissance Grand St. Louis • St. Louis, Missouri



Security Shorts

Yes, I have a Numeric UserID and Password. And You?

By Dan Riehl

My UserID is 77 and My Password is 123456

The object naming rules for IBM i state that an object name must begin with an alphabetic character, including A-Z, #, $, @, and that the remaining characters (up to 10 in total) can contain A-Z, 0-9, #, $, @, _, and . (period). The object names in the QSYS file system are not case sensitive.

However, when it comes to User Profile names and Passwords, an interesting phenomenon comes into play.

When we create a user profile, we specify a User Profile name and, optionally, we specify a Password, as in the following example. (For these examples, we assume a Password Level (System Value QPWDLVL) of 0 or 1, limiting a password to a maximum length of 10 characters.)

CRTUSRPRF   USRPRF(BOBSMITH)   PASSWORD(PASS1WORD5)

Now, when the user needs to log on, his user ID is BOBSMITH, and his password is PASS1WORD5. Simple and straightforward.

But consider this next example:

CRTUSRPRF   USRPRF(Q12345)   PASSWORD(Q11111)

When a user profile is created using this command, the user can actually log on using two different user IDs and two different passwords. It's a bit weird, but let's look at it in more detail.

  • The user can log on with UserID Q12345 with a Password Q11111.
  • The user can log on with UserID Q12345 with an all-numeric Password 11111.
  • The user can log on with an all-numeric UserID 12345 with a Password Q11111.
  • The user can log on with an all-numeric UserID 12345 with an all-numeric Password 11111.

The secret to this seemingly strange support lies in the first character of the UserID and/or Password being the specific letter Q, followed only by digits. When this is the case, the letter Q becomes an optional part of the UserID and/or Password during the Logon process.

You can view more about this Q digit support by reviewing the F1=Help text of the CRTUSRPRF (Create User Profile) command.

As the system administrator, you can enforce policy to disallow the creation of a Q digits User Profile, but a user can change his or her password to a Q digits password using the Change Password (CHGPWD) command and/or Change Password API.

In order to restrict users from setting their passwords to Q digits (e.g., Q11111), you can either set the system value QPWDLMTAJC to the value 1 or include the value *DGTLMTAJC in the system value QPWDRULES. Either of these settings prohibits the use of adjacent digits in a password when changed by the user.

Oh yes, one more thing. Make sure that your password minimum length is at least 3. (I hope it's more like 6, 7 or 8.) Minimum length is set by the system value QPWDMINLEN, or in the QPWDRULES system value using the value *MINLENnnn, where nnn is a number from 1-10, or 1-128, depending upon the value of your QPWDLVL system value.
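
The checks described above, as an added audit sketch in Python that is not part of the original article: it flags Q digits profiles, maps a typed all-numeric UserID back to its stored profile name, and reports whether the password system values still allow Q digits passwords. The profile list and system values are constructed sample data, the function names are hypothetical, and the branch that ignores QPWDLMTAJC and QPWDMINLEN when QPWDRULES is not *PWDSYSVAL follows IBM's documented behaviour for QPWDRULES.

```python
import re

# Stored name or password: the letter Q followed only by digits (10 chars max).
Q_DIGITS = re.compile(r"Q[0-9]{1,9}")

def signon_forms(stored):
    """Every string accepted at sign-on for a stored profile name or password."""
    stored = stored.strip().upper()
    return [stored, stored[1:]] if Q_DIGITS.fullmatch(stored) else [stored]

def stored_form(entered):
    """Profile name that a typed user ID refers to (all digits -> Q + digits)."""
    entered = entered.strip().upper()
    return "Q" + entered if re.fullmatch(r"[0-9]{1,9}", entered) else entered

def audit(profiles, sysvals):
    """Return findings for Q digits profiles and the password rules that allow them."""
    findings = []
    for name in profiles:
        forms = signon_forms(name)
        if len(forms) == 2:
            findings.append(f"profile {forms[0]} also signs on as {forms[1]}")
    rules = sysvals["QPWDRULES"].split()
    if rules == ["*PWDSYSVAL"]:
        # The individual password system values are in effect.
        adjacent_blocked = sysvals["QPWDLMTAJC"] == "1"
        min_len = int(sysvals["QPWDMINLEN"])
    else:
        # Per IBM's QPWDRULES documentation, the individual values are ignored.
        adjacent_blocked = "*DGTLMTAJC" in rules
        lens = [int(r[7:]) for r in rules if r.startswith("*MINLEN")]
        min_len = lens[0] if lens else None
    if not adjacent_blocked:
        findings.append("adjacent digits allowed: users can set Q digits passwords")
    if min_len is None:
        findings.append("QPWDRULES has no *MINLENnnn value")
    elif min_len < 3:
        findings.append(f"minimum password length {min_len} is below 3")
    return findings

# Constructed sample data, not taken from a real system.
SAMPLE_PROFILES = ["BOBSMITH", "Q12345", "QSECOFR", "Q1A234"]
SAMPLE_SYSVALS = {"QPWDRULES": "*PWDSYSVAL", "QPWDLMTAJC": "0", "QPWDMINLEN": "2"}

if __name__ == "__main__":
    for line in audit(SAMPLE_PROFILES, SAMPLE_SYSVALS):
        print(line)
```

Feed it the profile names and system values exported from your own system in place of the sample data; an empty result means none of the three conditions was found.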


Copyright 2013 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017