You can perform each of the steps outlined in this chapter by using the corresponding option on
the SafeNet/400 Main Menu. However, if you are setting up a new user, when you are finished
with one screen you can use F9 to advance to the next without returning to the main menu. If
you want to skip a step, you can cancel and return to the SafeNet/400 Main Menu.
Group Profiles
If you have an unlimited user license for SafeNet/400, Group Profiles are available. If so, you
may use F7 to toggle between the group profile settings and the user profile settings.
F8 will display all the user profiles within the group.
SafeNet/400 Reference Guide
Copyright 2008 MP Associates of Westchester, Inc.
V8.50 - May 2008
1.1
Setting the User Logging Levels
The valid logging levels are:
Logging Level A    Log all transactions
Logging Level R    Log only rejected requests
Logging Level N    No logging
As you set up your user logging levels, please keep in mind the following:
If you set the logging level on the Server Function (WRKSRV) to NO LOGGING or
REJECTIONS, the Server Function (WRKSRV) setting will override the individual user
logging level.
If you set the logging level on the Server Function to ALL, the individual user logging level
will override the Server Function logging level.
To make sure you are logging transactions correctly, we recommend that when you initially set
up SafeNet/400 you set the Server Functions to log ALL and set the User to Server logging levels
to either ALL or REJECTIONS.
Then, after you have had some experience with checking the logs and interpreting the results,
you may want to make changes for specific user and server combinations.
An example of this might include certain "trusted" user profiles. If you trust the user in question
and are concerned about the size and amount of logging activity, you might choose to only
record rejected transactions for that user.
Another example might be a known client server application that is clearly defined and does not
need to be monitored. For these applications you might choose to stop logging altogether. We
have found several fax applications that fall into this category. They generate a large number of
entries that are really not needed for your purposes in controlling access security.
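The override rule described in this section, worked through as an added Python sketch (not part of SafeNet/400 or of the original guide): it computes the level that actually applies to each user and server pair and lists the pairs where less is logged than the user setting asks for. The server names and user profiles are constructed placeholders.

```python
# Added illustration of the logging-level override rule; not SafeNet/400 code.
RANK = {"N": 0, "R": 1, "A": 2}   # N = no logging, R = rejections, A = all


def effective_level(server_level, user_level):
    """Level that applies once the Server Function (WRKSRV) setting is considered."""
    for level in (server_level, user_level):
        if level not in RANK:
            raise ValueError(f"invalid logging level: {level!r}")
    # Server set to ALL: the individual user level decides.
    # Server set to REJECTIONS or NO LOGGING: the server setting overrides.
    return user_level if server_level == "A" else server_level


def logging_gaps(server_levels, user_levels):
    """List (user, server, wanted, effective) where less is logged than wanted."""
    gaps = []
    for (user, server), wanted in sorted(user_levels.items()):
        got = effective_level(server_levels[server], wanted)
        if RANK[got] < RANK[wanted]:
            gaps.append((user, server, wanted, got))
    return gaps


# Constructed sample settings; FTPSRV, SQLSRV and FAXSRV are placeholder names.
SERVER_LEVELS = {"FTPSRV": "A", "SQLSRV": "R", "FAXSRV": "N"}
USER_LEVELS = {
    ("JSMITH", "FTPSRV"): "R",    # honoured: server logs ALL
    ("JSMITH", "SQLSRV"): "A",    # reduced to R by the server setting
    ("FAXUSER", "FAXSRV"): "N",   # matches the server setting
    ("AUDITOR", "FAXSRV"): "A",   # silently reduced to N
}

if __name__ == "__main__":
    for user, server, wanted, got in logging_gaps(SERVER_LEVELS, USER_LEVELS):
        print(f"{user} on {server}: user level {wanted}, effective level {got}")
```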
SafeNet Administrator
You can set up a SafeNet/400 Administrator, or ‘Super Admin’ from the SafeNet/400 Special
Jobs Menu or by using the WRKSNADM command. This can also be found on the Special Jobs
Menu, Option 5 – Maintain SafeNet Administrators.
The WRKSNADM command can be executed by a user with *SECADM or *SECOFR
authority.
A user profile must be set up as a SafeNet/400 ‘Super Admin’ to perform the following:
Activate or deactivate SafeNet/400
Change/copy/remove the IBM-supplied Q profiles settings in SafeNet/400
Use the WRKSRV, CHGSPCSET, CHGFTPSET commands
A regular SafeNet/400 user or administrator does not have authority to the above functions.
Unless specifically changed, QSECOFR is ALWAYS a SafeNet/400 Super Admin. User profile
SAFENET is a Super Admin; this status can be changed or removed to suit your purposes.
Super Trusted User Control
Under special circumstances it may be necessary to have a user that should not be checked
through all the SafeNet/400 security routines. Transactions from these users can bypass the
traditional SafeNet/400 security routines; you can choose to simply log them or not log them.
From the Special Jobs Menu select Option 4 – Maintain Super-Users in SafeNet.
You can turn logging on or off for Super Trusted Users by using the CHGSPCSET command
and changing the LOGUSER parameter to *YES or *NO.
Note: This should only be used under conditions when you want NONE of the specified users'
transactions to be checked through SafeNet/400 security routines.
Entering User Security Levels
If you plan on setting any of the Server Functions to Level 3 or Level 4, and anticipate doing
anything other than simply logging all requests, the first step in configuring SafeNet/400 is to
give the users authority to any Server Functions they require.
1. From the SafeNet/400 Main Menu select Option 2 - Work with User to Server Security or use the WRKUSRSRV command.
The Work User to Server Security Enter User Profile screen appears.
2. Type the user profile you will be setting up, or *PUBLIC, then ENTER.
If you would like a list of all user profiles on the system, press F4 or type *ALL.
To see a list of users already defined within SafeNet/400 type *ALLDFN.
The Maintain User to Server Security screen appears.
A list of all the servers is displayed.
3. If you would like to see the list of all users who have been defined within SafeNet/400,
press F2.
Type 1 in the Option column in front of each server this user will have access to.
If they will have access to all the server functions, select
*ALL ACTIVE SERVERS
To remove access to a particular server, remove the ‘1’ and leave the Option column
blank for that server.
4. Enter the Logging Level for each server.
A = All
R = Rejections only
N = No logging
When you have finished setting up servers for this user, press ENTER.
5. Enter the Job Run Priority for each server. Do this if you choose to override OS/400 job
priority defaults.
The job priority will be set when the user accesses this server. Valid job priorities are 00
(the default) through 99. A value of 00 indicates no change to the default job priority.
6. Press F9 to continue to the next step - setting up user authorities to objects.
Entering User Authorities to Objects
Once you have given the user access to the servers, the next step is to enter the level of authority
the user has to objects on the System i5 if you plan on setting any of the servers to Level 4.
1. If you used F9 from the previous screen, skip to Step 4.
2. If you are currently on the SafeNet/400 Main Menu, select Option 3 - Work with User
to Object Level Security or use the WRKUSROBJ command.
The Work User to Object Security screen is displayed.
3. Type the user profile name, the Group or *PUBLIC, then ENTER.
To list all of the user profiles on the system, press F4 or type *ALL.
To see a list of users already defined within SafeNet/400 type *ALLDFN.
The Add New Object Authorization screen appears.
If you would like to see the list of all users who have been defined within SafeNet/400,
press F2.
Note: If this user has already been set up in SafeNet/400, the Maintain Authorized
Objects by User screen is displayed. Press F6 to add new objects and authorities
for this user.
4. In the Library or Folder column, enter the name of the library or folder, then TAB to
the Object or Sub-Flr column and type in the name of the object or sub-folder.
Note: Allowed entries for Library or Folder
*ALLLIB
*ALLFLR
Specific library name
When setting up a library, you must enter the complete library name. Generic library
names are not allowed.
Allowed entries for Object
*ALL
Specific object
Generic data/program or System i5 object name followed by * (FIL*)
NOT ALLOWED for object
Long file or folder names - 10 position maximum (names over 10 are
If granting rights to multiple objects in one library, you must list the library name
multiple times or use a generic object name. For example:
LIBRARY     OBJECT
QUSRSYS     PAY1
QUSRSYS     PROJECT
QUSRSYS     PRT*
5. For Data Rights, type an X under the appropriate level of authority. Place an X for each
data right that applies.
6. For Existence Rights, type an X if this user will be able to create, delete or move an
object.
To assign EXCLUSIONS to objects and/or libraries, give the user no rights by leaving
the Data Rights and Existence Rights columns blank.
7. Repeat these steps for each object or group of objects for this user profile.
PageDown to the next screen if you need more lines.
ENTER when you have finished keying in all necessary objects and rights.
The Maintain Authorized Objects by User screen is refreshed and all the information you
just entered is displayed.
Press F9 to continue to the next step - setting up user authorities to SQL statements.
Reminder:
If you have already entered objects for a particular user, and you are updating their user
to object level security, a list of existing object authorities will be displayed. To add
more, press F6. To delete an existing entry, type 4 in the Option column, then ENTER.
Exclusions
To give all users read access to all objects in all libraries, but exclude them from any objects in
the PAYROLL library, give *PUBLIC READ authority to the library and exclude *PUBLIC
from the PAYROLL library.
If the PAYDEPT profile needs to use objects in the PAYROLL library, grant user profile
PAYDEPT READ authority to the PAYROLL library.
This individual authority overrides the *PUBLIC authority.
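The exclusion example from this section, modelled as an added Python sketch that is not SafeNet/400 code and not from the original guide. It assumes that within one profile the most specific entry wins and that a request matching no entry is rejected, and it leaves out groups and folders; JOE, QGPL, REPORT and SALARY are constructed sample names.

```python
# Added illustration of the object-authority rules; not SafeNet/400 code.
from dataclasses import dataclass

PUBLIC = "*PUBLIC"


@dataclass(frozen=True)
class Entry:
    profile: str                     # user profile or *PUBLIC
    library: str                     # *ALLLIB or a complete library name
    obj: str                         # *ALL, a specific name, or generic (PRT*)
    rights: frozenset = frozenset()  # empty = exclusion (rights columns blank)

    def __post_init__(self):
        # Generic library names are not allowed; object names max 10 positions.
        if self.library != "*ALLLIB" and "*" in self.library:
            raise ValueError(f"generic library name not allowed: {self.library}")
        if len(self.obj) > 10:
            raise ValueError(f"object name over 10 positions: {self.obj}")

    def matches(self, library, obj):
        lib_ok = self.library in ("*ALLLIB", library)
        if self.obj == "*ALL":
            obj_ok = True
        elif self.obj.endswith("*"):             # generic name such as PRT*
            obj_ok = obj.startswith(self.obj[:-1])
        else:
            obj_ok = self.obj == obj
        return lib_ok and obj_ok

    def rank(self):
        # Assumption: the more specific entry wins within one profile.
        lib = 0 if self.library == "*ALLLIB" else 1
        obj = 0 if self.obj == "*ALL" else (1 if self.obj.endswith("*") else 2)
        return (lib, obj)


def resolve(entries, user, library, obj):
    """Rights `user` holds on library/obj; an empty set means rejected."""
    for profile in (user, PUBLIC):   # an individual entry overrides *PUBLIC
        hits = [e for e in entries
                if e.profile == profile and e.matches(library, obj)]
        if hits:
            return max(hits, key=Entry.rank).rights
    return frozenset()               # assumption: no matching entry, no access


READ = frozenset({"READ"})
# The PAYROLL example from this section, entered as a rule table.
RULES = [
    Entry(PUBLIC, "*ALLLIB", "*ALL", READ),
    Entry(PUBLIC, "PAYROLL", "*ALL"),            # exclusion: no rights
    Entry("PAYDEPT", "PAYROLL", "*ALL", READ),
]

if __name__ == "__main__":
    for who, lib, obj in [("JOE", "QGPL", "REPORT"),
                          ("JOE", "PAYROLL", "SALARY"),
                          ("PAYDEPT", "PAYROLL", "SALARY")]:
        print(who, lib, obj, sorted(resolve(RULES, who, lib, obj)) or "REJECTED")
```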
Entering User Authorities to SQL Statements
If you are going to set the SQL servers to Level 4 only, the next step is to authorize users to the
SQL Statements they may need.
1. If you used F9 from the previous screen, skip to Step 4.
2. If you are currently on the SafeNet/400 Main Menu, select Option 4 - Work with User
to SQL Statement Security or use the WRKUSRSQL command.
The Work User to SQL Statements screen is displayed.
3. Type the user profile, the Group or *PUBLIC, then ENTER.
If you would like a list of all user profiles on the system, press F4 or type *ALL.
To see a list of users already defined within SafeNet/400 type *ALLDFN.
The Maintain Authorized SQL Statements screen appears.
4. Type 1 in front of each SQL statement that this user is permitted to use.
Selecting *ALL Statements authorizes the user to all SQL statements.
To remove authorization to a selection, remove the 1.
If you would like to see the list of all users who have been defined within SafeNet/400,
press F2.
5. When finished making all your selections, ENTER.
6. Press F9 to advance to the next step - setting up user authorities to FTP statements.
Entering User Authorities to FTP Statements
Next you must authorize users to the FTP Statements they may need if you are going to set the
FTP Server or FTP Client to Level 4.
1. If you used F9 from the previous screen, continue with Step 4.
2. If you are on the SafeNet/400 Main Menu, select Option 5 - Work with User to FTP Statement Security or use the WRKUSRFTP command.
The Work User to FTP Statements, Enter User ID screen is displayed.
3. Type the user profile or *PUBLIC then ENTER.
If you would like a list of all user profiles on the system, press F4 or type *ALL.
To see a list of users already defined within SafeNet/400 type *ALLDFN.
The Work with Authorized FTP Statements screen appears.
4. Type 1 in front of each FTP statement that this user is permitted to use.
To remove authorization to a statement, remove the 1.
If you would like to see the list of all users who have been defined within SafeNet/400,
press F2.
5. Press F4 to display the Maintain Special FTP Settings for Users screen.
Note: Special FTP settings for a user are allowed only when your system is at OS/400
V5R1 or higher. If you are at a previous operating system level, these settings
have no effect.
For this user, the initial Name Format and List Format will override the settings
established by the OS/400 Change FTP Server Attributes command (CHGFTPA).
Select the parameters as follows:
Encrypted
For SSL connections this should be set to 0 or 2
For regular or non-SSL connections, leave this set to 0 or 1
PATH
This field is in effect only when Name Format is set to *UNIX. The field should point to
an actual IFS directory on the System i5.
Name Format
*LIB indicates that the user sees standard Library/Object OS/400 style names
*PATH displays PC or *UNIX style file and directory names.
List Format
*DFT user sees standard OS/400 CHGFTPA server settings
*UNIX user sees UNIX style directory listings
6. When finished making all your selections, ENTER.
7. Press F9 to continue to the next step - setting up user authorities to CL commands.
Important Note:
When the FTP Client point is set to Level 4, only the GET and PUT FTP sub-commands are
required. The other commands, when using the FTP Client, are for the TARGET SYSTEM
ONLY (sent to/run on the target system).
When authorizing users to the GET/PUT sub-commands, the assumed object authority is
reversed from authorities required for the FTP Server point and the same objects.
See the following examples.
Using FTP Client:
Sending an object to a remote system
An FTP PUT of object ABC in an FTP Client session requires *READ authority to object
ABC on the local machine.
Get an object from a remote system
An FTP GET of object ABC in an FTP Client session requires *OBJMGT authority to
the object ABC on the local machine.
Using FTP Server:
Send an object to local system
An FTP PUT of object ABC in an FTP Server session requires *OBJMGT authority to
the object ABC on the LOCAL machine.
Get an object from the local system
An FTP GET of object ABC in an FTP Server session requires *READ authority to the
object ABC on the LOCAL machine.
Entering User Authorities to CL Commands
Next, if you plan on setting the FTP, DDM or Remote Command Servers to Level 4, you must
authorize users to the CL commands they may need.
1. If you used F9 from the previous screen, continue with Step 4.
2. From the SafeNet/400 Main Menu, select Option 6 - Work with User to CL Command
Security or use the WRKUSRCMD command.
The Work User to CL Commands, Enter User ID screen is displayed.
3. Type the user profile or *PUBLIC then ENTER.
If you would like a list of all user profiles on the system, press F4 or type *ALL.
To see a list of users already defined within SafeNet/400 type *ALLDFN.
The Maintain Authorized CL Commands screen appears.
4. Type each CL command that this user is permitted to use.
If you want the user to have access to all CL commands, type *ALL in the first available
space.
To remove authorization to a command, FIELD EXIT through the line to blank it out.
If you would like to see the list of all users who have been defined within SafeNet/400,
press F2.
5. When finished typing all the required CL commands for this user, press ENTER.
6. Press F9 to continue with setting up path names.
Entering Long Path Names
The default SafeNet/400 setting is to use long path names.
If you choose to not use long path name support, you must first change the SafeNet/400 default
setting. Use the CHGSPCSET command to set the PATHL parameter to *SHORT.
Follow these steps to authorize the user to the paths.
1. If you used F9 from the previous screen, continue with Step 4.
2. From the SafeNet/400 Main Menu, select Option 7 - Work with User to Long Path Names or use the WRKUSRPTH command.
The Work with User to Path Names, Enter User ID screen is displayed.
3. Type the user profile or *PUBLIC then ENTER.
If you would like a list of all user profiles on the system, press F4 or type *ALL.
To see a list of users already defined within SafeNet/400 type *ALLDFN.
The Maintain Path Names screen appears.
If you would like to see the list of all users who have been defined within SafeNet/400,
press F2.
4. Enter the paths that the user is authorized to.
Paths can be entered up to 256 positions in length, although only the first 60 positions are
shown on the display. To enter and/or view a path over 60 positions long, enter 2 in the
option column.
Use /* to give authority to all folders/paths.
End the path with * to allow access to all items in subfolders.
5. When finished typing all the paths for this user, press ENTER.
Copying an Existing User to Set Up a New User in SafeNet/400
This will allow you to copy the authorities and settings from one user to another within
SafeNet/400. The new user profile must already exist in OS/400.
1. From the Special Jobs Menu, select Option 13 – Copy a User Setup to Another User or
use the CPYSNUSR command.
The Copy SafeNet User/Authorities screen is displayed.
2. Type the user profile you are copying from, then the new profile(s) to add.
3. When finished entering all the new profiles, press ENTER.
This will set up the new profile in SafeNet/400 and return you to the Special Jobs Menu.
Removing a User from SafeNet/400
This option allows you to remove a user’s authorities and settings from SafeNet/400.
1. From the Special Jobs Menu select Option 14 – Remove a User Enrollment from SafeNet or use the RMVSNUSR command.
The Remove Users from SafeNet screen appears.
2. Type the user profile(s) to remove, then press ENTER.
This will remove the user from SafeNet/400 and return you to the Special Jobs Menu.
Maintain all Security for a User
The WRKUSRSEC command, which is not found on any of the SafeNet/400 menus, gives you
the ability to perform security maintenance for an individual user without entering several
different commands.
When you use the WRKUSRSEC command you will be presented with the Maintain All Security for a User screen.
From this screen you can select which of the control files you wish to update for this particular
user, without entering any additional commands or returning to the SafeNet/400 Main Menu.
Within each of the applications, you can use F9 to advance to the next maintenance screen.
Setting up Time of Day Controls
If you want to exclude users from server functions based on the day of the week or the time of
day, use Time of Day controls.
SafeNet/400 checks authority in the following sequence:
Is the authorized to at this time?
User                  Specific Server
                      *ALL Servers
Group                 Specific Server
                      *ALL Servers
Supplemental Group    Specific Server
                      *ALL Servers
*PUBLIC               Specific Server
                      *ALL Servers
SafeNet/400 checks until all the tests are passed or until an exclusion rule is encountered.
Note: In Version 8, Time of Day controls are handled differently than in previous releases of
SafeNet/400. With Version 8, TOD controls are activated at the server level. Use the
WRKSRV command to turn on Time of Day checking on the appropriate servers.
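The check sequence described in this section, as an added Python sketch (not SafeNet/400 code and not from the original guide) for reasoning about a planned set of exclusions. It assumes a request is excluded when its weekday is marked and its time falls inside one of the rule's ranges; holidays are not modelled, and the profile and server names are constructed placeholders.

```python
# Added illustration of the Time of Day check sequence; not SafeNet/400 code.
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class TodRule:
    days: frozenset   # weekdays marked X, Monday=0 .. Sunday=6
    ranges: tuple     # up to three (start, end) pairs of datetime.time

    def __post_init__(self):
        if len(self.ranges) > 3:
            raise ValueError("at most three time ranges per rule")

    def excludes(self, when):
        # Assumption: excluded when the day is marked AND the time is in a range.
        return when.weekday() in self.days and any(
            start <= when.time() <= end for start, end in self.ranges)


def check_order(user, server, group=None, supplemental=()):
    """Yield (profile, server) keys in the sequence listed in the guide."""
    profiles = [user] + ([group] if group else []) + list(supplemental) + ["*PUBLIC"]
    for profile in profiles:
        yield (profile, server)   # specific server first
        yield (profile, "*ALL")   # then *ALL servers


def tod_allowed(rules, when, user, server, group=None, supplemental=()):
    """Return (allowed, key of the excluding rule or None)."""
    for key in check_order(user, server, group, supplemental):
        rule = rules.get(key)
        if rule is not None and rule.excludes(when):
            return False, key     # stop at the first exclusion
    return True, None             # every test passed


WEEKDAYS = frozenset(range(5))
WEEKEND = frozenset({5, 6})
ALL_DAY = (time(0, 0), time(23, 59, 59))

# Constructed sample rules: group CLERKS may not use FTPSRV outside office
# hours on weekdays, and nobody may use any server at the weekend.
TOD_RULES = {
    ("CLERKS", "FTPSRV"): TodRule(WEEKDAYS, ((time(0, 0), time(6, 0)),
                                             (time(18, 0), time(23, 59, 59)))),
    ("*PUBLIC", "*ALL"): TodRule(WEEKEND, (ALL_DAY,)),
}

if __name__ == "__main__":
    for when in (datetime(2008, 5, 14, 10, 0),    # Wednesday morning
                 datetime(2008, 5, 14, 20, 30),   # Wednesday evening
                 datetime(2008, 5, 17, 10, 0)):   # Saturday
        print(when, tod_allowed(TOD_RULES, when, "JSMITH", "FTPSRV", group="CLERKS"))
```

Because every test in the sequence must pass, a group or *PUBLIC exclusion in this model still applies to a user who has no exclusion of their own.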
To set up the Time of Day controls for a specific user, use Option 2 – Work with User to
Server Security from the SafeNet/400 Main Menu or the WRKUSRSRV command.
Type the user profile, ENTER and then press F10.
The User Time-of-Day Maintenance screen appears.
To exclude the user from all servers during the same days of the week and time of day, type 2 –
Change in front of *ALL.
To select individual servers, type 2 in front of the servers you want to change.
You can define up to three time ranges and can select which days to exclude by typing X in front
of the day.
You can also define holidays that will be used to control Time of Day access.
Press F9 to display the Time of Day Holiday Maintenance screen.
Type the dates and descriptions of your holidays.
Press ENTER.