The following series of screens demonstrates how you can set up and control network security on your IBM i server (Power/i, iSeries, AS/400) using SafeNet/i. After installing the product, the following main menu will be displayed on your system:
Menu option #1 allows you to review and change Server Security Settings. When you choose this option from the Main Menu, the following screen is displayed:
This screen lists all of the server functions that are available on your IBM i system. The exact number of server functions displayed will vary depending on which release of IBM's i/OS your system is running and what PTF level your system has installed. From this screen, you can activate different levels of SafeNet/i security features. We recommend that you start your installation by leaving the servers available for unlimited access (level 1) with logging all information (log setting 'A'). This will allow you to accumulate information about how the server functions are being used on your system. Once your baseline use is established, you can then return to this display and begin the process of tightening up server security on your system.
When you choose to specify user security, you can then modify SafeNet/i to control which users are allowed to use the various server functions on your system. Once this feature is activated, you can select a menu option on the user setup menu. For those exit points that support IP address controls, you can also activate those when you are ready. This will limit access to your system to only those device addresses that you approve in advance.
When you do, you can specify which user profile rule set you want to work with and then the following screen will be displayed:
If you want to define additional servers for this user to access, the following screen will then be displayed:
From here, you can make changes to limit the selected user so that they can only use the server functions that you want them to have access to. You can also specify the logging level for this user's accesses to various servers and control the priority for this user when attached to various servers.
Once user server security is set up, you can also control specific object access by selecting another menu option:
From here, you can limit access to specific libraries on your system and even specific objects or groups of objects within each library.
When you want to add access controls by user profile for SQL functions, you can select another option:
The above list of SQL statements will be displayed. From here, you can implement controls for the selected user on the specific SQL statements that you want them to be able to use.
SafeNet/i also lets you control remote FTP access to your system. Another option on the user setup menu gives you access to the FTP settings. Once you have selected the user profile to control, the following screen will be displayed:
Using this display, you can grant permission for the user to use the indicated FTP functions on your system. If the user is not granted specific permission, then their FTP requests will be refused.
SafeNet/i gives you control over the CL commands that can be issued by each network user on your system. Use another menu option on the user setup menu and the following screen is shown after you select the user you want to set up:
Using this screen, you can authorize a network user to have access to *ALL CL commands or just specific CL commands that you place in the list.
Another feature of SafeNet/i lets you control which TCP/IP addresses can gain access to your system via Telnet. The following screen is an example of a setup screen for Telnet:
Using this screen, you can list known IP addresses that you want to grant access to. Once this is activated, Telnet requests from all other IP addresses are denied. This screen also enables automatic signon, providing protection for your user profiles from snoopers on the Internet.
You can also control what source IP addresses can access your system when using a specific user profile to sign on:
In this example, the user profile specified is allowed to use the FTP and Remote Execution server functions to log in to the system from only the indicated source IP address.
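The baseline-then-tighten approach recommended above can be sketched outside the product. This is an added example, not SafeNet/i code: the record layout (user, server function, source IP), the sample values and the function names are all assumptions made for illustration. It reduces the use observed during the open, fully logged period to candidate per-user rules and then checks requests against them with default deny.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample records gathered while servers are open and fully logged.
# Fields (user, server function, source IP) are assumptions for illustration,
# not SafeNet/i's actual log layout.
BASELINE = [
    ("APPSVC", "FTP", "10.1.20.15"),
    ("APPSVC", "FTP", "10.1.20.15"),
    ("APPSVC", "REMOTE_EXEC", "10.1.20.15"),
    ("JSMITH", "TELNET", "10.1.30.41"),
    ("JSMITH", "SQL", "10.1.30.41"),
    ("JSMITH", "SQL", "10.1.30.77"),
]

def build_rules(records):
    """Reduce observed use to candidate allow rules: user -> server -> source IPs."""
    rules = defaultdict(lambda: defaultdict(set))
    for user, server, src in records:
        rules[user.upper()][server.upper()].add(ip_address(src))
    return {u: dict(s) for u, s in rules.items()}

def is_allowed(rules, user, server, src):
    """Default deny: permit only a user/server/source combination seen in the baseline."""
    allowed_sources = rules.get(user.upper(), {}).get(server.upper())
    return allowed_sources is not None and ip_address(src) in allowed_sources

def review_report(rules):
    """One line per candidate rule, for review before rules are entered by hand."""
    return [
        f"{user:<8} {server:<12} {', '.join(sorted(str(ip) for ip in ips))}"
        for user in sorted(rules)
        for server, ips in sorted(rules[user].items())
    ]

if __name__ == "__main__":
    rules = build_rules(BASELINE)
    print("\n".join(review_report(rules)))
    print(is_allowed(rules, "APPSVC", "FTP", "10.1.20.15"))   # baseline use
    print(is_allowed(rules, "APPSVC", "FTP", "203.0.113.9"))  # unseen source
    print(is_allowed(rules, "JSMITH", "FTP", "10.1.30.41"))   # unseen server
```

Review the candidate rules before entering them, because anything that was already happening during the baseline period would otherwise be approved along with legitimate use.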