How to contact us Direct all inquiries to: Kisco Information Systems 89 Church Street Saranac Lake, New York 12983 Phone: (518) 897-5002 Fax: (518) 897-5003 SafeNet/400 Website: SafeNet/400 Support Website: Visit the SafeNet/400 Web Site at http://www.kisco.com/safenet http://www.kisco.com/safenet/support HTTP://WWW.KISCO.COM/SAFENET...
TABLE OF CONTENTS CHAPTER 1 - SETTING UP USERS... 1.1 ETTING THE OGGING ... 1.3 DMINISTRATOR UPER RUSTED ONTROL NTERING ECURITY NTERING UTHORITIES TO NTERING UTHORITIES TO NTERING UTHORITIES TO NTERING AMES OPYING AN XISTING SER TO OPYING AN XISTING SER TO EMOVING A SER FROM...
URGE UTOMATING THE LOG FILE PURGE UTOMATING THE UTOMATING AND UNNING THE AILY ACKUP ROCEDURE CHAPTER 9 - DE-ACTIVATING AND REMOVING SAFENET/400... 9.1 /400 ... 9.1 ACTIVATING /400 EMOVING FROM YOUR SYSTEM CHAPTER 10 - PROBLEM DETERMINATION ... 10.1 RROR...
You can perform each of the steps outlined in this chapter by using the corresponding option on the SafeNet/400 Main Menu. However, if you are setting up a new user, when you are finished with one screen you can use F9 to advance to the next without returning to the main menu. If you want to skip a step, you can cancel and return to the SafeNet/400 Main Menu.
Server Function logging level. To make sure you are logging transactions correctly, we recommend that when you initially set up SafeNet/400 you set the Server Functions to log ALL and set the User to Server logging levels to either ALL or REJECTIONS.
The WRKSNADM command can be executed by a user with *SECADM or *SECOFR authority. A user profile must be set up as a SafeNet/400 ‘Super Admin’ to perform the following: Activate or deactivate SafeNet/400 Change/copy/remove the IBM-supplied Q profiles settings in SafeNet/400 Use the WRKSRV, CHGSPCSET, CHGFTPSET commands A regular SafeNet/400 user or administrator does not have authority to the above functions.
SafeNet/400 security routines. Transactions from these users can bypass the traditional SafeNet/400 security routines; you can choose to simply log them or not log them. From the Special Jobs Menu select Option 4 – Maintain Super-Users in SafeNet.
To see a list of users already defined within SafeNet/400 type *ALLDFN. The Add New Object Authorization screen appears. If you would like to see the list of all users who have been defined within SafeNet/400, press F2. Note: If this user has already been set up in SafeNet/400, the Maintain Authorized Objects by User screen is displayed.
SQL Statements they may need. If you used F9 from the previous screen, skip to Step 4. If you are currently on the SafeNet/400 Main Menu, select Option 4 - Work with User to SQL Statement Security or use WRKUSRSQL command The Work User to SQL Statements screen is displayed.
If you would like to see the list of all users who have been defined within SafeNet/400, press F2. When finished making all your selections, ENTER. Press F9 to advance to the next step - setting up user authorities to FTP statements.
FTP Server or FTP Client to Level 4. If you used F9 from the previous screen, continue with Step 4. If you are on the SafeNet/400 Main Menu, select Option 5 - Work with User to FTP Statement Security or use WRKUSRFTP command The Work User to FTP Statements, Enter User ID screen is displayed.
If you would like to see the list of all users who have been defined within SafeNet/400, press F2. Press F4 to display the Maintain Special FTP Settings for Users screen Note: Special FTP settings for a user are allowed only when your system is at OS/400 V5R1 or higher.
CL commands they may need. If you used F9 from the previous screen, continue with Step 4. From the SafeNet/400 Main Menu, select Option 6 - Work with User to CL Command Security or use WRKUSRCMD command The Work User to CL Commands, Enter User ID screen is displayed.
To remove authorization to a command, FIELD EXIT through the line to blank it out. If you would like to see the list of all users who have been defined within SafeNet/400, press F2. When finished typing all the required CL commands for this user, press ENTER.
Entering Long Path Names The default SafeNet/400 setting is to use long path names. If you choose to not use long path name support, you must first change the SafeNet/400 default setting. Use the CHGSPCSET command to set the PATHL parameter to *SHORT.
Type the user profile you are copying from, then the new profile(s) to add. When finished entering all the new profiles, press ENTER. This will set up the new profile in SafeNet/400 and return you to the Special Jobs Menu. Removing a User from SafeNet/400 This option allows you to remove a user’s authorities and settings from SafeNet/400.
Maintain all Security for a User The WRKUSRSEC command, which is not found on any of the SafeNet/400 menus, gives you the ability to perform security maintenance for an individual user without entering several different commands. When you use the WRKUSRSEC command you will be presented with the Maintain All Security for a User screen.
Supplemental Group *PUBLIC SafeNet/400 checks until all the tests are passed or until an exclusion rule is encountered. Note: In Version 8, Time of Day controls are handled differently than in previous releases of SafeNet/400. With Version 8, TOD controls are activated at the server level. Use the WRKSRV command to turn on Time of Day checking on the appropriate servers.
To set up the Time of Day controls for a specific user, use Option 2 – Work with User to Server Security from the SafeNet/400 Main Menu or the WRKUSRSRV command. Type the user profile, ENTER and then press F10.
Chapter 2 - SETTING UP SERVERS The final step in configuring SafeNet/400 is to enter the Security Level settings for all the server functions. Important: If you do this step first and restrict access to the server functions prior to setting up user rights, you may disrupt network requests until the users’...
SafeNet/400 Server Function Security Levels Level 1: • IBM default • Unlimited access, all requests accepted • Requests can be logged, reporting available • Performance impact - none Level 2: • No access at all, all requests for server are rejected •...
Level 5: • This indicates that SafeNet/400 does not recognize a program assigned to the exit point or has detected a user-defined program assigned. (Use WRKREGINF command to review existing exit point programs.) • Not supported • Cannot be changed via SafeNet/400, use WRKREGINF command •...
Server Function logging level. To make sure you are logging transactions correctly, we recommend that when you initially set up SafeNet/400 you set the Server Functions to log ALL and set the individual user logging levels to either ALL or REJECTIONS.
Basic Server Security - Supported by all Servers Level 1 - IBM Default Level 2 - No access to server Intermediate Server Security - Supported by all Servers Level 3 Special Level 3 Advanced Server Security - Supported by Specific Servers Level 4 - The user must be authorized to the server, the objects requested, the FTP Op or SQL Op, CL commands or long path to be used.
Entering Server Function Security Levels From the SafeNet/400 Main Menu select Option 1 - Work with Server Security Settings or use WRKSRV command The Maintain Server Security screen is displayed. Enter the level of security and the logging level that is required for each server description in the Current columns.
Server Security screen gives you the ability to do so. SafeNet/400 will look to see if there is a customer-written program to call. If there is, it calls the program, passing two parameters, a one-byte status code, plus the rest of the data string from the client.
Controlling TELNET Access by IP Address Set the TELNET server to Level 3 using the WRKSRV command. From the SafeNet/400 Main Menu, select Option 7 – Work with TCP/IP Address Security or use the WRKTCPIPA command and enter *TELNET as the server to control Enter the IP address in dotted decimal format (i.e., 10.2.2.2)
Setting up TCP/IP Address Controls SafeNet/400 allows you to specify which client IP addresses are either accepted or rejected by the Telnet and the FTP Servers. Turning on TCP/IP Address Checking To set-up and turn on TCP/IP address checking for the FTP Server and Rexec Server...
Setting up TCP/IP Address Control Table Use SafeNet/400 Main Menu Option 7 or the WRKTCPIPA command In IP Addresses for Server enter *FTPSERVER, *FTPCLIENT or *TELNET for the proper control table. Type the addresses to accept or reject. A indicates Accept; R indicates Reject.
Logon Server to Level 3 and the FTP Server Validation to Level 4. Follow these steps for FTP: From the SafeNet/400 Main Menu select Option 10 - Go to Special Jobs Menu From the Special Jobs Menu select Option 3 - Change Special FTP Server Settings or use CHGFTPSET command along with F4 The Change SafeNet FTP Settings screen is displayed.
For security purposes, enter it here AND grant the user profile for anonymous logons object rights to this library or group of objects within this library from the SafeNet/400 Main Menu, Option 3. For the ANONYMOUS user profile under OS/400, make the ‘Current Library’...
FTP. In other words, a user would FTP to a System i5 FTP site running SafeNet/400, and that FTP site would prompt for a user name. The user keys ‘ANONYMOUS’ and the System i5 prompts for a password.
If you do this, no one can use this profile to sign on since the password is set to *NONE. pword Enter the password to be used with the profile in parameter AUSRPRF for Anonymous FTP. SafeNet/400 Reference Guide V8.50 - May 2008...
11. Grant the ANONYMOUS user profile authority to the FTP Logon and FTP Server Request Validation server points. 12. From the SafeNet/400 Main Menu, select Option 3 - Work with User to Object Level Security or use WRKUSROBJ command 13. Grant the ANONYMOUS user authority to the library entered in step 3 above (Current Library), and specifically to any objects within the library.
On the FTP Security Settings screen, set Allow normal user IDs to log on the FTP to *YES or use RLOGON (*YES) parameter Return to the SafeNet/400 Main Menu and select the following options: • Select Option 1 - Work with Server Security Settings or use WRKSRV command Locate the FTP Logon, FTP Client and/or FTP Server points.
Working with DHCP DHCP functions are performed from the DHCP Control and Reports Menu. From the SafeNet/400 Main Menu select Option 13 – Go To DHCP Menu The DHCP Control and Reports Menu appears. The DHCP functions provide the ability to maintain MAC addresses and device names, set IP addresses and ping IP addresses.
• Setup Reports provide information on server settings, user authorities to servers and to data, etc. • Analysis Reports provide data on SafeNet/400 usage - the who, what, where and when information you need to manage your system. Analysis reports have been enhanced to include the ability to select specific dates and/or users, including summaries by group profile.
Setup Reports These reports are accessed through the SafeNet/400 Main Menu, Option 11 – Go to Setup Reports Menu (GO SN3 command) Server Status Prints each Server Function and its security level setting User to Server Security Listing Lists users and the Server Functions they are authorized to...
Usage Reports These reports are accessed through the SafeNet/400 Main Menu, Option 12 – Go to Analysis Reports Menu (GO SN4 command). Menu SN4 options 2 through 7 also give you the ability to run auto-enrollment reports and perform the auto-enrollment process.
“what-if” tool to verify the effect your settings will have before you actually turn on access control. If you have been logging network requests with SafeNet/400 you can, at any time, run each historical record through the security checking routines and receive a result of ‘ACCEPTED’ or ‘REJECTED’...
This is the preferred method if you would like immediate feedback. 1. From the SafeNet/400 Main Menu select Option 10 - Go to Special Jobs/Setup Menu or use GO SN2 command) 2. Select Option 10 - On-Line Transaction Testing or use PCTESTR command The On-Line Transaction Testing screen will appear.
3. In the Security Levels to Check field: Type C (Current) to test transactions with your present SafeNet/400 Server Security Levels Type H (Historical) to review the actual status received when the transaction was logged; no new ‘re-testing’ is performed.
Security Level to check. Note: Use this tool to develop and test your initial security settings prior to putting them into production. You can go back and change the different SafeNet/400 parameters to see how they affect each transaction.
Set up your User to Server and User to Object, SQL, FTP, CL, etc. tables if you wish to go to Security Level 4. You can use several tools provided with SafeNet/400 to test your security settings. Use the Security Report by User or the on-line version, PCTESTR. These can be run to test the collected transactions against the current or future server settings.
PCREVIEW Use the PCREVIEW command or Option 9 - On-Line Transaction Review from the SafeNet/400 Special Jobs Menu to review each transaction logged by SafeNet/400. This displays the historical transactions only. No testing can be performed using this tool. Type PCREVIEW and press ENTER.
Chapter 8 - BACKUPS AND PURGES Log file Purge When SafeNet/400 is logging client requests, the information is kept in the TRAPOD file in library PCSECDTA. At times this file may grow to a considerable size. This function deletes the records in the TRAPOD file.
Automating and Running the Security Report and the Log File Purge Together Use this method to automate both the SafeNet/400 Security Report and the Log File Purge. For this example, the purge is being done on Mondays and Thursdays. You may use any schedule you wish;...
IPL-initiated OS/400 activities that may still be allocating SafeNet/400 objects and programs. This is not required if you do not need to de-allocate all the SafeNet/400 programs. Once you have been successful in isolating your network problem, you can re-activate SafeNet/400.
After performing these steps, end all subsystems then restart them to maintain security integrity. Try your network request again. If SafeNet/400 is active, and your request is not successful, review your request log and correct the problem based on the error code on the report.
Removing SafeNet/400 from your system If it becomes necessary to completely remove SafeNet/400 from your System i5, follow these steps. Sign on to the System i5 as QSECOFR or SAFENET. De-activate SafeNet/400. Follow the instructions on the previous pages to de-activate the program.
Chapter 10 - PROBLEM DETERMINATION If SafeNet/400 is not working properly, there are a few general things to check. Error Message Received on the System i5 Did you perform an IPL after the initial SafeNet/400 installation? It is necessary to IPL your System i5 after completing the installation steps. If you do not IPL your system, you will experience unpredictable results.
SafeNet/400 related. 1. Try the same request with a user ID that has rights to all servers and has all object and all folder authority. User profile QSECOFR is set up with all rights in SafeNet/400 by default. 2. Check the log file for the request and response.
If you are unsure that SafeNet/400 is the source of the problem 1. Reset the Security Level in SafeNet/400 by following these directions: • From the SafeNet/400 Main Menu select Option 1 – Work with Server Security Settings or use WRKSRV command •...
If you receive a message on the System i5 about a SafeNet/400 or PCSECLIB program, or you still cannot resolve a client error or client application error, check to see if the system was IPL'd since you: Initially installed SafeNet/400 Applied PTFs to SafeNet/400 If not, you must IPL your system for the changes to take effect.
Unauthorized path statement No authority to SQL statement Incoming commands *OFF No authority to Root Directory Unauthorized FTP Logon Unauthorized FTP Command Unauthorized REXEC Logon Unauthorized TFTP Logon Unauthorized IP Address Invalid Op-Specific Request SafeNet/400 Reference Guide V8.50 - May 2008 10.9...
Unauthorized CL command Error with Swap Profile Error during Profile Swap User/Server Reject Code (Specific *REJECT in WRKUSRSRV) Time of Day control Function requires SafeNet/400 regular Admin authority Function requires SafeNet/400 Super Admin authority SafeNet/400 Reference Guide V8.50 - May 2008...
As a network request is processed by SafeNet/400, a record is written to the TRAPOD file. The name of the SafeNet/400 program that processed the request is in position 1-10; the status of the request is in position 11 (1= Accepted, all others are rejections);...
SafeNet/400 functions. Resetting Level 5 within SafeNet/400 When an installation has a user exit program in place that SafeNet/400 does not recognize, the exit point will automatically be set to Level 5 (unsupported). To allow SafeNet/400 to support this server you must do the following: Remove your user exit program from the registration facility in OS/400.
Pre-Power Down Program Point You can create a power down CL program to be called whenever the PWRDWNSYS command is issued. SafeNet/400 will call this program and log the request whenever the command is processed. To use this feature, create a CL program called PWRDWNCL and place it in library QGPL.
Activating SafeNet/400 Alert Notification 1. From the SafeNet/400 Special Jobs Menu select Option 7 - Change Alert Notification Status or use the CHGNOTIFY command and press F4. 2. Type *ON for parameter ALERT to activate alert notification, then ENTER. 3. Enter *YES to receive summarized alerts or *NO for detailed alerts.
Journaling SafeNet/400 Security Files You may wish to journal all changes made to any of the SafeNet/400 security files for audit purposes. Three programs are provided to assist with the journaling process: Call PCSECLIB/STRSAFEJRN • Creates all required journals (SAFENET) in library PCSECLIB •...
Contains fixed IP client addresses (static addresses) IBMFLR File and IBMFLRL (Long paths to IBM folders) Contains all IBM supplied folder names. You may add additional folder names to this file for automatic READ and/or WRITE authority as required. MACNAMES...
Be sure to pay close attention to its size and establish a schedule to purge records. This file can also be used for additional user-developed reporting. See IBM OS/400 Servers and Administration for additional information and record layouts.
Change FTP special settings CHGNOTIFY Changes status of Alert Notification CHGSPCSET Change SafeNet/400 special settings CPYSNUSR Copy settings from one SafeNet/400 user to another ENDTRP Ends the transaction logging program PCREVIEW Starts the on-line transaction review process PCTESTR Starts the on-line transaction testing program...
Removes user’s authorities to server functions SETSAFENET OPTION(A) – Activates SafeNet/400 SETSAFENET OPTION(B) – Deactivates SafeNet/400 SETVER Used to change the license code level of SafeNet/400 STRALRT Starts Alert Notification monitoring STRPRG Starts purge of log file STRPRGARC Starts archive purge/security report of log file...
Commands are allowed only if specified from Special Jobs Menu, Option 2 (CHGSPCSET command). DDM commands, NOT file requests, can be stopped by saying “NO” to Allow DDM Commands parameter. The SafeNet/400 default is “YES” to allow commands. Review existing requirements prior to changing this setting. At Level 4, users must be authorized to commands.
For Version 4 of SafeNet/400, if *DDM is set to Level 4, you must authorize each user to the CL commands they may issue to the System i5. Most System i5 systems, by default, use the QUSER profile for the communications conversation.
- File transfer from within a RUMBA emulation session - Interactive and automatic file transfer functions - File transfer from within a RUMBA or PC5250* emulation session - Interactive and automatic file transfer functions (Levels 1,2) (Level 3) (Level 4) SafeNet/400 Reference Guide V8.50 - May 2008...
Original License Management Server Description: Original License Management Server - 100 The license management server ensures valid licenses are available for Client Access, IBM and non-IBM licensed applications when requested from a client. The license management server performs this process every time a Client Access client requests a license for an application, typically upon session initiation.
Optimized Servers This server support, provided by IBM with Client Access (now iSeries Access for Windows) beginning with OS/400 Version 3 Release 1, services optimized clients: Windows 3.1 (16 bit applications), Optimized OS/2 (32 bit applications) and Windows98, Windows 2000, Windows Additional servers are supplied by IBM for each new release of OS/400.
CREATE INDEX CREATE TABLE CREATE VIEW DELETE DROP COLLECTION DROP DATABASE DROP INDEX (Levels 1,2) (Level 3) (Level 4) SafeNet/400 Reference Guide V8.50 - May 2008 DROP PACKAGE DROP TABLE DROP VIEW GRANT INSERT LABEL ON LOCK TABLE REVOKE ROLLBACK...
Data authority requirements are determined by the authorized SQL statements for the user. 3. Due to a restriction within IBM's OS/400 for versions prior to V4R1, OS/400 delivers SQL requests to SafeNet/400 with a limit of 512 characters in length. Since most SQL statements are normally much less than this limit, this is not a concern for most users.
Does not differentiate between upper and lower case file names Does not support long file names. Names over 10 characters are truncated Allows setting of global authority to IBM supplied folders and file systems Authority is granted to a folder and all data that it contains.
At Level 4, to authorize a user for access to a non-IBM folder within the QDLS file system (shared folders), you must enter two records in the OBJECT/USER security file. Example 1: A user requires access to a folder called PERSONNEL within QDLS.
Entry #3 PAYROLL.LI SafeNet/400 will convert all requests to uppercase, then check the first ten characters in each directory name for a match. Note: When native libraries or objects are accessed via the file server, .LIB, .file, etc. are added to the end of the name.
Although Showcase uses SQL statements to access OS/400 data, SafeNet/400 does NOT verify the SQL statement authority. SafeNet/400 ONLY verifies the user to server and user to objects. The SQL Statement is NOT interrogated for authority. If the user issues a SELECT statement, the object authority required is *READ.
TFTP Server Request Validation Description: TFTP Server Request Validation Clients utilizing TFTP (Trivial File Transfer Protocol), such as the IBM Net Station use this server. Where used: IBM Net Station Boot Server Identifier: *TFTPSRVR Format name: VLRQ0100 Levels Supported: Basic...