IBM i Global


Verifying network security parameters

  • 1.  Verifying network security parameters

    Posted 2 days ago

    I must get the actual value of some network security parameters, therefore I need to know:

     1. How to view "Secure Loc" of remote locations without prompting on "DSPCFGL CFGL(QAPPNRMT)"

    2. How to view "ALWSSL" without prompting on "CHGTELNA" and pressing F4

    3. How to view "ALWSSL" without prompting on "CHGFTPA" and pressing F4

    I really need an answer similar to this one: https://www.ibm.com/support/pages/verifying-ddm-tcpip-attribute-lowest-authentication-method-password-required-current-setting

    Thank you in advance for your help



    ------------------------------
    bluehat MAR
    ------------------------------


  • 2.  RE: Verifying network security parameters

    Posted yesterday

    How about using this freeware tool named SECTCP at http://easy400.net/sectcp/html/start.htm



    ------------------------------
    Satid S
    ------------------------------



  • 3.  RE: Verifying network security parameters

    Posted yesterday
    Edited by support Me yesterday

    Thank you. Any other suggestion I would really appreciate too



  • 4.  RE: Verifying network security parameters

    Posted yesterday

    I had to check WRKCFGL on one of my lpars.  I was surprised to see I still had entries.  I thought I had cleared off all that sna stuff.



    ------------------------------
    support Me
    ------------------------------



  • 5.  RE: Verifying network security parameters

    Posted yesterday

    Some of those answers are at https://www.ibm.com/docs/en/i/7.5?topic=is-communication-services

    I had to check WRKCFGL on one of my lpars.  I was surprised to see I still had entries.  I thought I had cleared off all that sna stuff.



    ------------------------------
    Robert Berendt IBMChampion
    Business Systems Analyst, Lead
    Dekko
    Fort Wayne
    ------------------------------



  • 6.  RE: Verifying network security parameters

    Posted yesterday

    Hi thank you for your suggestions, I will check that link out.



    ------------------------------
    support Me
    ------------------------------



  • 7.  RE: Verifying network security parameters

    Posted yesterday

    Hi.

    Unfortunately, I have access to AS400 v7.4, and in this version there is no view https://www.ibm.com/docs/en/ssw_ibm_i_75/rzajq/rzajqviewtelnetattr.htm

    that only contains the telnet attributes, therefore none of the views that are listed on https://www.ibm.com/docs/en/i/7.4?topic=is-communication-services

    can help me. There is no view for the FTP attribute ALWSSL or for the Secure Loc of remote locations.

    Any other suggestions I would really appreciate



    ------------------------------
    support Me
    ------------------------------



  • 8.  RE: Verifying network security parameters

    Posted yesterday

    Mr. Me,

    You could try the APIs at https://www.ibm.com/docs/en/i/7.4?topic=category-communications-apis



    ------------------------------
    Robert Berendt IBMChampion
    Business Systems Analyst, Lead
    Dekko
    Fort Wayne
    ------------------------------



  • 9.  RE: Verifying network security parameters

    Posted yesterday

    Can you get to Navigator for i?

    Some of the info you want is there under TCP/IP Servers.



    ------------------------------
    Rich Malloy
    Principal Systems Engineer - IBMi
    Cox Automotive
    Draper UT
    ------------------------------



  • 10.  RE: Verifying network security parameters

    Posted yesterday

    Hi Rich

    I need to get those actual values from the command line in some way because I need them for automation tasks; that's why a graphical interface is not useful for me.

    Any other suggestions I would really appreciate.



    ------------------------------
    support Me
    ------------------------------



  • 11.  RE: Verifying network security parameters

    Posted yesterday

    ok - this is a little convoluted but......this MAY work for you

    File QATMFTP in QUSRSYS contains the FTP configuration. Looks like line 11 is the value for Allowing SSL

    File QATMTELN in QUSRSYS contains the telnet configuration. Looks like line 9 is the value for SSL.

    I don't have an answer for the DSPCFGL   - hope the above helps some




    ------------------------------
    Rich Malloy
    Principal Systems Engineer - IBMi
    Cox Automotive
    Draper UT
    ------------------------------



  • 12.  RE: Verifying network security parameters

    Posted yesterday

    Regarding #1, do you really still use APPC/APPN based connections (if yes for sure based on a HPR/IP aka Enterprise Extender setup)?

    If yes, you can output the DSPCFGL command to a spool file, then display this spool file through SQL with https://www.ibm.com/docs/en/i/7.4?topic=services-spooled-file-data-table-function.

    If no, you can simply delete all configuration lists, and use https://www.ibm.com/docs/en/i/7.4?topic=services-object-statistics-table-function with a selection on the *CFGL object type to output an empty list showing that there is no longer any configuration list.



    ------------------------------
    Marc Rauzier
    ------------------------------



  • 13.  RE: Verifying network security parameters

    Posted yesterday

    Hi Marc

    I am just trying to automate some tasks that I have to, but I actually do not know if technicians are still using APPC/APPN connections. But they appear with the command DSPCFGL, as you say. I understand what you say about spooled-file-data-table-function; however, I was trying to find a query that allows me to get the data more quickly and straightforwardly, like this example: https://www.ibm.com/support/pages/verifying-ddm-tcpip-attribute-lowest-authentication-method-password-required-current-setting



    ------------------------------
    support Me
    ------------------------------



  • 14.  RE: Verifying network security parameters

    Posted yesterday

    Try this (as an SQL only script);

    CALL QSYS2.QCMDEXC('DSPCFGL CFGL(QAPPNRMT) OUTPUT(*PRINT)');

    SELECT * FROM TABLE(SYSTOOLS.SPOOLED_FILE_DATA(JOB_NAME=>
    (SELECT QUALIFIED_JOB_NAME FROM TABLE(QSYS2.SPOOLED_FILE_INFO(USER_NAME => '*CURRENT')) 
    ORDER BY CREATION_TIMESTAMP DESC FETCH FIRST 1 ROWS ONLY),
    SPOOLED_FILE_NAME =>'thenameofspooledefileproducedbyDSPCFGLsuchasQSYSPRT'));

    The use of the embedded select over QSYS2.SPOOLED_FILE_INFO is required in case you run the script from iACS, as the spooled files are not owned by the current job but by a QPRTJOB named job with an unknown job number.

    Order by and fetch first are here to display only the very last spool file.

    But again, you may ask knowledgeable people to review the APPC/APPN setup and clean it up if it is no longer used. Within a security/audit context, this is a healthy behavior, just like not starting unneeded IP services.



    ------------------------------
    Marc Rauzier
    ------------------------------



  • 15.  RE: Verifying network security parameters

    Posted yesterday

    SELECT * FROM TABLE(SYSTOOLS.SPOOLED_FILE_DATA(
        JOB_NAME => (
            SELECT QUALIFIED_JOB_NAME FROM TABLE(QSYS2.SPOOLED_FILE_INFO(USER_NAME => '*CURRENT'))
            WHERE SPOOLED_FILE_NAME = 'thenameofspooledefileproducedbyDSPCFGLsuchasQSYSPRT'
            ORDER BY CREATION_TIMESTAMP DESC FETCH FIRST 1 ROWS ONLY),
        SPOOLED_FILE_NAME => 'thenameofspooledefileproducedbyDSPCFGLsuchasQSYSPRT'));

    Adding a selection to spooled file name might be better to ensure you are retrieving the correct job.



    ------------------------------
    Marc Rauzier
    ------------------------------
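
Added example (not written by any poster in this thread): Python post-processing for the rows returned by the SPOOLED_FILE_DATA query in posts 14 and 15, extracting the Secure Loc value per remote location by taking the column offset from the heading line. The sample rows, their layout and the function names are assumptions constructed for illustration; compare them with a real DSPCFGL listing before relying on the offsets.

```python
# Constructed sample of SPOOLED_DATA rows in ORDINAL_POSITION order.
# The column layout is an assumption, not a copy of a real DSPCFGL listing.
_FMT = " {:<11}{:<11}{:<11}{}"
SAMPLE_ROWS = [
    " Configuration list . . . . :   QAPPNRMT",
    _FMT.format("Remote", "Network", "Local", "Secure"),
    _FMT.format("Location", "ID", "Location", "Loc"),
    _FMT.format("SYSA", "APPN", "*NETATR", "*NO"),
    _FMT.format("SYSB", "APPN", "*NETATR", "*YES"),
    _FMT.format("SYSC", "*NETATR", "*NETATR", "*VFYENCPWD"),
    "",
]

# Values the SECURELOC parameter of a configuration list entry can take.
SECURELOC_VALUES = {"*YES", "*NO", "*VFYENCPWD"}


def parse_secure_loc(rows, heading="Secure"):
    """Return {remote_location: secure_loc} from DSPCFGL listing rows."""
    result, col = {}, None
    for row in rows:
        if col is None:
            # Derive the column offset from the heading line instead of
            # hard-coding it, so a shifted layout fails loudly, not silently.
            idx = row.find(heading)
            if idx >= 0:
                col = idx
            continue
        cell = row[col:].split()   # text starting under the heading
        name = row.split()         # first token is the remote location
        # Other columns can also hold *YES/*NO, so only the token that
        # starts at the heading offset is accepted.
        if cell and name and cell[0] in SECURELOC_VALUES:
            result[name[0]] = cell[0]
    if col is None:
        raise ValueError("heading %r not found; check the listing layout" % heading)
    return result


def locations_with(rows, value):
    """Remote locations whose Secure Loc equals value, sorted for stable diffs."""
    return sorted(k for k, v in parse_secure_loc(rows).items() if v == value)


if __name__ == "__main__":
    for loc, val in parse_secure_loc(SAMPLE_ROWS).items():
        print(loc, val)
```
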



  • 16.  RE: Verifying network security parameters

    Posted yesterday

    Thank you Marc !! I will test it and I will tell you that it helped me.



    ------------------------------
    support Me
    ------------------------------



  • 17.  RE: Verifying network security parameters

    Posted yesterday

    Hi Marc !!!

    Thank you so much for your suggestions !! However, I was trying to run it and there is a syntax error or something, because I got "Creation_timestamp" doesn't exist. I was trying this query too, but I have the same error with "ENDING_TIMESTAMP":

     SELECT QUALIFIED_JOB_NAME FROM TABLE(QSYS2.SPOOLED_FILE_INFO(
                USER_NAME => '*CURRENT',
                STATUS => '*READY *HELD'
              ))
              ORDER BY ENDING_TIMESTAMP DESC
              FETCH FIRST 1 ROW ONLY

    Thank you in advance for any ideas to solve the issue



    ------------------------------
    support Me
    ------------------------------



  • 18.  RE: Verifying network security parameters

    Posted 17 hours ago

    According to https://www.ibm.com/docs/en/i/7.4?topic=services-spooled-file-info-table-function:

    ENDING_TIMESTAMP is not a column which is provided by the table function, therefore you cannot use it in the ORDER BY clause.

    However, it should work with CREATION_TIMESTAMP, as this one is provided by the table function. So you may double check your syntax. To verify the column name, just try (with iACS) something like "SELECT * FROM TABLE(QSYS2.SPOOLED_FILE_INFO(USER_NAME => '*CURRENT'));". This statement will show you all the available column names.



    ------------------------------
    Marc Rauzier
    ------------------------------