PowerTech Network Security Version 6.0


Nov 20, 2013


PowerTech Network Security
Version 6.0
Administrator’s Guide
6533 Flying Cloud Drive, Suite 200
Eden Prairie, MN 55344
Phone 253/872-7788
Fax 253/872-7904
www.powertech.com
Copyright 1999, 2010 The PowerTech Group.
COPYRIGHT
© Copyright 1999, 2010 The PowerTech Group
The following items in Network Security are protected by copyright law:
• The User Guide.
• All text and titles on the software’s entry and display panels, including the look and feel of the interaction of the
panels along with the supporting menus, pop-up windows, and function key descriptions and layout.
• Network Security utilities and commands.
Network Security is a trademark of The PowerTech Group.
Any individuals or corporations who violate these copyrights and trademarks will be prosecuted under both criminal and civil
laws and any resulting products will be required to be withdrawn from the marketplace.
The following are trademarks or registered trademarks of International Business Machines Corporation in the United States
and/or other countries: AS/400, i5/OS, OS/400, iSeries, IBM, System i, Power Systems.
Rev. 03/31/11 KK
Table of Contents
Page 3
Introduction
Why Do I Need PowerTech Network Security? ...............................................................................9
What is PowerTech Network Security? ........................................................................................10
PowerTech Network Security Architecture ...................................................................................11
Network Security Auditing & Reporting vs. Access Control ........................................................12
Terms and Definitions ...................................................................................................................13
Installation and Activation
Installing and Activating Network Security ..................................................................................15
Installation and Activation Introduction .................................................................................15
Installation Prerequisites ..........................................................................................................15
System Values ....................................................................................................................15
Auditing .............................................................................................................................16
System Requirements ..............................................................................................................16
Installation ...............................................................................................................................16
Licensing ..................................................................................................................................18
Network Security System Values ..................................................................................................19
Work with System Values Screen ...........................................................................................19
Working with Network Security System Values ...............................................................19
System Filter Rule Properties ...........................................................................................21
Activating PowerTech Network Security .....................................................................................22
Work with Network Security Activation ................................................................................22
Work with Activation ........................................................................................................23
Network Security Exit Program Activation Options ....................................................................24
Options and Function Keys .....................................................................................................24
Exit Program Activation Considerations ......................................................................................30
After Activation ............................................................................................................................30
Run a Comprehensive Report .................................................................................................31
Viewing the Report ...........................................................................................................32
PowerTech Work Management .....................................................................................................32
Changing the default wait time for PTWRKMGT class .........................................................32
Administration
Administration Overview ..............................................................................................................34
Administration ........................................................................................................................34
Reporting ...........................................................................................................................34
Network Security Rules ....................................................................................................34
Network Security Main Menu ......................................................................................................35
Displaying the Network Security Main Menu ........................................................................35
Main Menu Options ..........................................................................................................35
Network Security Configuration ...................................................................................................37
Configuration Menu Options ..................................................................................................37
Network Security Administrator’s Guide
Page 4
Servers and Functions
Managing Rules to Control Access ................................................................................................38
Work with Servers ..........................................................................................................................40
Work with Security by Server Screen ......................................................................................40
Work with Security by Server Field Descriptions .............................................................40
Work with Security by Server Options ..............................................................................41
Server Properties Window .......................................................................................................42
Work with Server Functions Screen.........................................................................................45
Options ...............................................................................................................................45
Location Rules
Default Location Rules ..................................................................................................................47
Server IDs ................................................................................................................................47
Parameters and Default Values ..........................................................................................48
Location Rules—Order of Evaluation ...........................................................................................48
Location Authority Rules ...............................................................................................................49
Working with Location Rules ..................................................................................................49
Location Authority Fields ..................................................................................................51
Adding Location Rules ..................................................................................................................53
Adding a Rule from the Work with Location Authorities Screen ............................................53
Adding a Rule from the Work with Security by Location Screen ...........................................55
Work with Network Security by Location .....................................................................................56
Copying Location Rules ..........................................................................................................57
Displaying Properties Detail ..............................................................................................57
Deleting Location Authorities ............................................................................................58
Global Location Rules ...................................................................................................................60
User Rules
Default User Rules .........................................................................................................................61
Server IDs ................................................................................................................................61
Parameters and Default Values ..........................................................................................62
User Rules—Order of Evaluation ..................................................................................................62
User Authority Rules......................................................................................................................63
Working with User Rules .........................................................................................................63
User Authority Fields .........................................................................................................65
Adding User Rules .........................................................................................................................67
Adding a Rule from the Work with Server User Authorities Screen .......................................67
Adding a Rule from the Work with Security by User Screen ..................................................69
Example—Adding User Rules .................................................................................................70
Work with Network Security by User ............................................................................................71
Copying User Authorities ........................................................................................................72
Displaying Properties Detail ..............................................................................................72
Deleting User Authorities ........................................................................................................73
Global User Rules ..........................................................................................................................75
Page 5
Object Rules
Object Rules ...................................................................................................................................76
Introduction ..............................................................................................................................76
Object Rules and Network Security .........................................................................................76
Object Rules—Order of Evaluation ...............................................................................................77
Working with Object Lists .............................................................................................................78
Work with Object Lists Options...............................................................................................79
Adding an Object List ........................................................................................................80
Changing an Object List ....................................................................................................81
Copying an Object List ......................................................................................................81
Deleting an Object List ......................................................................................................82
Renaming an Object List ...................................................................................................82
Working with Object List Entries ............................................................................................83
Adding Entries to a Type Q Object List .............................................................................84
Adding Entries to a Type I Object List ..............................................................................85
Sorting Object Lists and Object List Entries .....................................................................87
Creating Rules for Object Lists ......................................................................................................90
Specifying the Server/Functions for an Object Rule ...............................................................94
Working with Object Rules ............................................................................................................96
Using the CRTOBJRUL and CHGOBJRUL Commands ........................................................99
Deleting an Object Rule ...............................................................................................................101
Using the DLTOBJRUL Command .......................................................................................102
Work with Object Rules by User .................................................................................................104
IP Address Groups
Work with Object Rules by Location ...........................................................................................107
Working with IP Address Groups ................................................................................................110
IP Address Group Options .....................................................................................................110
Work with IP Address Groupings ................................................................................................112
Entering IP Address Groupings ..............................................................................................112
Work with IP Address Groupings Fields ..........................................................................113
Work with IP Address Groupings Options .......................................................................113
Switch Profiles
Network Security Switch Profiles ................................................................................................116
Specifying a Switch Profile ....................................................................................................116
Setting a Switch Profile for a Function ..................................................................................117
Creating a Switch Profile .......................................................................................................118
Page 6
Transaction Security
Introduction ..................................................................................................................................120
What is Transaction Security? ...............................................................................................120
Enabling Transaction Security ...............................................................................................120
Capturing Transactions ................................................................................................................121
Prerequisites to Capturing Transactions.................................................................................121
Capturing Transactions ..........................................................................................................121
About SUMCAPTRAN ...................................................................................................122
Working with Captured Transactions ...........................................................................................123
Work with Captured Transactions Fields ..............................................................................124
Work with Captured Transactions Options ............................................................................125
Sorting Captured Transactions .........................................................................................126
Deleting Captured Transactions ...................................................................................................128
Summarization Properties Fields ...........................................................................................129
Deleting Captured Transactions Manually .............................................................................130
Memorizing Transactions.............................................................................................................131
Memorizing a Transaction .....................................................................................................131
Memorize Captured Transactions Fields .........................................................................132
Working with Memorized Transactions .......................................................................................134
Work with Memorized Transactions Fields ...........................................................................135
Work with Memorized Transactions Options ........................................................................136
Sorting Memorized Transactions .....................................................................................138
Filter Rules Added with Memorized Transactions.......................................................................140
How Network Security Derives Authority Values for Rules .......................................................142
Considerations When Using Memorized Transactions ................................................................143
Performance Considerations ..................................................................................................144
Example 1: Reject All Transactions Except a Specific Transaction ............................................145
Example 2: Edit Transactions to Make Them Generic ................................................................147
Example 3: Add a Memorized Transaction for a Group ..............................................................148
Reports
Working with Reports ..................................................................................................................149
Granting Reporting Authority ................................................................................................151
Report Output Options .................................................................................................................152
Reporting Access Attempts by User ID .......................................................................................154
Reporting Access Attempts by Location ......................................................................................156
Reporting Access Attempts by Server / Function ........................................................................158
Reporting Transactions ................................................................................................................160
Reporting Access Attempts by Groups of Users ..........................................................................162
Using the LPWRRPT Command .................................................................................................164
Working with IFS File Output .....................................................................................................165
Displaying an IFS File .................................................................................................................166
Printing Rules by User ID ............................................................................................................169
Printing Rules by Location ..........................................................................................................170
Page 7
Printing Object Lists ....................................................................................................................171
Printing Object Rules ...................................................................................................................173
Working with Reporting Groups ..................................................................................................175
Work with Reporting Groups Options ...................................................................................175
Work with Report Group Members .............................................................................................176
Entering Reporting Group Members .....................................................................................176
Work with Network Security Group Members Fields .....................................................177
Work with Network Security Group Members Options ..................................................177
Utilities
Work with Utilities .......................................................................................................................179
What is PowerTech Secure Screen? .......................................................................................179
Displaying the Work with Utilities Menu ..............................................................................179
Working with PowerTech Secure Screen .....................................................................................180
Working with Secure Screen Filters.......................................................................................182
Adding A Filter ................................................................................................................182
Changing A Filter .............................................................................................................184
Copying A Filter ...............................................................................................................185
Deleting a Filter ...............................................................................................................185
Displaying a Filter ............................................................................................................185
Appendix A: Network Security Commands ...............................................................................186
Appendix B: Servers and Functions ...........................................................................................189
Understanding Servers ...........................................................................................................189
The CLI Server ............................................................................................................................192
The Transfer Function Server ......................................................................................................192
The Remote SQL Server ..............................................................................................................193
The Database Server ....................................................................................................................193
The Distributed Data Management Server ..................................................................................195
The File Server .............................................................................................................................196
The Virtual Print Server ...............................................................................................................196
The Network Print Server ............................................................................................................197
The Original Data Queue Server ..................................................................................................197
The Optimized Data Queue Server ..............................................................................................198
The FTP Application Servers .......................................................................................................198
The Signon Server ........................................................................................................................199
The Message Function Server ......................................................................................................199
The DRDA Server ........................................................................................................................200
The License Management Server .................................................................................................200
The Central Server .......................................................................................................................200
The TELNET Server ....................................................................................................................201
Page 8
The Trivial FTP Server ................................................................................................................201
The FTP Logon Server .................................................................................................................202
The REXEC Logon Server ..........................................................................................................202
Appendix C: Network Security Generic Exit Point ....................................................................203
Required Parameter Group ....................................................................................................203
Usage Notes ...........................................................................................................................205
Work with Add-On Servers ..........................................................................................................206
Adding a New Add-On Server ...............................................................................................206
Changing an Add-On Server ..................................................................................................208
Deleting an Add-On Server ....................................................................................................208
Example of a Generic Exit Point Program ...................................................................................209
Appendix D: Backing Up Network Security ..............................................................................212
Appendix E: Telnet Validation ....................................................................................................213
Telnet Verification Levels Fields ............................................................................................214
Appendix F: Servers and Applications .......................................................................................215
GUI and Programming Interfaces ..........................................................................................216
Appendix G: Network Security and IPv6 ...................................................................................218
Network Security and IPv6 tolerance ....................................................................................218
Troubleshooting Network Security ..............................................................................................219
Index ............................................................................................................................................220
Introduction
Page 9
Why Do I Need PowerTech Network Security?
PowerTech Network Security™ is a comprehensive software solution to help you understand and
control network access to the data and services on your Power Systems™ running IBM i (System i, AS/400).
Today, your network can include System i servers, PCs, mainframes, and multiple UNIX and Linux
systems. In this networked environment, tools like FTP, Client Access Express Data Transfer, Remote
SQL, DDM, and others allow easy access to your System i data and services. These alternative access
methods bypass the traditional menu-based security used by many System i installations. In today’s
networked environment, even attaching one PC to your System i introduces a new set of security
challenges that you need to consider and deal with effectively.
The System i security architecture is very robust, and has received the Department of Defense C2
security rating for “Trusted Systems”—when it is properly configured. The security exposures introduced
by network data access tools like FTP and ODBC do not indicate a failure on the part of System i
security. Instead, the level of data access you grant a user through System i security for green screen
access (menus and screens) is not the same level of access you want to allow through network tools
like ODBC.
For example, the System i authority that allows a user to view the contents of a Payroll file is the same
authority needed to download the file to a PC and post it on the Internet. IBM recognized the potential
issues and introduced additional security features to manage the problem. PowerTech Network Security
leverages these additional features to provide a separately controlled level of network data access and
service access.
The following table provides an overview of the System i authorities and the capabilities of users to
access and manipulate data and other objects using three different access methods.
System i Object Authorities

Authority   System i green screen user     PC user without Network Security   PC user with Network Security
*USE        Restricted by menu security    View, download file                Controlled by Network Security
*CHANGE     Restricted by menu security    Add, change, delete records        Controlled by Network Security
*OBJMGT     Restricted by menu security    Clear or replace file              Controlled by Network Security
*ALL        Restricted by menu security    Delete file                        Controlled by Network Security
Page 10
For example, consider payroll supervisor Bob:
• Bob has *ALL authority to the payroll master file so he can make changes to pay rates and add new
employees through green screen menus.
• However, Bob is also familiar with programs like Microsoft Excel and Microsoft Access. Using
these PC-based programs, Bob’s *ALL authority allows him to add, change, and delete records
from the payroll master. In fact, he could delete all the records from the file, or even delete the file
altogether. Even a simple typing error on Bob’s part could wipe out the entire payroll file.
• By configuring PowerTech Network Security to control Bob’s network access authorities, you can
easily prevent any of these scenarios.
What is PowerTech Network Security?
PowerTech Network Security interfaces directly with System i network access points to control and
audit network access requests. The ability to audit and control network access allows Network Security
to provide intrusion detection, and to alert the system administrator when someone attempts unauthorized
access through the network.
Network Security lets the system administrator easily configure all network access rules, including what
users can perform what functions. For example, “Can Joan in Accounting download the Payroll Master
file?,” or more generically, “Can Joan use the file download function at all?”
Network Security also allows you to easily manage remote access by specifying which SNA device or IP
address, or range of IP addresses, can perform critical functions, such as FTP. Its Switch Profile feature
allows system administrators to customize levels of network access control for a user or a group of
users. Using native System i security, Network Security Switch Profiles let the administrator decrease,
or even increase, a user’s authority to data or services.
Increasing a user’s authority is critical when the System i is configured to allow “Application Only”
access in which all data files are restricted from view by all users. Network Security does all this without
the need to change your existing System i security scheme, saving valuable time and effort.
Network Security uses a secure audit journal to log all unauthorized attempts to gain access to System i
data and services. This allows system administrators to receive alerts in real time when any unauthorized
access is attempted.
iNTroducTioN
Page 11
PowerTech Network Security Architecture
The System i provides full support to many TCP/IP applications including FTP, TELNET, DDM,
ODBC, database serving, print serving, and many others. The following figure illustrates how the
unprotected System i is available to any networked client tool. Under this scenario, System i object-level
authorities are in force.
However, there are two main problems with this approach:
1) There is no record of who did what! The System i server programs do not record who is accessing
your system, nor do they record the activity that is performed. For example, a user might use FTP to
download the payroll file to their PC, but you have no way of knowing that this has occurred.
2) You are relying solely on your System i object authorization scheme to control access to sensitive
data files and other objects. If your authorization schemes are too liberal, you are allowing access to
restricted data. If your authorization schemes are too rigid, you close off access to the data that users
need to perform their jobs.
[Figure: Network Access to System i Servers]
In the following figure, Network Security acts as your software firewall between networked clients and
your System i servers. Network Security eliminates the problems you’d see in the previous scenario:

1) Network Security provides a secured audit and reporting capability so you can easily see who is
doing what. It also provides real-time alerts when a user tries to circumvent the access rules you’ve
specified.
2) Network Security allows you to configure network access rules to control who can do what. For
example, using Network Security you can enforce network rules that say “Bob is allowed to download
the payroll file, but cannot upload the file, or modify it in any way.”
[Figure: Network Access controlled by PowerTech Network Security]
Network Security integrates with the System i network server programs at the exit point level. When
you activate Network Security, several exit point programs are installed in the System i registration
facility. You can view the names of these exit-point programs using the System i WRKREGINF (Work
with Registration Information) command.

The PowerTech Network Security exit point programs are called when someone makes a network
request to the associated server. For example, when a user requests an FTP logon, the System i FTP
server passes control to the Network Security exit point program to allow Network Security to validate
the request. Network Security may tell the FTP server to accept or reject the FTP logon request, or to
perform some other action, such as sending an alert message that an intruder has tried to penetrate the
system.
For a complete overview of the System i servers and their functions, see Appendix A: Servers and Functions.
You’ll find useful information to help you define your Network Security access rules.
Network Security Auditing & Reporting vs. Access Control
PowerTech Network Security is actually two different products in one package. It includes an auditing
and reporting option in addition to a network access control option.
Auditing and Reporting
Network Security’s auditing and reporting option allows you to collect audit information and to print
reports about who is doing what on your system through the network interfaces. Network Security can
report on all network accesses, so you can easily see potential security exposures initiated by tools such
as FTP, ODBC, data transfer, and so on.

Controlling Network Access
If you want to use Network Security to control network access to your System i, you must have a valid
license code. Network Security does not allow you to specify network access rules unless you have a
license code. When you purchase a license for Network Security, you receive a permanent license code.
A 30-day trial code also is available.

If you do not have a valid license code, contact your PowerTech Regional Sales Manager.
Terms and Definitions
The following terms are used throughout this Guide.
Term                    Definition

Product Administrator   A user, usually the System Administrator, who has full authority to configure
                        and set up rules in PowerTech Network Security.
System User             A user profile.
Switch Profile          A user profile to which a system user can switch for the purposes of changing
                        their current job user and authority.
Event                   Security-related issues that occur on System i servers. Possible event types
                        include audit journal entries, system messages, and history log entries.
Transaction             An event or action initiated by a remote system. Transactions typically attempt
                        to retrieve data, send data, or execute commands.
Captured Transaction    The full text of a transaction that is captured in a database file and preserved
                        for later review and action. Captured transactions can be converted into
                        Memorized transactions by a system administrator.
Memorized Transaction   A captured transaction that is saved and defined as a rule to allow a specific,
                        known-to-be-acceptable transaction.
Rule                    A rule establishes the action to be taken when a transaction is submitted to a
                        particular server, or server/function. Rules can accept, reject, or modify the
                        behavior of the transaction.
Location                Either an IP address or an SNA device name (Remote Location) from which
                        transactions might be sent. A location also can be a generic IP address or SNA
                        Remote Location name.
Server                  A never-ending job that receives requests (transactions) from a remote location
                        and processes the request for data or action.
Function                Each server has one or several functions. A function is a specific request type,
                        such as Send Data or Receive Data. For example, the *FTPSERVER has ten
                        functions it can execute, including SENDFILE, RECVFILE, and DELETEFILE.
User                    A user or group profile known to the System i.
Exit Point              A specific point in a server job where control can be passed to one or more
                        specific exit programs.
Exit Program            A program to which control is passed from an exit point. Server processing is
                        interrupted while the exit program executes, and then resumes when the exit
                        program passes control back to the server. An exit program can be used to
                        record transactions and to implement access control rules.
Message Property        When defining rules in Network Security, the message property entry determines
                        if Network Security should send a message to the specified message queue.
Audit Property          When defining rules in Network Security, the audit property entry determines if
                        Network Security should log a request in the system Security Audit Journal.
Accept                  To allow a transaction. The exit program checks the rules that are in place and
                        determines that the transaction should be allowed to proceed.
Reject                  To not allow, or not accept, a transaction. The exit program checks the rules
                        that are in place and determines that the transaction should be blocked.
IP Address Groups       A list of valid IP addresses associated with a generic group name for securing
                        and reporting in PowerTech Network Security.
PowerTech Groups        A list of valid profiles associated with a generic group name for reporting in
                        Network Security. You cannot use PowerTech Group names in rule definitions.
Object                  A named unit that exists (occupies space) in storage on the System i and on
                        which operations are performed by the operating system.
Installation and Activation
Page 15
Installing and Activating Network Security
Before installing Network Security, check the PowerTech Web site at http://www.powertech.com for any
additional information, such as Release Notes.
Installation and Activation Introduction
Network Security installation and activation are two separate processes. The first process, Installation,
installs Network Security on your System i. The second process, Activation, activates the Network
Security exit programs. If you install the software, but do not complete the activation process, Network
Security protection and auditing are not active. However, when you complete both processes, Network
Security can actively audit and secure your network traffic. You can install Network Security at any
time, but activation requires planning and scheduling.
Note: PowerTech Network Security makes two changes to your network attributes during exit program
activation. These modifications are necessary so the operating system is aware of the exit programs that
have been assigned to the IBM exit points.
During exit program activation, Network Security modifies the values of the following parameters:

Parameter   Description             Before    After
DDMACC      DDM request access      *OBJAUT   PTNS0107
PCSACC      Client request access   *OBJAUT   *REGFAC
Installation Prerequisites
System Values
It is PowerTech’s goal not to change system values on customer systems because we recognize that
security-conscious organizations have rigorous change control processes in place for even small changes
to system values. Therefore, we ask you to make any system value changes that are needed. However,
the Network Security installation process could change a system value to allow the install to proceed
if a system value is not set as specified below. If the Installation Wizard changes a system value during
install, it changes it back to its original value when the install completes.
To install PowerTech Network Security on your system, the following system values that control object
restores must be configured as shown.
• Set QALWOBJRST to *ALWPGMADP (at a minimum) to allow the system to restore programs
that adopt authority. Many PowerTech Network Security programs adopt the authority of the product
owner, rather than forcing you to give authority directly to administrators and end users.
Note: The install will work if QALWOBJRST is set to *ALL, but PowerTech does not recommend
using this value.
• QALWUSRDMN controls which libraries on the system can contain certain types of user domain
objects. You should set the system value to *ALL or include the name of the Network Security product
library (PTNSLIB and QTEMP as a minimum) for the product to function properly.
• Set QVFYOBJRST to 1, 2, or 3. This allows Network Security to restore all objects regardless of
their signature. (Note: If you normally check signatures, remember to check this system value after
the Network Security install process completes.)
• Set QFRCCVNRST (Force conversion on restore) to 0, Do not convert anything.
• Set QALWJOBITP (Allow jobs to be interrupted) to 1. This allows jobs to be interrupted to run
user-defined exit programs. All new jobs that become active will default to be uninterruptible.
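As an added example (not PowerTech’s code and not part of this guide), the CL commands below first record the current settings for your change log and then apply the values listed above from a *SECOFR-class command line; the QALWUSRDMN line assumes PTNSLIB and QTEMP are the only libraries you need listed.

```cl
/* Added example, not PowerTech code: record, then set, the restore-related */
/* system values the Network Security installer expects.                    */

/* 1. Print the current values first so change control has a record and    */
/*    you can put them back after the install completes.                    */
DSPSYSVAL SYSVAL(QALWOBJRST) OUTPUT(*PRINT)
DSPSYSVAL SYSVAL(QALWUSRDMN) OUTPUT(*PRINT)
DSPSYSVAL SYSVAL(QVFYOBJRST) OUTPUT(*PRINT)
DSPSYSVAL SYSVAL(QFRCCVNRST) OUTPUT(*PRINT)
DSPSYSVAL SYSVAL(QALWJOBITP) OUTPUT(*PRINT)
DSPNETA OUTPUT(*PRINT)      /* DDMACC and PCSACC as they are before activation */

/* 2. Allow programs that adopt authority to be restored. *ALWPGMADP is the  */
/*    guide's minimum; *ALL also works but is not recommended.               */
CHGSYSVAL SYSVAL(QALWOBJRST) VALUE('*ALWPGMADP')

/* 3. Let the product library and QTEMP hold user-domain objects. Shown with */
/*    only the two minimum entries (assumption); keep any libraries already  */
/*    in your list, or use '*ALL'.                                           */
CHGSYSVAL SYSVAL(QALWUSRDMN) VALUE('PTNSLIB QTEMP')

/* 4. Restore objects regardless of signature (1, 2 or 3 are acceptable).   */
/*    Re-check this value once the install finishes if you normally verify  */
/*    signatures.                                                            */
CHGSYSVAL SYSVAL(QVFYOBJRST) VALUE('1')

/* 5. Force conversion on restore: 0 = do not convert anything.              */
CHGSYSVAL SYSVAL(QFRCCVNRST) VALUE('0')

/* 6. Allow jobs to be interrupted so exit programs can run; new jobs still  */
/*    start uninterruptible.                                                 */
CHGSYSVAL SYSVAL(QALWJOBITP) VALUE('1')
```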
Auditing
Before installing Network Security, you should set up a journal to record Network Security’s transaction
auditing data.
System Requirements
Network Security requires the following:
• i5/OS (OS/400) version V5R4 or higher
• 256 MB of disk space
• Current IBM-supported PTF level
Installation
You install Network Security 6 directly from the PowerTech Web site. The installation process is
completely automated. Do the following to perform the installation:
1. Download the Network Security 6.0 Installer to your PC.
2. Double-click the .exe file to start the installation Wizard. When prompted, enter the name of the
system on which you want to install Network Security, a user ID, and password.
Note: Make sure the user profile is a member of the user class *SECOFR and has at least the
following special authorities: *ALLOBJ, *SECADM, *JOBCTL, *IOSYSCFG, and *AUDIT. The
user profile should have Limit capabilities set to *NO.
3. The Wizard installs Network Security 6.0 on your System i and places a copy of the User Guide on
your PC desktop. When the installation completes, click Finish to remove the Wizard from your PC.
Network Security installs the following product libraries, profiles, authorization lists, commands,
objects, and exit points on your system.

Installed on System            Description

2 Libraries                    Product Libraries: PTNSLIB and PTWRKMGT
3 Profiles                     • PTNSOWN, which has special authorities *ALLOBJ, *SECADM, *JOBCTL,
                                 *AUDIT, and *IOSYSCFG
                               • PTNSADM, which has no special authorities
                               • PTWRKMGTOW, which has no special authorities
                               (All these profiles are set to Password *NONE so that they can’t be used to
                               sign on to the system.)
Authorization Lists            • PTNSADM - PowerTech Network Security Administrators
                               • PTNSDTA - PowerTech Network Security Data Objects
                               • PTNSPGM - PowerTech Network Security Programs
                               • PTNSRPT - PowerTech Network Security Reports
Commands                       • WRKPTNS
                               • POWERLOCK
                               • PLNSREPORT
                               Note: The Network Security installation program places these commands in
                               the PTNSLIB library. They are copied to QGPL when you activate Network
                               Security.
PowerTech-created Exit Points  • POWERLOCK_SECURESCN
                               • POWERLOCK_WRKMGT
                               • POWERLOCK_NS
Network Security License Setup
Licensing
When you purchase Network Security, you must enter your permanent license code before you can start
using the product.
To enter your license code, select option 81, Configuration Menu, from the Network Security Main
Menu. Then, select option 2, License Setup, to display the License Setup screen.
The License Setup screen displays in Entry Mode 1, which allows you to enter your license code
manually. Press function key 11 to display the screen in Entry Mode 2, which lets you cut and paste the
license code directly from the e-mail you received from PowerTech into the License Code field.
Note: If you have a temporary license code, the license code expiration date displays at the bottom of
the screen.
You can display the PowerTech Network Security End User License Agreement from the License Setup
screen by pressing function key 8 .
When you enter a permanent license code that is not the same as the current license code, the End User
License Agreement displays automatically. You need to accept the terms of the license. If you choose not
to accept the terms of the agreement, a message displays on your screen and the new license code is not
put in place. The existing license code is not altered unless you accept the license agreement.
[Figure: Work with System Values screen with system filter rule properties]
Network Security System Values
After you’ve installed Network Security, use the Work with System Values screen to set the initial
system values for Network Security.
Note: You cannot change the Product Owner, Product Library, and Product Administrator system values.
However, you can modify the system values for Log Journal Name, Log Journal Library, Log Message
Queue Name, and Log Message Queue Library at any time.
Work with System Values Screen
From the Network Security Main Menu, select option 81, Configuration Menu. Select option 1, Work
with System Values, to display the Work with System Values screen. Use the Work with System Values
screen to set and maintain your system values.
To change default system values, enter your changes and press Enter to save them. A confirmation
message, Network Security System values successfully updated, displays at the bottom of the screen.

Working with Network Security System Values
The following describes the parameters and allowable values for each field on the Work with System
Values screen.

Product Owner
The user profile, PTNSOWN, that owns data objects and exit programs in Network Security. You
cannot change this value.
Product Library
The library, PTNSLIB, that contains all Network Security objects. You cannot change this value.
Product Administrator
The name of the user profile, PTNSADM, that owns the administrative program objects in Network
Security. This profile has authority to update Network Security files and to run Network Security
programs. We recommend granting administrators *USE authority to the PTNSADM authorization
list using the following command, where myuser is the administrator profile to add.
ADDAUTLE AUTL(PTNSADM) USER(myuser) AUT(*USE)

Note: To access reporting functions, administrators must be authorized to the PTNSRPT authorization
list. For more information, see Granting Reporting Authority, later in this User Guide.

Once authorized to the PTNSADM and PTNSRPT authorization lists, the administrator has all
the authorities needed to administer PowerTech Network Security. Product administrators have
*CHANGE authority to Network Security data and *USE authority to Network Security programs.
Log Journal Name and Log Journal Library
The Log Journal Name is the name of the journal where Network Security logs information.
Network Security ships with the log journal name set to the IBM system audit journal, QAUDJRN in
QSYS. For better performance, we recommend you specify your own journal. You should
create the journal receiver and journal and enter the journal name and library on the System Values
screen. You can control the level of detail recorded when you specify location and user authorities.

The Log Journal Library specifies the library where the log journal is located.

Notes:
1. You also can specify *NONE in the Log Journal Name field. However, if a journal name of *NONE
is found in the Network Security system values, network transactions are not journaled.
2. Some versions of PowerTech Compliance Monitor expect Network Security audit entries to be
written to QSYS/QAUDJRN. Contact PowerTech technical support if you need further information
concerning log journal entries.
Log Message Queue Name and Log Message Queue Library
The Log Message Queue Name is the name of the message queue where Network Security sends
messages if specified on location and user authority records. These messages include intrusions
detected, and certain other failed transactions. The default is the IBM system operator message
queue, QSYSOPR in QSYS. We recommend that you create your own message queue for Network
Security messages. If you don’t want to log intrusions and other network failure activity to a message
queue, enter *NONE in the Log Message Queue Name field and blank out the library name.

The Log Message Queue Library is the library where the log message queue is located.
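Creating the dedicated journal and message queue recommended here (and in the Auditing prerequisite earlier), as an added example that is not PowerTech’s code: library MYLIB and the object names PTNSRCV0001, PTNSJRN and PTNSMSGQ are placeholders, and the grant to PTNSOWN assumes the exit programs write under the product owner’s adopted authority.

```cl
/* Added example, not PowerTech code: a dedicated journal and message      */
/* queue for Network Security instead of QAUDJRN and QSYSOPR. MYLIB and   */
/* the object names are placeholders; choose names that fit your naming.  */
CRTLIB LIB(MYLIB) TEXT('Network Security log objects')

/* Receiver first, then the journal. Let the system swap receivers at the */
/* threshold (KB) but keep detached receivers until they have been saved. */
CRTJRNRCV JRNRCV(MYLIB/PTNSRCV0001) THRESHOLD(100000) +
          TEXT('Network Security journal receiver')
CRTJRN    JRN(MYLIB/PTNSJRN) JRNRCV(MYLIB/PTNSRCV0001) +
          MNGRCV(*SYSTEM) DLTRCV(*NO) +
          TEXT('Network Security transaction audit journal')

/* Queue for intrusion and failed-transaction messages.                   */
CRTMSGQ MSGQ(MYLIB/PTNSMSGQ) TEXT('Network Security intrusion messages')

/* Audit data should not be readable or clearable by everyone: exclude    */
/* *PUBLIC, then grant only the profiles that need access. PTNSOWN gets   */
/* *CHANGE on the assumption that the exit programs log under its adopted */
/* authority (confirm with PowerTech support); add your auditors' group   */
/* with *USE as needed.                                                   */
GRTOBJAUT OBJ(MYLIB/PTNSJRN)  OBJTYPE(*JRN)  USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(MYLIB/PTNSMSGQ) OBJTYPE(*MSGQ) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(MYLIB/PTNSJRN)  OBJTYPE(*JRN)  USER(PTNSOWN) AUT(*CHANGE)
GRTOBJAUT OBJ(MYLIB/PTNSMSGQ) OBJTYPE(*MSGQ) USER(PTNSOWN) AUT(*CHANGE)

/* Review what has been journaled so far (after activation).              */
DSPJRN JRN(MYLIB/PTNSJRN) OUTPUT(*PRINT)
```

Enter MYLIB/PTNSJRN and MYLIB/PTNSMSGQ in the Log Journal and Log Message Queue fields on the Work with System Values screen once the objects exist.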
System Filter Rule Properties
The Work with System Values screen also allows you to specify system filter rule properties.
Authority
The authority assigned if no other authority is found for a server or function. Possible values are:
*OS400    Network Security allows the transaction without taking any action
*REJECT   Network Security rejects requests for the transaction
*SWITCH   Network Security switches the job to run as the user profile specified in the Switch Profile field
Audit All Server Requests
Controls the type of requests Network Security will log. Network Security uses this value if no other
value is entered for a server or function. Possible values are:
Y Log All requests
N Only log authority failures
Send Immediate Message
Determines if Network Security sends a message to the log message queue. Network Security uses
this value if no other value is entered for a server or function. Possible values are:
Y A message is sent to the specified queue
N No message is sent
Capture Transactions
Capture transactions for Memorized Transaction Request (MTR). Network Security uses this value if
no other value is entered for a server or function. Possible values are:
Y Capture transactions
N Do not capture transactions
Switch Profile
The name of a Switch Profile. If you enter a profile name, processing is switched to run as the specified
profile and under this profile’s authority. Network Security uses this value if no other value is
entered for a server or function. Possible values are:
*NONE            No switch profile is used.
switch-profile   The switch profile to process under. The profile you specify must be an active profile on the System i.
Last Change User/Date/Time
The user profile that changed the Network Security system values and the date and time the changes
were made.
Activating PowerTech Network Security
Network Security uses several exit programs that interact with the various servers on the System i. For
the servers to use the exit programs, the exit programs must be registered. The Network Security
activation process uses the Add Exit Program (ADDEXITPGM) command to add the exit programs to
the system registry. (You can use the Work with Registration Info [WRKREGINF] command to see a list
of registered exit programs.)
You can select from either of two methods to register the exit programs:
• The Silent method (performed during an IPL)
• The Interactive method
Warning: The Interactive method stops and starts some processes and servers. If you want to use the
interactive method on a production system, you should plan it at a time when it will not interfere with
your critical business processes.
Work with Network Security Activation
Network Security provides several activation/deactivation options and information on your activation/
deactivation setup.
From the Network Security Main Menu, select option 81, Configuration Menu. On the Configuration
Menu, select option 3, Work with Activation, to display the Work with Activation screen.

Use the Work with Activation screen to specify the exit points protected by Network Security. You can
activate, deactivate, remove pending changes, initiate Silent activation, and delete activation requests.
[Figure: Work with Activation]
Work with Activation
The following describes the parameters and allowable values for each field on the Work with Activation
screen.
Server
The name of the Server.
Pending Change
The pending change shows the action that Network Security will take on the exit point when an
activation is run. Different exit points can have different pending changes.
Current program
The program currently registered to the exit point. A valid exit program is any program that isn’t a
Network Security program. If an exit point is activated with the Retain supplemental option, the exit
program will be made supplemental to the PowerTech Network Security exit program at activation
time.
Current supplemental
*YES in this field indicates the exit program currently is registered to the exit point as supplemental
to Network Security’s exit program. However, a PowerTech Network Security exit program cannot
be supplemental to itself. This shows the program currently set up within PowerTech Network
Security as the supplemental exit program for that exit point. If an exit point is deactivated with the
Reinstate supplemental option, the supplemental program will be registered as the exit program at
activation time. *NONE indicates there is no supplemental exit program for the exit point.
Network Security Exit Program Activation Options
You can set an exit point for activation and specify that the existing exit program runs as supplemental to
Network Security. Use the Work with Activation screen to activate or deactivate the exit points you want
to protect with Network Security.
The Work with Activation screen also allows you to select either interactive or silent activation.

Note: You must have sufficient authority to change activation requests, run manual requests, or set silent
activations. You should have *ALLOBJ, *SECADM, *JOBCTL, and *IOSYSCFG special authorities
(or be part of a group or supplemental profile with these authorities), or make sure your user profile is on
the PTNSADM authorization list. If you don’t have sufficient authority, you can only display the current
activation setup.

Options and Function Keys
To select an option on the Work with Activation screen, enter the option number in the Opt column, next
to the server(s) you want to work with.
[Figure: Work with Activation Options and Function Keys]
Select the Servers to Activate
You can select from the following options on the Work with Activation screen:
1=Set to Activate
You can specify option 1 (Set to Activate) for one or more exit points. Enter a 1 next to a server to
mark it for activation. When you press Enter, *ACTIVATE displays in the Pending Change column
on the Work with Activation screen.
After you set the Pending Change field to *ACTIVATE, you must run the activation request to apply
the Network Security exit program to each selected exit point. You can select to run an Interactive
activation request (function key 20, Run activation) or a Silent activation request (function key 18,
Add silent activation).
Notes:
• To activate all exit points, press function key 13 (Set all to Activate).
• The *DDM and *DRDA servers are physically the same server and are activated (or deactivated)
together. If you choose to activate one, both are activated. They appear as separate servers in the
list so that you can define different rules for each, and are interpreted as different servers at run
time. However, the activation process activates them together.
2=Set to Deactivate
Select option 2 to flag a server so that the Network Security exit program is removed from the exit
point when you run deactivation. You can select one or more exit points for deactivation. When you
press Enter, *DEACTIVATE displays in the Pending Change column.
Note: To deactivate all exit points, press function key 14 (Set all to Deactivate).
3=Remove pending change
Select option 3 to remove a pending change from a server so that no changes are made to the server
when you run activation. Use this option if you’ve already set an exit point to activate (or deactivate),
and want to remove the pending change for the exit point.
11=Set to Activate/retain supplemental
Select option 11 to flag the exit point for activation and retain the existing exit program, making it
supplemental to the Network Security exit program.
12=Set to Deactivate/reinstate supplemental
Select option 12 to flag the exit point for deactivation (remove the Network Security exit program)
and reinstate the supplemental program as the exit program.

Use the following function keys to activate the selected exit points:
F13=Set all to Activate
Press function key 13 to set all servers to *ACTIVATE.
F14=Set all to Deactivate
Press function key 14 to set all servers to *DEACTIVATE.
F15=Reset all
Press function key 15 to reset all fields to default settings of *NONE.
[Figure: Pending Activate request]
F18=Add silent activation
Press function key 18 to specify a silent activation. Use this if you plan to schedule an IPL during
evening hours or on a weekend. When you select silent activation, you accept the activation setup
so it is ready to be applied at the next system IPL. A message displays at the bottom of the screen
confirming the silent activation request.
Note: A silent activation runs with PTNSOWN authority even if the user initiating the activation
lacks the proper authority.
Using Silent Activation
For Network Security to activate itself at the next IPL, it changes the QSTRUPPGM system value to
LNUR004, which is a Network Security-supplied program. This program does the following at IPL,
or when the controlling subsystem next starts:
1. Registers all Network Security exit programs to the associated exit point.
2. Retrieves the name of your original startup program from the data area QGPL/LNUA010.
3. Resets the QSTRUPPGM system value to the original value.
4. Deletes the Network Security startup data area QGPL/LNUA010.
5. Calls your original Startup program, which should begin your normal system startup routine.
Notes:
• If you decide you don’t want to use Silent Activation, display the Work with Activation screen
and press function key 19, Remove silent activation.
Do not delete the Network Security product library after selecting Silent Activation without
canceling the activation.
• Network Security activation recognizes the presence of an existing exit program and gives you
the option to register it as a supplemental exit program. You do not need to do this, but should
be aware of the consequences if the current exit programs are being used for other processes on
your system.
• A PowerTech Network Security exit program cannot be made supplemental to itself.
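A CL program to run before the IPL, as an added example that is not part of PowerTech’s product or this guide: it checks that a pending Silent Activation is in a consistent state (the failure mode the first note warns about) using the QSTRUPPGM value, LNUR004 and QGPL/LNUA010 described above; the checks, the CPF message IDs monitored and the message texts are our own choices.

```cl
/* Added example, not PowerTech code: verify a pending Silent Activation  */
/* is consistent before the IPL. Object names come from the guide; the    */
/* checks and message texts are our own.                                  */
PGM
  DCL VAR(&STRUP) TYPE(*CHAR) LEN(20)  /* QSTRUPPGM: program 1-10, library 11-20 */
  DCL VAR(&PGM)   TYPE(*CHAR) LEN(10)
  DCL VAR(&LIB)   TYPE(*CHAR) LEN(10)

  RTVSYSVAL SYSVAL(QSTRUPPGM) RTNVAR(&STRUP)
  CHGVAR VAR(&PGM) VALUE(%SST(&STRUP 1 10))
  CHGVAR VAR(&LIB) VALUE(%SST(&STRUP 11 10))

  /* Nothing pending: QSTRUPPGM still names your own startup program.     */
  IF COND(&PGM *NE 'LNUR004') THEN(DO)
     SNDPGMMSG MSG('No silent activation pending; QSTRUPPGM is' *BCAT +
                   &LIB *TCAT '/' *TCAT &PGM)
     RETURN
  ENDDO

  /* LNUR004 runs at the next IPL, so it must still exist (the product     */
  /* library must not have been deleted) and so must the data area that   */
  /* holds the name of your original startup program. Escape if not.      */
  CHKOBJ OBJ(&LIB/&PGM) OBJTYPE(*PGM)
  MONMSG MSGID(CPF9801 CPF9810) EXEC( +
     SNDPGMMSG MSGID(CPF9898) MSGF(QSYS/QCPFMSG) MSGTYPE(*ESCAPE) +
       MSGDTA('Silent activation pending but' *BCAT &LIB *TCAT +
              '/LNUR004 is missing: cancel it with F19 or restore the library'))
  CHKOBJ OBJ(QGPL/LNUA010) OBJTYPE(*DTAARA)
  MONMSG MSGID(CPF9801) EXEC( +
     SNDPGMMSG MSGID(CPF9898) MSGF(QSYS/QCPFMSG) MSGTYPE(*ESCAPE) +
       MSGDTA('Silent activation pending but QGPL/LNUA010 is missing'))

  /* Consistent. Show the original startup program LNUR004 will reinstate. */
  DSPDTAARA DTAARA(QGPL/LNUA010)
  SNDPGMMSG MSG('Silent activation pending:' *BCAT &LIB *TCAT +
                '/LNUR004 will register the exit programs at the next IPL')
ENDPGM
```

After the IPL, WRKREGINF (as described under Activating PowerTech Network Security) shows whether the exit programs were registered and QSTRUPPGM should again name your own startup program.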
Press Enter to confirm the Network Security activation or press F19 to submit the activation to batch.
If you don’t want to accept the current activation setup, press F12 to return to the Work with Activation
screen.
If the activation request finds active server jobs, the Server Jobs to End screen displays with a list of the
jobs. We recommend that you end all active server jobs to complete the activation. Follow the instructions
on the screen to end the jobs.
[Figure: Confirm Activation]
F19=Remove silent activation
Press function key 19 to remove a silent activation request. The confirmation message, Silent activation
canceled, displays at the bottom of the Work with Activation screen.

Note: If you enabled silent activation on your system, you must select this option before deleting
Network Security from your system to ensure it is removed properly.
F20=Run activation
For an Interactive activation, press function key 20 to run the activation request. You can run the
activation after you’ve set one or more exit points to activate (by selecting option 1, Set to Activate,
F13, Set all to Activate, or option 11, Set to Activate/retain supplemental). The Confirm Activation
screen displays when you press F20.
[Figure: Product Activation confirmation message]
When the activation completes, a confirmation message displays at the bottom of the Work with
Activation screen.
Note: If the operating system NetServer was active prior to adding the Network Security exit programs
to the IBM exit points, it should restart after activation. To check if the NetServer is active, enter the
following command:
WRKACTJOB SBS(QSERVER) JOB(QZLSSERVER)
If the QZLSSERVER job is not active, you must restart the NetServer. Use the following command to
start the NetServer:
strtcpsvr *netsvr
Exit Program Activation Considerations
If exit programs already have been assigned to the exit points Network Security uses, you can retain
them as supplemental exit programs by selecting the server for activation using option 11, Set to
Activate/retain supplemental. When you run the activation process, the operating system registration
facility is updated to reflect that Network Security is the new exit program, and the Network Security
internal tables are updated to show that your exit program is now a supplemental exit program.
Supplemental exit programs are called from the Network Security exit program after the Network
Security exit program runs successfully. If you choose not to have Network Security make your existing
exit programs supplemental, they are no longer called. Consider the implications if those exit programs
are being used for other processes on your system. Network Security does, however, record the names of
your original exit programs in a file named LNSSEP in library QGPL, so they can be recovered later.
Activation of the Network Security exit programs requires that the subsystems QCMN and QSERVER, as
well as the server jobs, are ended and restarted. If you perform an interactive activation, current
user sessions may be terminated.
The QCMN subsystem is typically used to support SNA communications traffic. If you have an alternate
subsystem that supports SNA traffic, you must manually end and restart that subsystem to activate the
exit program that handles SNA traffic.
Most System i installations use the QCTL controlling subsystem. However, if you use QBASE as your
controlling subsystem, then SNA traffic typically runs under QBASE. In this case, you need to end and
restart QBASE to install Network Security support for SNA traffic. Ending QBASE brings your system
into restricted state. If you use QBASE, you should not perform an Interactive activation, but select
Silent activation to activate Network Security at the next IPL.
After Activation
After you have activated Network Security, you should run a report to determine what kind of network
transactions are being processed by your system. In some cases, you might have a huge number of trans-
actions being generated by one or two application packages. This can occur for heavy users of ODBC,
such as JDE OneWorld, SAP, Bytware Messenger Plus, and Quadrant FastFax.
We recommend that you run a comprehensive report soon after activating Network Security, and then
every 12 hours until you can determine if you have some of these heavy volume applications.
Run a Comprehensive Report
From the Network Security Main Menu, select options 80, Reports Menu, then select option 3, Server/
Function Report Menu, to display the Server Function Report Menu.
From the Server Function Report Menu, select option 1, All Transactions, to run a comprehensive report.
Server Function Report Menu
All Servers All Functions - All Transactions
Press Enter to display the All Servers All Functions - All Transactions screen. Enter your specifications
and press Enter to run the report.
Viewing the report
To view the report, and determine the types of network transactions being processed by your system,
enter the following command from a command line:
WRKSPLF
If you find that you have an application that’s generating a huge number of transactions, you should
determine the user of the application (usually one person) who is sending the transactions. Then create a
user record setting the audit and message flags to NO for that user only.
Network Security is now ready to begin protecting your System i. Network activity that has occurred since
you activated the Network Security exit programs is logged and can be monitored using Network Security
reporting to expose potential security breaches.
PowerTech Work Management
PowerTech installs a work management subsystem called PTWRKMGT with Network Security. This is
so that the PowerTech products can submit long-running batch jobs without interfering with customer
job queues. The job SUMCAPTRAN runs in PTWRKMGT specifically for Network Security to summa-
rize captured transactions for further display.
The PTWRKMGT library installed with Network Security consists of a subsystem description and a
class description.
PTWRKMGT is first activated when a product needs to use it, for example, when the summary job for
captured transactions starts. All jobs currently intended for PTWRKMGT are submitted jobs; there are
no prestart or auto-start jobs. The work management subsystem also is used by other PowerTech prod-
ucts. If you already have another PowerTech product installed on your system, PTWRKMGT will not be
installed again.
Changing the Default Wait Time for the PTWRKMGT Class
Each monitor has a 30-second delay allowed (by default) for reporting back that it is ending. You can
raise the delay time if any of the following conditions apply to your system(s):
• The system is slow
• The system has a large number of entries
• The system leaves monitors running for an extended period or has environments that generate
excessive job logs
To change the default wait time, enter the following command and press F4:
CHGCLS PTWRKMGT/PTWRKMGT
When the Change Class screen displays, you can customize the default wait time. (You also can access
this screen by using the WRKCLS PTWRKMGT/PTWRKMGT command.)
Note: Changes to attributes of the work management class will be reflected the next time a job starts in
PTWRKMGT.
Change Class command
Administration Overview
Administration
Network Security administration is designed to be intuitive and easy to use. You can work from the
Network Security menus, or use Network Security commands. The commands provide additional
flexibility and control when you include them in your programs.

Reporting
Network Security includes a comprehensive set of reports that can help you identify your network
access exposures. For example, you can see information on all network access attempts when you run a
report for All users at All locations. This provides the detail you need to determine who is connecting to
your system and what functions are being performed. You also can limit the report to a particular user or
location.
Transaction reports allow you to see who is sending remote commands to your system, or manipulating
data files through network interfaces like FTP or ODBC. Network Security allows you to customize your
reports so you can see only the information you need. See the Network Security Reports section, later in
this User Guide for complete information.
Network Security Rules
The real power of Network Security is its ability to control network access according to the rules you
specify.
A Network Security administrator can easily configure all network access rules, including specifying
which users can perform what functions. Network Security also allows you to regulate remote access
by specifying which SNA device or IP address, or range of IP addresses, can perform critical functions,
such as FTP. Network Security also offers a unique Switch Profile technology that allows you to custom-
ize levels of network access control for a user or for a group of users. Using native System i security, the
Switch Profiles function allows you to decrease or increase a user’s authority to data or services.
Network Security Main Menu
Use the Network Security Main Menu to work with Network Security servers, rules, reports, transac-
tions, configuration, and utilities.
Displaying the Network Security Main Menu
To display the Main Menu, enter the following command on a System i command line:
WRKPTNS
Note: The Network Security install process places the WRKPTNS command in library PTNSLIB.
Network Security activation copies the command to QGPL. If PTNSLIB or QGPL are not in your
library list, enter the command as PTNSLIB/WRKPTNS or QGPL/WRKPTNS.
Network Security Main Menu
Main Menu Options
You can select from the following Main Menu options:
1. Work with Security by Server
Select option 1 to work with Network Security servers. A list of servers displays allowing you to
work with server functions and edit server location and server user authorities. See Working with
Servers, later in this User Guide, for complete information.
2. Work with Security by User
Select option 2 to work with authorities by user. See Working with User Rules for complete
information.
3. Work with Security by Location
Select option 3 to work with authorities by location. See Working with Location Rules.
4. Work with Security by Object
Select option 4 to work with object security. For more information, see Working with Object
Security.
5. Work with IP Address Groups
Select option 5 to work with IP Address Groups. For more information, see Working with IP Address
Groups.
10. Work with Captured Transactions
Select option 10 to work with captured transactions. For more information, see Working with
Captured Transactions.
11. Work with Memorized Transactions
Select option 11 to work with memorized transactions. For more information, see Working with
Memorized Transactions.
80. Reports Menu
Select option 80 to work with Network Security reports. For more information, see Network Security
Reports, later in this User Guide.
81. Configuration Menu
Select option 81 to work with Network Security system values, license information, and activation.
For more information, see Network Security Configuration.
82. Work with Utilities
Select option 82 to work with PowerTech Secure Screen. For more information, see Network
Security Utilities.
Network Security Configuration
Use the Configuration Menu to set and maintain Network Security system values, enter your license
code, and activate or deactivate Network Security exit programs.
To display the Configuration Menu, select option 81 from the Main Menu.
Network Security Configuration Menu
Configuration Menu Options
You can select from the following options:
1. Work with System Values
Select option 1 to enter your Network Security system values settings. See Network Security System
Values, earlier in this User Guide, for more information.
2. License Setup
Select option 2 to enter your product license code. For more information, see Licensing, earlier in
this User Guide.
3. Work with Activation
Select option 3 to work with Network Security activation and deactivation. For more information,
see Activating PowerTech Network Security, earlier in this User Guide.
Managing Rules to Control Access
This section explains the process of setting and maintaining the security rules that control network
access to your system. It describes setting rules by client location, user ID, and object, as well as the
process of creating PowerTech Network Security switch profiles.
Note: Many of the examples shown throughout this section use *FTPSERVER. The process of setting
up other servers is similar, although you will see different functions. In addition, some types of rules
may not apply to all servers.
Network Security allows you to set rules for controlling the action of each of the System i network
servers and server functions. You can set these rules for locations (SNA device names, IP addresses, or
ranges of IP addresses). You also can set rules for a user ID: by user profile, group profile, or supplemental
group profile. Additionally, Network Security lets you set object rules, which are configured at the
object level for a specific user or location, a specific object, and a specific type of access.
For example, create a location rule to direct the System i FTP server to reject any FTP request coming
from outside your local network. Or, create a rule by user ID that directs the FTP server to reject any
upload attempt from users who are members of a particular group profile. Creating an object rule allows
you to specify who can access your System i payroll database.
Rules establish the action to be taken when a particular server or server function is accessed. You can
specify the following actions:
• Allow the request using the user’s normal System i authorities as if Network Security were not
installed
• Reject the request
• Allow the request after switching the request to run under the authority of a different user profile—
the switch profile
• Use the rules specified in a previously memorized transaction
Switch user profiles provide flexible network access control using standard security.
The switch profile action is the key to providing flexible security for your network users. This action
lets you specify an alternate user profile, called a switch profile, that network access requests run under.
This allows you to use standard System i security commands to establish the authorities to objects on
your system for a user when they access the system through the network servers.
Network Security always searches for location access rules first.
User access rules are considered only if a location access rule is found with an action that indicates that
user access rules should be used.
Active Rule and Rule Derivation
When working with Server Properties, and User and Location rules, you can press function key 19 to see
server or rule detail screens that provide Active Rule and Rule Derivation information.
Network Security has a hierarchy of rules, and the server or rule Detail screen shows which rule is
currently active. For most rules, you can set most of the values that determine what the rule does to
* (or *DEFAULT), which means the value is taken from the level above.
The Rule Derivation section of the Rule Detail screen lets you see, for a given rule, 1) which values are
set to the default and 2) from which level that value came.
For example, suppose there is a rule for user KIKI and the audit, capture, and message values are all
set to *. If that rule is invoked, those asterisks each must resolve to either Y or N. If all properties are
set as shown in the following table, then the Active Rule for user KIKI is Audit = Y, Message = Y, and
Capture = N.
Level                             Audit  Msg  Cap
System (set in System Values)       Y     Y    Y
Server                              *     N    N
Function                            *     Y    *
KIKI                                *     *    *
Active Rule                         Y     Y    N
The following screen shows the rule detail. The asterisks in the Audit, Msg, and Cap fields in the Rule
Derivation section for KIKI take the values from the levels above. The Active Rule is the rule that
results from the Rule Derivation values.
User Rule Detail showing Active Rule and Rule Derivation
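The derivation described above can be carried out mechanically. The following is an added example written for this guide, not PowerTech code: it walks each of the Audit, Msg and Cap flags from the most specific level (the user or location rule) upward until it finds a concrete Y or N, exactly as the Rule Detail screen resolves the asterisks. The level names, the KIKI table (transcribed from the text) and the rule that the System level must be fully specified are the only inputs; the function also rejects a value other than Y, N or *, which the product's screens would not let you enter in the first place.

```python
"""Resolve the Active Rule from a Rule Derivation hierarchy.

Added example; this is not PowerTech code. Each level of the hierarchy
(System Values, server, server function, then the user or location rule)
carries the Audit, Msg and Cap flags. A '*' at any level means "take the
value from the level above"; the System level has nothing above it, so it
must hold a concrete Y or N for every flag.
"""
from typing import Dict, List, Tuple

FLAGS = ("Audit", "Msg", "Cap")
INHERIT = "*"

# A level is (level name, {flag: "Y" | "N" | "*"}), listed top-down.
Level = Tuple[str, Dict[str, str]]

# The KIKI example from the text, transcribed as constructed sample data.
KIKI_HIERARCHY: List[Level] = [
    ("System",   {"Audit": "Y", "Msg": "Y", "Cap": "Y"}),
    ("Server",   {"Audit": "*", "Msg": "N", "Cap": "N"}),
    ("Function", {"Audit": "*", "Msg": "Y", "Cap": "*"}),
    ("KIKI",     {"Audit": "*", "Msg": "*", "Cap": "*"}),
]


def resolve_active_rule(hierarchy: List[Level]) -> Dict[str, Tuple[str, str]]:
    """Return {flag: (effective value, name of the level that supplied it)}.

    Walks each flag from the most specific level (last entry) upward and
    stops at the first level holding a concrete Y or N.
    """
    if not hierarchy:
        raise ValueError("hierarchy must contain at least the System level")
    top_name, top_flags = hierarchy[0]
    for flag in FLAGS:
        if top_flags.get(flag, INHERIT).upper() not in ("Y", "N"):
            raise ValueError(f"{top_name} level must set {flag} to Y or N")

    active: Dict[str, Tuple[str, str]] = {}
    for flag in FLAGS:
        for name, flags in reversed(hierarchy):
            value = flags.get(flag, INHERIT).upper()
            if value in ("Y", "N"):
                active[flag] = (value, name)
                break
            if value != INHERIT:
                raise ValueError(f"{name}: {flag} must be Y, N or *, got {value!r}")
    return active


def active_rule_line(hierarchy: List[Level]) -> str:
    """The Active Rule row as the Rule Detail screen shows it, e.g. 'Y Y N'."""
    active = resolve_active_rule(hierarchy)
    return " ".join(active[flag][0] for flag in FLAGS)


if __name__ == "__main__":
    active = resolve_active_rule(KIKI_HIERARCHY)
    print("Level     " + "  ".join(f"{f:>5}" for f in FLAGS))
    for name, flags in KIKI_HIERARCHY:
        print(f"{name:<9} " + "  ".join(f"{flags[f]:>5}" for f in FLAGS))
    print(f"{'Active':<9} " + "  ".join(f"{active[f][0]:>5}" for f in FLAGS))
    for flag in FLAGS:
        print(f"  {flag} = {active[flag][0]} (from {active[flag][1]})")
```

Run stand-alone, the script prints the KIKI table followed by the Active Rule row Y Y N and, for each flag, the level that supplied the value. The point to take from it when reading a Rule Detail screen: a Y or N shown in the Active Rule is not necessarily set on the rule you are looking at, so changing the flag on a user rule has no effect while it is still *.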
Work with Servers
The first step in creating location or user authority rules is to select the server or servers for which you
want to create authority rules. From the Network Security Main Menu, select option 1 to display the
Work with Security by Server screen. (You also can display the screen by entering the LWRKSRV
command on a command line.)
Work with Security by Server Screen
The Work with Security by Server screen displays a list of servers and allows you to work with a server
by entering an option in the Opt column.
Work with Security by Server
Work with Security by Server Field Descriptions
The following describes the fields on the Work with Security by Server screen.
Server
The name of the IBM server.
Server Description
A description of the IBM server.
Rules Active
Indicates whether Network Security will enforce rules for the server. Possible values are:
Y Network Security will enforce rules for this server
N Network Security will not enforce rules for this server
Exit Pgm Enrolled
Indicates whether a Network Security exit program is configured (activated or deactivated) for this
server. Possible values are:
Y A Network Security exit program is configured for the server.
N A Network Security exit program is not configured for the server.
Work with Security by Server Options
You can select from the following options on the Work with Security by Server screen. Press function
key 23 to see additional options. Note: You can enter an option next to more than one server at a time.
This allows you to perform more than one task at a time.
FN=Work with Functions
Enter FN (Work with Functions) next to a server to display the Work with Server Functions screen.
Use the Work with Server Functions screen to see a list of functions for a server, and to edit function
location authorities and function user authorities.
LA=Edit Location Authority and UA=Edit User Authority
To create or maintain Location and User authority rules, enter either LA (Edit Location Authority) or
UA (Edit User Authority) next to a server. Option LA displays the Work with Location Authorities
screen; option UA displays the Work with Server User Authorities screen. For complete information
on creating or maintaining rules, see Location Authority Rules and User Authority Rules, later in this
User Guide.
CT=Captured Trans and MT=Memorized Trans
To work with Captured transactions or Memorized transactions, enter either CT (Captured Trans)
or MT (Memorized Trans) next to a server. Option CT displays the Work with Captured Transactions
screen; option MT displays the Work with Memorized Transactions screen. For complete
information on captured and memorized transactions, see Capturing Transactions and Memorized
Transactions, later in this User Guide.
SP=Server Properties
Enter SP (Server Properties) next to a server to display the Server Properties window. Use the
window to maintain and edit server properties.
Server Properties Window
The Server Properties window allows you to change one or more of the properties for a selected server.
To change a server property, type over the existing value and press Enter. Server properties provide
processing control to PowerTech’s exit programs and also act as defaults for server function values.
You can enter the following values in the Server Properties window. The server name and description
display at the top of the window and cannot be changed.
Network Security rules enforced?
The PowerTech rules defined for this server are enforced. Possible values are:
Y Enter Y to enforce the PowerTech rules defined for this server.
N Enter N if you don’t want to enforce the PowerTech rules for this server.
Authority
The authority assigned to the server. The value you enter is used when *SERVER authority is placed
on a server function. Possible values are:
*SYSTEM Use the authority defined for the system.
*OS400 Allow the transaction without taking any action.
*REJECT Reject all requests for the transaction.
*SWITCH Switch the job to run as the user profile specified in the switch profile field. A
switch profile entry is required.
*MEMOS400 Check Memorized Transactions (MTR) for authority. If no MTR authority is
found, allow the transaction.
*MEMREJECT Check Memorized Transactions (MTR) for authority. If no MTR authority is
found, reject requests for the server.
*MEMSWITCH Check Memorized Transactions (MTR) for authority. If no MTR authority is
found, use the authority of the switch profile for the server. A switch profile
entry is required.
*MEMOBJ Check Memorized Transactions (MTR) for authority. If no MTR authority is
found, check the transaction against the object rules.
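The order in which these Authority values are applied is easy to get wrong, in particular that a matching memorized transaction always takes precedence over the *MEM... default, and that *SWITCH and *MEMSWITCH fail without a switch profile. The following is an added example written for this guide, not PowerTech code, that models that dispatch. The MTR table, the object rules, the fields used to match a memorized transaction (server, function, user, location), and the outcome when *MEMOBJ finds no object rule are assumptions made for the example; the product's own files and matching rules are not described on this page.

```python
"""Authority dispatch for a server property, with Memorized Transaction fallback.

Added example; this is not PowerTech code. It models the Authority values
listed above: *SYSTEM, *OS400, *REJECT, *SWITCH and the four *MEM... values
that consult Memorized Transactions (MTR) first. The MTR table, the object
rules, the key used to match a memorized transaction and the "no matching
object rule" outcome are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Transaction:
    server: str      # e.g. "*FTPSERVER"
    function: str    # e.g. "SENDFILE"
    user: str
    location: str    # IP address or SNA device name
    obj: str = ""    # "LIB/OBJECT" when the request names an object


@dataclass(frozen=True)
class Decision:
    action: str            # "ALLOW", "REJECT" or "SWITCH"
    run_as: Optional[str]  # switch profile for SWITCH, else None
    source: str            # which rule decided it


# Assumed match key for a memorized transaction: (server, function, user, location).
MtrTable = Dict[Tuple[str, str, str, str], str]
# Assumed object rule key: ("LIB/OBJECT", user or "*PUBLIC") -> authority value.
ObjectRules = Dict[Tuple[str, str], str]

PLAIN_VALUES = ("*OS400", "*REJECT", "*SWITCH")
MEM_FALLBACK = {"*MEMOS400": "*OS400", "*MEMREJECT": "*REJECT",
                "*MEMSWITCH": "*SWITCH", "*MEMOBJ": "*OBJ"}


def _apply(value: str, switch_profile: str, source: str) -> Decision:
    if value == "*OS400":
        return Decision("ALLOW", None, source)
    if value == "*REJECT":
        return Decision("REJECT", None, source)
    if value == "*SWITCH":
        if not switch_profile:
            raise ValueError("*SWITCH requires a switch profile entry")
        return Decision("SWITCH", switch_profile, source)
    raise ValueError(f"unknown authority value {value!r}")


def evaluate(txn: Transaction, authority: str, switch_profile: str,
             system_authority: str, mtr: MtrTable, object_rules: ObjectRules) -> Decision:
    """Decide a transaction from the server's Authority value."""
    authority = authority.upper()
    if authority == "*SYSTEM":
        authority = system_authority.upper()   # defer to the system-level value
        if authority == "*SYSTEM":
            raise ValueError("system-level authority cannot itself be *SYSTEM")
    if authority in PLAIN_VALUES:
        return _apply(authority, switch_profile, "server property")
    if authority not in MEM_FALLBACK:
        raise ValueError(f"unknown authority value {authority!r}")

    # *MEM... values: a matching memorized transaction always wins.
    memo = mtr.get((txn.server, txn.function, txn.user, txn.location))
    if memo is not None:
        return _apply(memo, switch_profile, "memorized transaction")

    fallback = MEM_FALLBACK[authority]
    if fallback != "*OBJ":
        return _apply(fallback, switch_profile, f"{authority} default")

    # *MEMOBJ with no memorized transaction: consult the object rules.
    rule = object_rules.get((txn.obj, txn.user)) or object_rules.get((txn.obj, "*PUBLIC"))
    if rule is None:
        # Assumption for this example only: no object rule means no restriction.
        return Decision("ALLOW", None, "no object rule")
    return _apply(rule, switch_profile, f"object rule for {txn.obj}")


# Constructed sample tables.
SAMPLE_MTR: MtrTable = {
    ("*FTPSERVER", "SENDFILE", "BATCHUSR", "10.1.2.3"): "*OS400",
}
SAMPLE_OBJECT_RULES: ObjectRules = {
    ("PAYLIB/PAYROLL", "*PUBLIC"): "*REJECT",
    ("PAYLIB/PAYROLL", "HRADMIN"): "*SWITCH",
}

if __name__ == "__main__":
    t = Transaction("*FTPSERVER", "SENDFILE", "BATCHUSR", "10.1.2.3")
    print(evaluate(t, "*MEMREJECT", "", "*OS400", SAMPLE_MTR, SAMPLE_OBJECT_RULES))
    t2 = Transaction("*FTPSERVER", "SENDFILE", "GUEST", "198.51.100.7", "PAYLIB/PAYROLL")
    print(evaluate(t2, "*MEMOBJ", "PAYVIEW", "*OS400", SAMPLE_MTR, SAMPLE_OBJECT_RULES))
```

With the sample tables, the batch user's memorized FTP transfer is allowed even though the server property is *MEMREJECT, while the same function from an unmemorized user and address is rejected; under *MEMOBJ the payroll file is protected by its *PUBLIC object rule and HRADMIN is switched to the PAYVIEW profile. When you set *SWITCH or *MEMSWITCH on a real server, fill in the switch profile before you press Enter; the window states that the entry is required.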
Audit
Controls the type of requests Network Security will log. Possible values are:
Y Log all requests to the server.
N Log only authority failures for the server.
* Use the default system value for the system.
Send message on rejected request