|
Obviously good points. I guess I see the beauty of the security in the Java solution. It takes commands only from an iSeries data queue which, Ibelieve, can be locked down fairly securely. Locked down as in it's possible to restrict who can send a DQE and perhaps even restrict theapplication(s) that can do it.
I don't understand what you're saying here. You need a userid/password in order to even begin to know WHO you're locking it down to. You can't lock something down to a user unless you've established that a user really is that user.
And that's what passwords do. (Granted, there are other means of doing so, Kerberos tickets, SSL Certificates, etc.)
And that's why a userid/password must be sent for it to be secure. The fact that one solution uses a data queue really has no impact on the security question at all.
In fact, if you're using a TCP/IP network, then there are IP datagrams that the data is carried in. It doesn't matter if you use a data queue. (It doesn't matter if you use a green widget with olive oil dressing, for that matter) If it's travelling over TCP/IP, then someone else can create and send the same TCP/IP packets and gain access to the command server.
Please someone tell me if I'm wrong on that.
You're wrong if you think that data queues make it more secure.The possibility exists that the Java one that you've fouind is more secure for some other reason, though. (I wouldn't know.)
On the rexec side of the security equation, it seems less clear to me. I know I've seen warnings about this in the past, but I've never pursued it much prior to yesterday.
STRPCCMD solves the userid/password problem because it's part of an existing 5250 connection that the user has already authenticated by (a) Having access to start a program on the Windows box in the first place, and (b) having successfully logged in to the iSeries.
So, in a way, it greatly simplifies the security situation.On the other hand, the user has to trust the iSeries that he's connected to. You'd certainly never want to connect to a web page and allow that web server to run arbitrary commands on your PC, why is it different with 5250 and STRPCCMD? And the main reason that it's different is that users typically know and trust the people who run their iSeries, but don't know and trust the people who run a web server.
RUNRMTCMD/rexec does not make that same assumption that you trust the server you're connected to. Instead, it asks for the userid and password. So -- you could look at it both ways. In one way, STRPCCMD is more secure, in another, RUNRMTCMD is more secure.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
