× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. March 2006

5250 SSO ( was RE: Tying in biometric scanning to 5250 sign on )

midrange-l-request@xxxxxxxxxxxx wrote:

>   7. RE: RE: Tying in biometric scanning to 5250 sign on (Chris Bipes)
>
>I see you are right again.  It's the application that performs the 5250
>data stream manipulation.  Now how can I use SSO with a twinax terminal!
>;-) But is there a 5250 terminal that supports biometrics?  Ok we are
>moving away from them so I really don't need any.  Also we have removed
>90% of our twinax and have been using Ethernet thin clients with 5250
>emulation.  Now those could be updated to support biometrics and SSO I
>suppose.

Chris:

I haven't specifically looked at twin-ax as a player within SSO, so I'll need 
to dig to see what shows up (_if_ anything; I work here but not much w/SSO). 
However, this is a possible example of how secondary interactive subsystems and 
named devices (or relevant exit points) can come into play.

A direct-attach twin-ax terminal isn't quite so vulnerable to password sniffing 
via network hacking. It can be isolated into a subsystem that still displays 
profile/password entry fields. This might be done via appropriate ADDWSE 
commands.

And bypass-signon isn't exclusively tied to Kerberos/SSO. Technically, with the 
"right" exit programming, it could use any means that _can_ be programmed 
including not requiring nor relying on the entered profile/password at all 
which can obviously bring serious security risks.

In general, there are three options that can help within "bypass-signon":

1. Telnet/TN5250x over SSL with encrypted connection,
2. TN5250E with password encryption, and
3. Telnet/TN5250x within a SSO framework where "password" isn't sent as part of 
the connection.

(...where TN5250x can be just about any telnet that works; for SSO, it gets 
limited. Note that OS/400's TELNET command parameters support TN5250E outbound 
nowadays.)

Various combinations of subsystem definition, exit programs, routing programs 
and configuration elements such as SSO enablement can be used to make any or 
all of those work concurrently.

>From your perspective, it ought to be clear which elements you should use and 
>how each should be used. But it likely isn't clear. Any significant security 
>endeavor will be more complex than we would like.

We can mostly all get by with databases that are less than ideally defined. We 
can get by (and prosper) with programs that haven't been written to the highest 
standards and maintained with strictly controlled change-management and 
compiled with all of the appropriate settings and optimized to the best 
possible level. We can get by fine without system cleanup functions that 
automatically remove every unneeded object and reclaim each stray byte.

But security... If a system is network accessible and it is holding or can 
access critical company assets, those in charge of the security better be 
better than anybody else who has access to the same network and they better 
_implement_ accordingly.

In short, security just _can't_ be relegated to "it works good enough" status. 
It isn't trivial nor easily mastered, especially when there are important 
elements that aren't widely publicized if published at all (aside perhaps from 
possible 'Integrity problem' PTFs once in a while).

For AS/400s, iSeries or i5s in a Windows network, the issue mushrooms 
dramatically. (Not to mention bits of the UNIX world that have been touched 
here and there.)

<vendor plug - you knew there had to be one>

If you haven't already, contact an iSeries/i5 SSO solutions vendor. At the 
least, get a dialog going and see if there are tools that can help to examine 
your system and network to find out something of the scope that needs to be 
addressed. ( http://www.powertech.com ) Sales guys can be an irritant, but they 
can also be a resource when they're hungry.

</vendor plug>

Tom Liotta

>-----Original Message-----
>
>5250 can be run in a compliant way. 5250 itself need not be compliant;
>only the usage needs to be compliant for SSO.
>
>For example, if your interactive subsystem(s) throw up a signon panel
>that has no input fields but only text saying that entry without prior
>verification is forbidden, the Kerberos/SSO solution becomes more easily
>enforced. Or TN5250e with encrypted password perhaps. Or however you
>choose to configure things.
>
>(You could have a secondary interactive subsystem that could be used
>when needed and that allowed terminal signon panels.)
>
>In short, _you_ choose whether or not a given technique is used. SSO can
>work fine with 5250.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.