


It's been a comedy.  First they told me:

-RPC/DPC (remote/distributed program call) is used by
-several Client Access functions such as:
-
-ODBC (database access)
-Retrieve lists
-Create/Delete/Modify objects
-Management Central
-
-Evidently some of your clients do not use ODBC and/or
-Operations Navigator functions.

The phrases "several... such as", and "evidently some" are not terribly
credible coming from a support center.  I was kind of hoping for documented
expertise rather than conjecture.  Later in the PMR they say:

-My research indicates
-that once the client is able to acquire the info it needs
-from the AS/400-iSeries, it will probably not try to
-access the rmtcmd server for a while, but it is safe to
-say that sooner or later, it will request usage
-information again via the remote command server and will
-again require port 8475.

"My research indicates ... it will probably..." ???!!!
"sooner or later" !!!???

Gee, can they really afford to get THAT technical?

The fact remains that I had one client that was able to connect reliably
over several days of logging in, disconnecting, rebooting, and even an IPL.
The other clients hit the remote command server every time they connected.
If I opened the port, allowed connections, and closed the port the clients
would fail the very next time.  The behavior is not consistent with this
guy's "research".

This mention of "usage information" suggests that Vern is right about remote
command calls being used for licensing, not authentication.

There's a way to do it, but either the support center won't tell me or
they aren't willing to ask someone how CA Express really works.

Client Access has always been bloatware.  I had thought that CA Express
thinned things out.  It looks like they've got a long way to go.  I think
that software developers should have to work in customer sites for a year at
a time, implementing their products in the real world context of a full IS
Audit.  These Client Access folks have been in the lab too long.

Waah again.

-Jim


-----Original Message-----
From: John Earl [mailto:john.earl@powertechgroup.com]
Sent: Friday, November 22, 2002 2:50 PM
To: midrange-l@midrange.com
Subject: RE: CA remote command server port


>I've asked, "How do I prevent PC5250 from using remote command
>server?" and "Under what circumstances does a PC5250 session connect
>without making a remote command server request?"  I've requested that
>they explain the difference between the sessions and explain the
>circumstances that would require a remote command server call.

Good luck!   I'm not sure there is anyone at IBM who can, (or wants to)
tell you.  This is really a cluster.

I don't have a problem with the fact that a user has to be
authenticated, my beef is with the idea that in order to use Client
Access a user has to be authorized to execute remote commands.  If all
of the OS commands were locked down from *PUBLIC, this might not be
important, but because *PUBLIC can use a couple thousand commands,
having Client Access and OpsNav use remote commands is a big mess.

If only someone could send you the details on what causes their remote
command to get fired off.

<sigh>

jte



John Earl - john.earl@powertechgroup.com
The PowerTech Group - Seattle, WA
+1-253-872-7788 - www.powertech.com

-----Original Message-----
From: midrange-l-admin@midrange.com
[mailto:midrange-l-admin@midrange.com] On Behalf Of Jim Damato
Sent: Thursday, November 21, 2002 1:15 PM
To: 'midrange-l@midrange.com'
Subject: RE: CA remote command server port

Thanks John.  You've confirmed what I've suspected.  I've used web
support to log a problem on the matter, and now I'm involved in a
headache-inducing exchange with support.  I've reported that some
clients are able to connect just fine and I've asked, "How do I prevent
PC5250 from using remote command server?" and "Under what circumstances
does a PC5250 session connect without making a remote command server
request?"  I've requested that they explain the difference between the
sessions and explain the circumstances that would require a remote
command server call.  All I'm getting back is "we know what your
problem is -- you need to enable port 8475 and remote command server
and this is how you do it."

I can't believe that presenting an emulated terminal requires
authentication in the first place, let alone internally executed remote
command calls.  I can launch Windows telnet and get to a sign on screen
without all this crap.  It's even more bizarre that it's not
predictable.

Waah.

-Jim

-----Original Message-----
From: John Earl [mailto:john.earl@powertechgroup.com]
Sent: Thursday, November 21, 2002 1:18 PM
To: midrange-l@midrange.com
Subject: RE: CA remote command server port


Jim,

I think what you are referring to is that the Client Access Central
Server and/or Signon Server uses Remote Command (in certain cases) to
complete the Signon process.

This is a wrong-headed implementation by the Client Access team that
requires that you allow all of your users to use the remote command
server in order to use Client Access - and of course the remote command
server allows those same users to run other commands on your iSeries.
It now is much more difficult (but not impossible) for you to limit
which commands and programs can be used by the remote users.  You're
going to have to query those inbound transactions and determine what
resources they are trying to access.   Port blocking and similar
firewall restrictions will only give you all or nothing control over the
use of the remote command server.  You're going to have to get more
granular in order to get any real security.

jte




John Earl - john.earl@powertechgroup.com
The PowerTech Group - Seattle, WA
+1-253-872-7788 - www.powertech.com

-----Original Message-----
From: midrange-l-admin@midrange.com
[mailto:midrange-l-admin@midrange.com] On Behalf Of Jim Damato
Sent: Wednesday, November 20, 2002 9:05 AM
To: midrange-l@midrange.com
Subject: CA remote command server port

I need some help understanding how Client Access Express uses remote
command server (PC to AS/400).  Remote command supposedly uses port
8475, which we have turned off from certain network entry points.  Some
of our CA Express users can get in, but others fail as they login to
the initial prompt before PC5250.  I can't figure out what's making
certain PC client configurations think they need port 8475 for remote
command, and I can't figure out how to remove the requirement from
their CA configuration.

There's nothing I can find in CA Express administration that explicitly
mentions remote command functions, or where it might be selected and
used.

Does anyone have any experience with this?  Much thanks...

-Jim

James P. Damato
Manager - Technical Administration
Dollar General Corporation
<mailto:jdamato@dollargeneral.com>





This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].