|
Read Chapter 2, Section Security Level 40, subsection "Changing to security level 40" of "iSeries Security Reference - SC41-5302" http://publib.boulder.ibm.com/infocenter/iseries/v5r3/topic/books/sc415302.pdf See also section "Security Sevel 50", subsection "Changing to security level 50" Changing to Security Level 40 Make sure that all your applications run successfully at security level 30 before migrating to level 40. Security level 30 gives you the opportunity to test resource security for all your applications. Use the following procedure to migrate to security level 40: 1. Activate the security auditing function, if you have not already done so. The topic “Setting up Security Auditing” on page 249 gives complete instructions for setting up the auditing function. 2. Make sure the QAUDLVL system value includes *AUTFAIL and *PGMFAIL. *PGMFAIL logs journal entries for any access attempts that violate the integrity protection at security level 40. 3. Monitor the audit journal for *AUTFAIL and *PGMFAIL entries while running all your applications at security level 30. Pay particular attention to the following reason codes in AF type entries: B Restriction (blocked) instruction violation C Object validation failure D Unsupported interface (domain) violation J Job-description and user-profile authorization failure R Attempt to access protected area of disk (enhanced hardware storage protection) S Default sign-on attempt These codes indicate the presence of integrity exposures in your applications. At security level 40, these programs fail. 4. If you have any programs that were created before Version 1 Release 3, use the CHGPGM command with the FRCCRT parameter to create validation values for those programs. At security level 40, the system translates any program that is restored without a validation value. This can add considerable time to the restore process. See the topic “Validation of Programs Being Restored” on page 14 for more information about program validation. Note: Restore program libraries as part of your application test. Check the audit journal for validation failures. 5. Based on the entries in the audit journal, take steps to correct your applications and prevent program failures. 6. Change the QSECURITY system value to 40 and perform an IPL. Changing to Security Level 50: If you are currently running your system at security level 30, complete the steps described in “Changing to Security Level 40” on page 15 to prepare for changing to security level 50. If you are currently running your system at security level 30 or 40, do the following to prepare for security level 50: Evaluate setting the QALWUSRDMN system value. Controlling user domain objects is important to system integrity. See “Restricting User Domain Objects” on page 16. Recompile any COBOL programs that assign the device in the SELECT clause to WORKSTATION if the COBOL programs were compiled using a pre-V2R3 compiler. Recompile any S/36 environment COBOL programs that were compiled using a pre-V2R3 compiler. Recompile any RPG/400* or System/38™ environment RPG* programs that use display files if they were compiled using a pre-V2R2 compiler. Rob Berendt
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
