RES: RES: i5/OS external entitlement definition -- MIDRANGE-L

Neither do I, that's why we need a clear document...

Today that's my problem, but tomorrow it would be a problem to anyone who
wants an user based box, so I'm extremely boring guy posting here to make
some noise and get definitive answers to everyone.

Going deeper: What is "authentication"? What is "access i5/OS operating
system"?

As I know to "access i5/OS operating system" you need an USRPRF as the
platform is object oriented... Each object has a single owner (USRPRF) wich
can be shared (or not) with other USRPRFs (or USRPRF Groups)... If there's
another way to "access i5/OS operating system" without USRPRFs, then there's
a terrible security exposure...

Another point, if MS doesn't charge for that, but IBM does, and that causes
dramatic impact on the overall cost, would it still sell any 515 for simple
web applications on SMBs?

And finally, someone said to take external entitlement off and run the
webserver on a Linux partition... Come on, those servers are on the same
box, depending on the place they are I'm charged or not? That's nonsense,
maybe even they don't know exactly what external entitlement means ;)

Thanks

-----Mensagem original-----
De: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] Em nome de rob@xxxxxxxxx
Enviada em: quinta-feira, 30 de agosto de 2007 10:38
Para: Midrange Systems Technical Discussion
Assunto: Re: RES: i5/OS external entitlement definition

I am not sure if that is correct. The way it was explained
to me was that if the person authenticated at all (via any
combination of things commonly used on the web that do not
involve *USRPRF objects) then they were to be considered a user.

Rob Berendt
--
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com

"Rubens" <rubens@xxxxxxxxxxxxx>
Sent by: midrange-l-bounces@xxxxxxxxxxxx
08/30/2007 09:34 AM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>

To
"'Midrange Systems Technical Discussion'" <midrange-l@xxxxxxxxxxxx>
cc

Fax to

Subject
RES: i5/OS external entitlement definition

Rob,

I've found it, but still is not perfectly clear to me:
http://www-306.ibm.com/common/ssi/rep_ca/9/877/ENUSZP07-0189/E
NUSZP07-0189.P

DF

My understanding is that if my website "visitors" (external)
loads dynamic
pages automatically or not given, an ID or not (but not an
USRPRF), they
are
just "visitors", never "users".

If my "visitors" signs using USRPRFs to reach i5/OS they are "users".

Not employees, wich don't exist to us, are "external users". External
employees, wich we have some, are just "users" but they're
already charged
on total users (5 + n5).

So we don't need "external entitlement" because there aren't "external
users" (not employees).

I'm reading exactly how MS does, if a "visitor" signs using his Active
Directory "profile" you need a CAL (or maybe unlimited CALs),
if not, you
don't need it.

Thanks,

Rubens

-----Mensagem original-----
De: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] Em nome de rob@xxxxxxxxx
Enviada em: quinta-feira, 30 de agosto de 2007 10:01
Para: Midrange Systems Technical Discussion
Assunto: RE: i5/OS external entitlement definition

At that same website below they encourage you to search for a
particular announcement letter. If any of you can find it by
using the link provided let me know.

Rob Berendt
--
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com

rob@xxxxxxxxx
Sent by: midrange-l-bounces@xxxxxxxxxxxx
08/30/2007 08:51 AM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>

To
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
cc

Fax to

Subject
RE: i5/OS external entitlement definition

I think what was recently changed was IBM stated that they

have to be

"concurrent" users. Meaning that if you put 10 users on the
system but a
maximum of three are on the system at any one time, then

you pay for

three. You'll see some change markers (the double greater
than and double

less than signs) at:
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/topic/rz
am8/rzam8userentitlements.htm

Rob Berendt
--
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com

"DeLong, Eric" <EDeLong@xxxxxxxxxxxxxxx>
Sent by: midrange-l-bounces@xxxxxxxxxxxx
08/29/2007 06:15 PM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>

To
"Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
cc

Fax to

Subject
RE: i5/OS external entitlement definition

As I recall, there were several LONG and involved threads
about two months

ago that discussed the user entitlements. As I recall, IBM

initially

counted users by counting USRPRF objects, but later changed
this.... I
can't remember quite what the final word was on that. There
is also the
bit ($$$) that allows for unlimited "external" access, which
would be used

for web-based users who are NOT employed by your company.

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx]On Behalf Of Rubens
Sent: Wednesday, August 29, 2007 1:32 PM
To: 'Midrange Systems Technical Discussion'
Subject: RES: i5/OS external entitlement definition

Kirk,

Thanks for your kind answer.

You see, that's exactly my problem... You defined based on your own
understanding, there's not a clear document stating all

those points.

Mine point of view differs from yours and maybe both differs
from others
on
this list, my legal department sure would have yet another
opinion, wich
one
is right?

As IBM quoted external entitlement for us, my question is
based on what,
as
documents found are unclear, they can't sell anything wich is
undefined
can
they?

I've posted here exactly to know how others are dealing with that.

Thanks

-----Mensagem original-----
De: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] Em nome de Kirk Goins
Enviada em: quarta-feira, 29 de agosto de 2007 15:01
Para: Midrange Systems Technical Discussion
Assunto: Re: i5/OS external entitlement definition

If access say Apache in the i5 to browse a file, say a list
of available inventory that ANYONE can see and I Do Not give
a ID and Password then I am not authenticated and do not need
a license. On the other hand if I give and ID and password or
in some other way identify myself specifically I need a license.

Let's say I login to a Intel based server and that server
accesses data on the i5 on my behalf then I need a license

If say I login to an application running on an i5, like Lotus
Notes, but never directly login to the i5, I still need a license.

External Users vs Internal Users
Internal User is someone you are paying. Either a real
employee or even a consultant working on the system.

External Users aren't on the payroll, Like Visitors your
website. If you ask then to login for whatever reason and the
i5 is in the mix then they need a license. If they can browse
and even place an order but do login then no license is required.

It is my understanding that if I have a 50 user license and
I'm using 25 of those concurrently for internal users and
that I could handle 25 external users without buying more

licenses.

Rubens wrote:

Hi,

I'm trying to configure a new 515, but can't find a clear

definiton

about external entitlement, to know if we really need it or not.

An i5/OS user is a person who accesses the i5/OS

operating system

through one or more connections. The user exchanges

credentials (user

identifications) either directly with the operating system or
indirectly through application or middleware software that is
supported by the operating system.

http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=

/rzam8
/rzam8userentitlements.htm

What's exactly operating system? Just 5250, Ops Navigator

and similar

ways to reach "commands"? Are applications included?

Suppose I have a website (hosted on i5), as my

"visitor" types a

string it gets pages generated by a query - true he's

indirectly

getting results from DB2, but I hope he should never reach our
operating system - is that a "visitor" or an "user"?

Since all my "visitors" indirectly exchanges identification

on Apache,

they're "users"?

Going further, there are several ways to achieve real

protection

"exchanging credentials" on Apache, such as writing an

application

wich reads and verifies data ("user" and "password") saved

anywhere,

IP ranges, validation lists (again "user" and "password"),

user name

(again from anywhere), and finally i5/OS USRPRF (perhaps

this one is

really a "user"), or maybe a combination or any of those.

As there are many applications wich run on i5, wich

behave such as

Apache, where exactly a "visitor" becames an "user"?

Microsoft defines "user" those defined on Active Directory

- such as

an USRPRF - anything else is defined as a "visitor", it's

simple and

maybe it don't covers all possibilities, but it's

perfectly clear.

Thanks,

Rubens Lehmann

--
This is the Midrange Systems Technical Discussion
(MIDRANGE-L) mailing list To post a message email:
MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change
list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting,
please take a moment to review the archives at
http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion
(MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion
(MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion
(MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion
(MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion
(MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion
(MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.