The IP address is available to the exit point. I've been logging with it for over 5 years. I require a trusted client certificate and use the exit point to verify that. I log the username from the certificate as well as the timestamp, user and device name if supplied (named device is required for SSL connections to my servers, so I change the status to denied if there is no device name). Pretty simple, really. There are many examples in the archives. Be sure NOT to change the parameter that allows signon - it will let any user on immediately even with a valid password. (That's all in the archives too; I'm pretty sure Scott Klement pointed that out at least once.) If you intend to use details from a client certificate, you'll need to be aware that older (unsupported) versions of the OS had a problem on the offset that has been corrected. If I'm not mistaken, it was Bruce Vining who commented on my post about that.
--
Sean Porterfield
________________________________________
From: John Earl
Sent: Friday, August 19, 2011 20:58
To: Midrange Systems Technical Discussion
Subject: Re: TELNET Project
Robert,
The QIBM_QTG_DEVINIT exit point will provide the data you want - and will also provide you with the ability to deny certain users or IP addresses with access to Telnet (though the security geek in me feels compelled to note that this exit point alone will not prevent other network connections such as FTP, ODBC, etc. from a valid user).
It's a simple interface with a data structure parameter list that provides a number of fields into the program and a single binary out of the program (An allow/deny access switch). You can use the input parameters to capture things like user name, job name, job number, and _I_think_ IP address. If the parameter list doesn't provide IP address, I know that information is available in one of the "current job" API calls (Gary Monnier probably knows for sure) so you might have to make an extra program call.
The only other thing to do then is arrange the data in a format (File, Dataq, journal?) that is easy for you to report on. Should be a simple task.
One word of caution - when you attach the exit program to the exit point, all future Telnet connections will be regulated by this exit program - so if it has a bug, no one will be able to make a new connection. Therefore, when testing, have aan active connection (or 5) that you can use to unregister the exit point just in case. (Just some been there done that advice.)
HTH
jte
On Aug 18, 2011, at 8:30 AM, Robert Munday wrote:
Greetings from the sunny south.
I have been tasked with capturing the user profiles and IP addresses of
those who sign into our system remotely. An analyst has directed me to
the IBM site for instructions on TELNET processing. It uses a program at
the Exit Point - QIBM_QTG_DEVINIT, and this is where I am to capture the
data. I have downloaded and am reviewing the programs from the IBM site.
Have you worked with this type of data capture? It's new to me and I seek
your guidance.
Thanks,
Robert Munday
Munday Software Consultants
Montgomery, AL
This email is confidential, intended only for the named recipient(s) above and may contain information that is privileged. If you have received this message in error or are not the named recipient(s), please notify the sender immediately and delete this email message from your computer as any and all unauthorized distribution or use of this message is strictly prohibited. Thank you.
midrange.com
