Re: How to secure IBM Navigator For I -- MIDRANGE-L

More to Rob's point: Why "secure" WebNav?

Is the reason to keep people from accessing data they shouldn't be able to
see?
Is the reason to reduce WebNav load on the system or keep people on-task
(i.e. you also don't want them on Facebook, etc.)?

Depending on the goal, the solution will differ.

If the goal is to keep people from accessing data they are not authorized
to view, the answer is unrelated to WebNav. Set up a proper security model
on the i based on least privilege guidelines, which means users can only
access the objects they're authorized to use.

If the goal is to keep people on task or to reduce WebNav load on the i,
put tech in place to deny the access:
- Put a web filter (a.k.a. content gateway) or proxy between the users and
the i (and the internet).
- Use an app/site whitelist agent on the PCs to block access.

Ideally, a layered defense would be used where you have both a proper
security model on the i and appropriate controls around access to the i
from the network (and outside world). That way you can handle situations
like a BYOD that doesn't have the whitelist agent or a normally authorized
user who is coming in on a spare PC because his regular one just crashed.

On Wed, Feb 6, 2013 at 8:20 AM, <brad.lovelady@xxxxxxxxxxxxxx> wrote:

Jerome,

Read up on functional usage (WRKFCNUSG). In fairness, I have never used
this but it appears there are functional usage IDs you could use to prevent
someone from accessing IBM i web administration tasks.

Here are the IDs I would look into.....

QIBM_QINAV_WEB_CONFIGURE
QIBM_QINAV_WEB_FUNCTIONS
QIBM_QINAV_WEB_INTERFACE
QIBM_QSY_SYSTEM_CERT_STORE

***********************************
Bradford Lovelady

Operating Systems Engineer
Technology Infrastructure Services

Wells Fargo Bank l 200 Wildwood Pkwy l Birmingham, AL 35209
MAC W2691-010
Tel 205-938-1999 l Cell 205-826-2834

brad.lovelady@xxxxxxxxxxxxxx

Wells Fargo Confidential

This message may contain confidential and/or privileged information. If
you are not the addressee or authorized to receive this for the addressee,
you must not use, copy, disclose, or take any action based on this message
or any information herein. If you have received this message in error,
please advise the sender immediately by reply e-mail and delete this
message. Thank you for your cooperation.

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:
midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of jerome.domont@xxxxxx
Sent: Wednesday, February 06, 2013 2:42 AM
To: Midrange Systems Technical Discussion
Subject: How to secure IBM Navigator For I

Hello

Is there a way to prevent users from openning Web IBM Navigator For I
session ?

or

Is there a way to allow just few people to open Web IBM Navigator For I
session ?
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.