Re: How to secure IBM Navigator For I

[John Jones <chianime@xxxxxxxxx>]

More to Rob's point:  Why "secure" WebNav?

Is the reason to keep people from accessing data they shouldn't be able to
see?
Is the reason to reduce WebNav load on the system or keep people on-task
(i.e. you also don't want them on Facebook, etc.)?

Depending on the goal, the solution will differ.

If the goal is to keep people from accessing data they are not authorized
to view, the answer is unrelated to WebNav.  Set up a proper security model
on the i based on least privilege guidelines, which means users can only
access the objects they're authorized to use.

If the goal is to keep people on task or to reduce WebNav load on the i,
put tech in place to deny the access:
- Put a web filter (a.k.a. content gateway) or proxy between the users and
the i (and the internet).
- Use an app/site whitelist agent on the PCs to block access.

Ideally, a layered defense would be used where you have both a proper
security model on the i and appropriate controls around access to the i
from the network (and outside world).  That way you can handle situations
like a BYOD that doesn't have the whitelist agent or a normally authorized
user who is coming in on a spare PC because his regular one just crashed.

On Wed, Feb 6, 2013 at 8:20 AM, <brad.lovelady@xxxxxxxxxxxxxx> wrote:

> Jerome,
>
> Read up on functional usage (WRKFCNUSG). In fairness, I have never used
> this but it appears there are functional usage IDs you could use to prevent
> someone from accessing IBM i web administration tasks.
>
> Here are the IDs I would look into.....
>
> QIBM_QINAV_WEB_CONFIGURE
> QIBM_QINAV_WEB_FUNCTIONS
> QIBM_QINAV_WEB_INTERFACE
> QIBM_QSY_SYSTEM_CERT_STORE
>
> ***********************************
> Bradford Lovelady
>
> Operating Systems Engineer
> Technology Infrastructure Services
>
> Wells Fargo Bank  l  200 Wildwood Pkwy  l  Birmingham, AL 35209
> MAC W2691-010
> Tel 205-938-1999  l  Cell 205-826-2834
>
> brad.lovelady@xxxxxxxxxxxxxx
>
>
> Wells Fargo Confidential
>
> This message may contain confidential and/or privileged information. If
> you are not the addressee or authorized to receive this for the addressee,
> you must not use, copy, disclose, or take any action based on this message
> or any information herein. If you have received this message in error,
> please advise the sender immediately by reply e-mail and delete this
> message.  Thank you for your cooperation.
>
> -----Original Message-----
> From: midrange-l-bounces@xxxxxxxxxxxx [mailto:
> midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of jerome.domont@xxxxxx
> Sent: Wednesday, February 06, 2013 2:42 AM
> To: Midrange Systems Technical Discussion
> Subject: How to secure IBM Navigator For I
>
> Hello
>
>
>
> Is there a way to prevent users from openning Web IBM Navigator For I
> session ?
>
> or
>
> Is there a way to allow just  few people to open Web IBM Navigator For I
> session ?
> --
> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
> list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
> unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/midrange-l
> or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
> moment to review the archives at http://archive.midrange.com/midrange-l.
>
> --
> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
> To post a message email: MIDRANGE-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/midrange-l
> or email: MIDRANGE-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/midrange-l.