There are about a bazillion ways to send receive data from IBM i. I
always feel it is more important to secure the data than to try to secure
various ways of accessing the data. For example, you may want to say
users have NO access to your data but they can only access it from your
programs by using adopted authority. Granted, it makes the use of ad hoc
query tools troublesome.
But if you just got to secure various access points, like perhaps the FTP
client, you may wish to look at security tools like PowerTech
http://www.helpsystems.com/powertech
They have numerous competitors. Evaluating vendors alone is enough to
enlighten you on all the access points.
Note: I get no money from any of them so it's no skin off my hide if you
do or do not take this suggestion.
I've actually written my own and was asked if I was looking elsewhere when
a vendor came in to make a presentation.
See WRKREGINF.
You can even limit what ftp commands they use. And even what parameters
on what ftp commands they use. For example PUT but not GET. And only
from certain directories or libraries.
For our external ftp site I use a vendor product just because I liked the
enrollment process better and it did sftp and I'm pretty busy.
You may wish to secure the ftp command. Do a WRKOBJ on it and use the
option to edit authority. If, however, your goal is to thwart other
systems people and you have a tendency to abhor proper testing and
therefore give developers *ALLOBJ that won't do you any good.
You can change the command so that it can only be used in a program by
doing this:
CHGCMD CMD(FTP) ALLOW(*BPGM *IPGM)
See also STRTCPFTP
If you modify these commands you may want to log that for upgrades and
whatnot. Some people put these mods in their QSTRUP program.
There are also ways in iNav to control what various ftp operations
Rob Berendt
midrange.com
