They opened port 80 on the firewall so that the SQL view in IBM i can consume an XML document at www-912.ibm.com. Generally they are preventing any server, particularly ones with customer data, from being able to access anything on the internet directly. We have it open to connect to ECS, but that's over HTTPS and VPN, so there was less concern about that originally. We have the same AD and Websense stuff going on and often have to reboot as well to get access restored even on the local network.
Coy Krill
Core Processing Administrator/Analyst
Washington Trust Bank
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
Sent: Wednesday, October 21, 2015 04:32
To: Midrange Systems Technical Discussion
Subject: RE: systools. group_ptf_currency Security Concern Responses
Importance: Low
Exactly what did they have to open on the internet?  Did you just have to open access to port 80 from your IBM i?  Or did you have to allow certain ports from the internet to get to your IBM i?  I'm pretty sure that you only have to allow your IBM i to get to port 80.  Because all of our IBM i lpars can use this new function and very few of them have any access TO them FROM the internet.  Do they restrict who can get to the internet by IP address and stuff to limit time wasting and stuff?  Here, we have a setting in Windows Active Directory which says whether or not a user can use the internet for http.  Those who do access the internet for http have all traffic monitored (and restricted) by WebSense.  In general they block porn, gambling and sites known to be hacks.  Sometimes it goes crazy and I have to reboot my PC.
Sometimes I have to get permission to access a site which I know to be valid but is blocked for some reason by WebSense.  Perhaps this is just your company's process.  Rarely, if ever, am I denied.
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to:  2505 Dekko Drive
          Garrett, IN 46738
Ship to:  Dock 108
          6928N 400E
          Kendallville, IN 46755
http://www.dekko.com
From:   "Krill, Coy" <CKrill@xxxxxxxxxxx>
To:     "Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
Date:   10/20/2015 05:29 PM
Subject:        RE: systools. group_ptf_currency Security Concern Responses
Sent by:        "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
Ordering PTFs via SNDPTFORD goes over a VPN or other secure channel to 
IBM. IBM has the request for the systools view go out of regular internet 
channels. We get our CUM packages from our main software vendor as they 
vet them for their software and add additional PTFs when necessary for 
their software to work. I generally order the Java, HTTP, Security and 
HIPER group packages monthly (and sometimes others depending on the 
situation). I was looking at using the systools view to have an easily 
accessible tool that can tell me what I can order that I don't already 
have installed or waiting to apply. I don't generally compare individual 
PTFs, just the groups.
Coy Krill
Core Processing Administrator/Analyst
Washington Trust Bank
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Jack Kingsley
Sent: Tuesday, October 20, 2015 12:34
To: Midrange Systems Technical Discussion
Subject: Re: systools. group_ptf_currency Security Concern Responses
Importance: Low
How are you downloading and installing fixes?  Do you have to remote query 
IBM to do your local compare for PTFs?
On Tue, Oct 20, 2015 at 3:04 PM, Krill, Coy <CKrill@xxxxxxxxxxx> wrote:
I had our network folks open the firewall so that our Production, Test 
and DR machines could access
http://www-912.ibm.com/s_dir/sline003.nsf/PSPbyNumL.xml?OpenView&count=500
and have the systools.group_ptf_currency view work properly. I've 
now been requested to meet with our security folks regarding this 
request.
I assume that they are going to have security concerns and are 
potentially looking to block this site again. Has anyone had to 
respond to any inquiries from security or auditors regarding loading 
the xml table from IBM? It seems pretty innocuous to me, but perhaps 
I'm missing something larger but in any case I'd like to be prepared 
to assuage any security concerns as I would really like to use this 
view rather than having to compare a 5250 screen to a webpage every 
month.
Coy Krill
Core Processing Administrator/Analyst
Washington Trust Bank
---------------------------------------------------------------------
This electronic mail message and any attachments may contain 
confidential or privileged information and is intended for use solely 
by the above-referenced recipient. Any review, copying, printing, 
disclosure, distribution, or other use by any other person or entity 
is strictly prohibited under applicable law. If you are not the named 
recipient, or believe you have received this message in error, please 
immediately notify the sender by replying to this message and delete 
the copy you received
---------------------------------------------------------------------
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing 
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, 
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take 
a moment to review the archives at 
http://archive.midrange.com/midrange-l.