


Thanks, Scott, for the tips and guide. I think it is better to stick to SSL/crypto.

I have already informed my company to install and configure SSL on our i, but they have not done it yet.

Last week we had a big problem because of this; my boss wanted such a solution as this dual control thing. Anyway, I will explain things to him.

Thanks for the support.

Apart from this, can I update/write data to a file on the C drive? I know I can do it by STRPCCMD, but can I do it from RPG?



Regards,

Chamara Withanachchi
IBM Certified Power System Expert
RPG Programmer
(owner of www.rpgiv.info)

WWW.RPGIV.INFO
Mob: +971 50 5698644
Tel: +971 6 5595887
chamaraw@xxxxxxxxxx
www.rpgiv.info
i want to be future ready. i want control. i want an i.


Sent from my BlackBerry® wireless device

-----Original Message-----
From: Scott Klement <rpg400-l@xxxxxxxxxxxxxxxx>

Date: Mon, 15 Jun 2009 13:58:07
To: RPG programming on the IBM i / System i<rpg400-l@xxxxxxxxxxxx>
Subject: Re: Access pc file from RPG program


Putting it in the registry doesn't solve the problem. The user could
then export the registry keys and import them on another computer. Not
especially difficult to do.

Not only that, in order to read the registry from RPG, you'd need to
have Windows software that reads the registry information and sends it
(via socket or similar tool) back to the i. Any hacker would see this
registry key going over the Internet and would be able to replicate it.

Since you'd have to write a program on Windows to send the data over the
network, why bother saving it to the registry? Why not just have the
program calculate the value and send it over the network, why write it
to disk first?

In any case, what you are considering is a huge security problem. Any
time you let the PC decide for itself if it's allowed to connect, it's
going to open an exposure. It's a simple matter of trust. In order to
allow the PC to "authorize itself", your IBM i has to be able to TRUST
that PC. You have to find a way to do that that ensures that it's not
trusting the wrong PC -- a hacker's PC, for example. Or a disgruntled
ex-employee's PC. How do you know which PCs you can or can't trust?

One way to establish trust is to restrict it by IP address. But you
can't do that because of the whole "dual control" thing.

Another way is to use digital cryptographic keys. Give the PC a public
key and you keep the private key. Have them send you something
encrypted with the public key and verify that it matches the private
key. If not, you have a problem, and you deny the connection. That's
what technologies like SSL and SSH do.

But what you're trying to do (as far as I can tell... you don't seem to
want to provide much description) is have the PC provide all of the
authorizing by itself. If you do that, you're going to have to trust
all PCs, since you'll have no way of knowing the legitimate PCs from
the illegitimate ones. In that scenario, you'll always have a security
hole. It doesn't matter if the data is stored in a file or in the
registry or any other form of storage. As long as you put yourself in a
situation of having to trust all PCs, you will have a security hole,
because a hacker will be able to see what you're sending, and will be
able to replicate it.


Chamara Withanachchi wrote:

In that case, can I access the PC registry from an RPG program? We have a few
issues with SSL and VPN.
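
The replay problem described in the message above, as an added example that is not part of the original thread: a host that accepts a PC-supplied value beside one that issues a fresh challenge per connection. A shared-key HMAC stands in here for the public/private key schemes (SSL, SSH) named in the message; all function names, class names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (assumptions); nothing here comes from the thread.
STATIC_VALUE = b"PC-0042-authorized"   # value the PC computes and sends every time
SHARED_KEY = secrets.token_bytes(32)   # key provisioned only to the legitimate PC

def static_accept(presented: bytes) -> bool:
    """Host trusts whatever value the PC presents (the design the thread warns about)."""
    return hmac.compare_digest(presented, STATIC_VALUE)

class ChallengeResponseServer:
    """Host issues a fresh random challenge per connection and checks a keyed response."""
    def __init__(self, key: bytes):
        self._key = key
        self._outstanding = set()

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def accept(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False                    # unknown or already-used challenge
        self._outstanding.discard(nonce)    # single use, whether it passes or fails
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)

def pc_respond(key: bytes, nonce: bytes) -> bytes:
    """What the legitimate PC computes; the key itself never crosses the wire."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def demo() -> dict:
    srv = ChallengeResponseServer(SHARED_KEY)
    n1 = srv.new_challenge()
    r1 = pc_respond(SHARED_KEY, n1)          # (n1, r1) is what an observer would see
    return {
        # The observed static value is accepted again, from any machine.
        "static_replay_accepted": static_accept(STATIC_VALUE),
        "legit_accepted": srv.accept(n1, r1),
        # Replaying (n1, r1): the nonce is spent, and r1 does not fit a new nonce.
        "same_nonce_replay_accepted": srv.accept(n1, r1),
        "new_nonce_replay_accepted": srv.accept(srv.new_challenge(), r1),
    }

if __name__ == "__main__":
    print(demo())
```

Only the challenge and the response cross the network, so a captured pair is useless on the next connection, whereas the static value works from any machine that has seen it once.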

