i5/OS isn’t secure until you use encryption for access and authentication
i5/OS is often touted as one of the more secure operating systems, through its very rigid abstraction of everything into objects. I'm not a security expert, and I don't claim to be one, but in many i5/OS or OS/400 deployments, beginner mistakes are made by the gallon.
A few basic things first: QSECURITY should be at level 40, and all users should have normal user profiles, without special permissions. Even if you are an admin or a developer, if you need *ALLOBJ or similar permissions, you should use a second user account for that.
QPWDLVL should be at value 3, which supports long, secure and case-sensitive passwords. You'll also need to set all the other QPW* system values to enforce secure passwords.
But one thing most often overlooked is the encryption of 5250 connections to the system itself. Many, many companies do not use SSL to encrypt their 5250 sessions, leaving the whole session visible in the clear on the network (EBCDIC rather than ASCII, but just as readable). This makes it particularly easy to hijack sessions and passwords, even those of very important users like QSECOFR.
Note that, security-wise, a System i without SSL-encrypted FTP and Telnet is wide open, even worse than an unpatched Windows machine. It really boggles the mind if you ask yourself why IBM hasn't made this the default yet on new OS installs.
Using DCM (Digital Certificate Manager) you should secure Telnet and FTP with SSL. You'll also need to configure iSeries Access appropriately to use SSL for its sessions.
Make sure to configure both the Telnet and the FTP server to accept SSL sessions only, e.g. CHGTELNA ALWSSL(*ONLY) for the Telnet server (the FTP server has an equivalent attribute). This ensures that only encrypted connections to your system can be established.
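To verify from the network side that the change above actually took effect, here is an added check (not part of the original post) that probes the plain Telnet port and the SSL Telnet port and reports which of the situations described in this post applies; it assumes the default ports 23 and 992 (telnet-ssl), and the host name is supplied on the command line.

```python
import socket
import ssl
import sys

IAC = 0xFF  # Telnet "Interpret As Command": first byte of the server's option negotiation


def classify(plain_banner, tls_ok):
    """Map probe results to a verdict.

    plain_banner: first bytes received on the non-SSL Telnet port, b"" if the
    server accepted the connection but stayed silent, None if it was refused.
    tls_ok: whether a TLS handshake on the SSL Telnet port succeeded.
    """
    plain_open = bool(plain_banner) and plain_banner[0] == IAC
    if plain_open and tls_ok:
        return "MIXED: SSL is available but plaintext 5250 sessions are still accepted"
    if plain_open:
        return "PLAINTEXT ONLY: sessions and passwords cross the network in the clear"
    if tls_ok:
        return "SSL ONLY: consistent with CHGTELNA ALWSSL(*ONLY)"
    return "UNREACHABLE: neither port answered"


def probe_plain(host, port=23, timeout=5.0):
    """Return the first bytes the server sends on the non-SSL port, or None if refused."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(16)
            except socket.timeout:
                return b""  # connected, but no Telnet negotiation arrived
    except OSError:
        return None


def probe_tls(host, port=992, timeout=5.0):
    """Return (ok, detail) for a TLS handshake on the SSL Telnet port."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # only testing that encryption is offered, not the cert chain
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} {tls.cipher()[0]}"
    except OSError as e:  # ssl.SSLError is a subclass of OSError
        return False, str(e)


if __name__ == "__main__":
    host = sys.argv[1]
    print(classify(probe_plain(host), probe_tls(host)[0]))
```

Expect the SSL ONLY verdict on a system configured as described; a MIXED verdict means the non-SSL port is still negotiating 5250 sessions.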
If you're looking for SSL-enabled 5250/FTP clients, I can recommend TN5250, FileZilla (GUI) and SSLFTP (CLI). All of them are free.