JD Edwards World operates within the confines of IBM i security and relies upon a secure operating system configuration. This section discusses IBM i security features that are especially relevant to the JD Edwards World product. This guide is not a substitute for fully understanding and configuring the IBM i security environment. Please refer to the IBM i Security Guide for the IBM i release you are running.
This chapter contains these topics:
Harden the Network Security Environment
The IBM i usually operates in an environment where access to the corporate network and the Internet is available. The IBM i should be protected behind a firewall, and it should be hardened to allow only authorized communications. You should close unnecessary communications ports.
The IBM i operating system may be installed to operate at one of four Security Levels:
Level 20 – Signon security only; minimal security protection.
Level 30 – Signon and resource security.
Level 40 – Signon and resource security; integrity protection.
Level 50 – Signon and resource security; enhanced integrity protection.
Each of these security levels has implications for other security settings in the operating system. You can view your current IBM i Security Level using the following command:
DSPSECA
Oracle recommends that you configure your IBM i Security Level at Level 40 or Level 50.
Lock and Expire Default User Accounts
The IBM i is delivered with many default accounts, such as QSECOFR and QPGMR. Oracle provides three additional user accounts during JD Edwards World installation: JDE, JDEINSTAL, and JDEPROD. You must change the passwords or disable signon for all default accounts. Refer to the appropriate IBM i Security guide for details.
During installation, you must supply a password for each of these profiles that does not already exist on your machine. After the JD Edwards World software is installed, handle these default accounts as described above. Under no circumstances should you make the passwords for these accounts the same as the User Profile Name.
Note:
The most common security vulnerability, and one that is easily avoided, is setting or leaving an insecure password on a default profile.
Your IBM i security guide explains password rules you are able to configure on your IBM i system. Apply basic password management rules, such as password length, reuse, and complexity, to all user passwords.
Typical users should not have powerful authorities such as *SECADMIN, *ALLOBJ, or Command Entry (the Limit Capabilities attribute on the IBM profile should be Yes). Use the Group Profile feature to simplify security administration and to limit special authorities.
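The account and password guidance above, expressed as IBM i CL commands. This is an added example, not taken from the Oracle or IBM documentation. It assumes that none of the three JD Edwards World default profiles needs to sign on at your site; the profile names JDEUSERS and APCLERK and the system value settings shown are hypothetical samples.

```cl
/* Added example. JDEUSERS and APCLERK are hypothetical profile names.  */

/* 1. Report every profile whose password equals its profile name.      */
/*    ACTION(*NONE) only prints the report and changes nothing.         */
ANZDFTPWD ACTION(*NONE)

/* 2. Remove the password and disable signon for the default profiles   */
/*    delivered with JD Edwards World (assumes none is needed for       */
/*    signon at this site). A disabled profile can still own objects.   */
CHGUSRPRF USRPRF(JDE)       PASSWORD(*NONE) STATUS(*DISABLED)
CHGUSRPRF USRPRF(JDEINSTAL) PASSWORD(*NONE) STATUS(*DISABLED)
CHGUSRPRF USRPRF(JDEPROD)   PASSWORD(*NONE) STATUS(*DISABLED)

/* 3. Sample password rules (values are illustrative, set your own).    */
CHGSYSVAL SYSVAL(QPWDMINLEN) VALUE(8)    /* minimum password length     */
CHGSYSVAL SYSVAL(QPWDRQDDIF) VALUE('1')  /* no reuse of last 32         */
CHGSYSVAL SYSVAL(QPWDRQDDGT) VALUE('1')  /* require at least one digit  */

/* 4. Group profile with no password and no special authorities.        */
CRTUSRPRF USRPRF(JDEUSERS) PASSWORD(*NONE) SPCAUT(*NONE) +
          TEXT('Group profile for JD Edwards World users')

/* 5. Typical user: limited capabilities, no special authorities,       */
/*    member of the group profile.                                      */
CHGUSRPRF USRPRF(APCLERK) LMTCPB(*YES) SPCAUT(*NONE) GRPPRF(JDEUSERS)

/* 6. Verify the result.                                                */
DSPUSRPRF USRPRF(JDE)
DSPUSRPRF USRPRF(APCLERK)
```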
All IBM i objects are assigned an owner when they are created. Typically, objects in the World system are owned by user JDE. The JDE IBM profile should be disabled from signing on.
IBM i library security is used to simplify the task of setting up and maintaining security, since all objects in a library may be reserved in a few security records versus having to define security for thousands of objects in the library.
IBM i object authorities are used to define for an object which operational authorities, such as *READ, *CHANGE, or *USE, are allowed to a user or group of users. Files are important objects to secure because they contain your valuable information assets. Object authority should not be left wide open (allowing *PUBLIC all access) on file objects. Since a JD Edwards World environment has thousands of files, it is more practical to set object authorities at the library level. If an individual file requires more restrictive object authority, then you should move it to a separate data library with more restrictive authority or you should set up object authority specific to that file.
Note:
The JD Edwards World files that contain security information should be protected from general update access. These files include:
F0003 - Action Code Security
F0003T - Action Code Security Tag
F0103 - Action Code/Search Type Security
F00823 - Advanced Menu Security Master
F0024 - Batch Approval/Post Security
F0001 - Business Unit Security
F00FP - Fast Path Security
F9612 - Function Key Security
F00168 - Generic Text Security
F9425 - Report Writer Form Security
F00042 - User Defined Codes Security
F8201 - Query Group Security File
F8202 - World Writer File/Field level Security
IBM i, beginning with the 6.1 operating system release, provides field level encryption. This protects sensitive information "at rest", meaning that the information is secure when copied to tape or other archival formats. Field level encryption does not secure the information from users on the IBM i who are authorized to access the file object.
IBM i authorization lists simplify security administration by allowing you to group objects with similar security requirements. An authorization list is used to secure a group of objects, and it then defines the users or groups of users and the authorities each user or group has to those objects.
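One way to apply an authorization list to the security files named in the note above, so that general users can read them but not update them. This is an added example, not taken from the Oracle or IBM documentation; the authorization list JDESECAUTL, the group profile SECADMGRP, and the library WORLDDTA are hypothetical names, and only three of the listed files are shown.

```cl
/* Added example. JDESECAUTL, SECADMGRP and WORLDDTA are hypothetical.  */

/* 1. Create the list. AUT(*USE) is the *PUBLIC authority carried by    */
/*    the list: read access, no update.                                 */
CRTAUTL AUTL(JDESECAUTL) AUT(*USE) +
        TEXT('JD Edwards World security files')

/* 2. Give the security administration group update access.             */
ADDAUTLE AUTL(JDESECAUTL) USER(SECADMGRP) AUT(*CHANGE)

/* 3. Secure each security file with the list, then make *PUBLIC        */
/*    authority on the file come from the list rather than the file.    */
GRTOBJAUT OBJ(WORLDDTA/F0003)  OBJTYPE(*FILE) AUTL(JDESECAUTL)
GRTOBJAUT OBJ(WORLDDTA/F0003)  OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

GRTOBJAUT OBJ(WORLDDTA/F0003T) OBJTYPE(*FILE) AUTL(JDESECAUTL)
GRTOBJAUT OBJ(WORLDDTA/F0003T) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

GRTOBJAUT OBJ(WORLDDTA/F0001)  OBJTYPE(*FILE) AUTL(JDESECAUTL)
GRTOBJAUT OBJ(WORLDDTA/F0001)  OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

/* 4. Verify: list the objects secured by the list, and inspect one     */
/*    file. Private authorities granted earlier directly on a file      */
/*    remain in effect and show up here; review them as well.           */
DSPAUTLOBJ AUTL(JDESECAUTL)
DSPOBJAUT  OBJ(WORLDDTA/F0003) OBJTYPE(*FILE)
```

After this, changing who may update the security files means editing entries on the one list instead of touching each file.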
The IBM i adopted authority feature allows users, when running a particular program, to adopt a higher authority for that specific program run. This in turn allows the security administrator to give users less direct authority to objects and to reduce the overall security risk.