What's New for Security in IBM i 7.1

June 27, 2016

IBM added additional security functions in version 7.1 to further establish the Power Systems IBM i operating system as a world-class securable environment.

1. User profile enhancements let you specify an expiration date or expiration interval (number of days) to administer temporary user profiles. Integration with the existing CHGEXPSCDE and DSPEXPSCD commands has been added. Profile deletion is also supported.

2. This version includes an option on the command execution exit point (QIBM_QCA_RTV_COMMAND) to indicate if the exit program should be called before or after (new) the invocation of the command processing program.

3. New options for user command auditing (*CMD) allow you to indicate how the command was run corresponding to the “where allowed to run” parameter on the Create Command (CRTCMD) command:

'Y' maps to *IPGM, *BPGM, *IMOD, and *BMOD

'R' maps to *IREXX and *BREXX

'E' maps to *EXEC

'B' maps to *BATCH

4. A filter is included for the database open (QIBM_DB_OPEN) exit program to selectively invoke the exit program based on the file being open. This enhancement is designed primarily to address performance implications of this exit point.

5. ASP Encryption can be turned on and off, and the encryption key can be changed for an existing user ASP. This also facilitates periodic key rotation.

6. The database is significantly enhanced via support of a function known as “field procedures” or FIELDPROC, designed to encode or decode a field value. For example, this addresses masking and selective encryption/decryption capabilities.

7. Telnet client is enhanced to support SSL connections.

8. It is now possible to audit changes to a Query Manager profile if security auditing is enabled via AUDLVL(*SECURITY).

9. A DB2 system procedure is now included to protect sensitive data. After you set the secure attribute for a column in a specific table, DB2 for i creates the masking for SQL Performance Monitors (Database Monitors) and SQL Plan Cache.

10. Version 7.1 adds enhancements to Work With Functional Usage (WRKFCNUSG) to limit SQL analysis and tuning by users with *ALLOBJ special authority. There are also new authority options for database server (inbound) connections, such as ODBC and JDBC, as a code-free but less granular alternative to network exit programs.

11. DB2 for i authorization catalogs are extended to indicate the name of the Authorization List related to user access to the object.

12. There are numerous enhancements for DB2 for i services, including Display_Journal function.

13. IBM i Navigator is enhanced make it easier to analyze audit (QAUDJRN) and data journals. A new look is provided without client software to manage.

14. A new QIBM_QSP_SECURITY exit point allows more granular control to individual spooled files. Access granted by this exit program can override the necessity for object authority to the output queue and control of the users’ own spooled files.

15. SSL support is enhanced to include TLS v1.1 and v1.2, including the IBM HTTP server for i.

16. Provision is given for TCP/IP accept(), connect(), and listen() APIs to monitor connection time functions.



Related Solutions