Managing Authentication for Exit Point Logon Requests

These steps guide you through the process of setting up authentication for exit point logon requests.

SecurID supports authentication for the following IBM i exit points:

  • *FTP
  • *DDM
  • *DRDA
  • *FILESRV
  • *FTPSLOG
  • *FTPSVAL
  • *REXECSLOG
  • *SIGNON
  • *SQL
  • *TELNET

WARNING: After enabling SecurID for exit point logon requests, users may receive more authentication prompts than necessary (particularly for the *SIGNON server). If this is the case, you can suppress authentication during an interactive session for a set time period after an initial successful authentication by enabling SecurID's Authentication Suppression feature. See the 'Time period of suppression' and 'Use QINACTITV system value' parameters in the Emergency Override Setup screen for details.

Prerequisites

  • Ensure that the SecurID software is loaded and the relevant software keys have been applied.
  • SecurID controls a single subsystem, called 'ACEDTI'. Review it on a regular basis to ensure that it is active. Where possible, modify your system start-up program to run the command @ACE/STRACEDTI so that the subsystem is started at IPL.
  • Any IBM i profile name(s) used when following this guide must be able to authenticate with an RSA Authentication Manager.
  • Additional software, referred to as “Remote Authentication software” must be installed. For details, see the Installing SecurID Remote Authentication section in the Powertech RSA SecurID Agent for IBM i Installation Guide on the Fortra Support Portal.
  • If IBM i V7R5M0 is installed and you are using the *FILESRV exit point to control enrolled users, you must use exit point format PWFS0200 instead of PWFS0100.

Configuring Port Connections

Use the following steps to configure the RSA SecurID Agent for communications between the IBM i system and the machine (Windows, AIX, UNIX, etc.) that will be originating the logon requests.

  1. From the Master Menu, choose option 8, Work with TCP/IP port connections. The Work with TCP/IP Connections screen appears.
  2. If Product GENSVR2 does not exist in the displayed list, press F6 (Add) to choose it from a list. If GENSVR2 does exist, enter 2 next to it. The Maintain TCP/IP Connection Details screen appears.
    NOTE: GENSVR2 is the general server; it communicates on port 7970 by default.
  3. If RMTSDIAUT does not exist in the displayed list, press F6 (Add). If RMTSDIAUT does exist, enter 2 next to it. The Maintain TCP/IP Connection Details screen appears.
  4. Enter or confirm the port number. This number must match the TCP/IP port number configured on the PC in the Settings window of SecurID Remote Authentication. Press Enter.
  5. Press Enter at the Maintain server control parameters screen, then press Enter again. Press F3 to exit the program and return to the Master Menu.
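Before moving on to the exit point configuration, it is worth confirming that the port entered for RMTSDIAUT is actually reachable and that the IBM i side and the PC side agree on the number; a mismatch or a host firewall on the PC is the usual reason the SecurID challenge window never appears. The following pre-flight check is an added example, not part of the Powertech documentation or product: it opens a plain TCP connection (sending no data) to the host and port you supply, and compares the two configured port numbers. The host name, the port values and the helper names (check_port, preflight, local_listener) are assumptions for illustration; run it from any machine that sits on the same network path as the IBM i, or from the IBM i itself if Python is installed there.

```python
import socket
import threading
from contextlib import contextmanager

# From the page: GENSVR2 listens on this port by default.
DEFAULT_GENSVR2_PORT = 7970


def check_port(host: str, port: int, timeout: float = 3.0) -> dict:
    """Attempt a TCP connect to host:port and report the outcome.

    Nothing is sent on the connection; this only tells you whether a
    listener is reachable through any intervening firewalls.
    """
    result = {"host": host, "port": port, "reachable": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout):
            result["reachable"] = True
    except OSError as exc:  # refused, timed out, unreachable, DNS failure
        result["error"] = exc.__class__.__name__
    return result


def preflight(pc_host: str, ibmi_rmtsdiaut_port: int, pc_settings_port: int,
              timeout: float = 3.0) -> list:
    """Return a list of findings (empty list means the link looks good).

    ibmi_rmtsdiaut_port is the value entered on the IBM i for RMTSDIAUT;
    pc_settings_port is the value shown in the SecurID Remote Authentication
    Settings window on the PC. The page requires the two to match.
    """
    findings = []
    if ibmi_rmtsdiaut_port != pc_settings_port:
        findings.append(
            f"port mismatch: IBM i RMTSDIAUT={ibmi_rmtsdiaut_port}, "
            f"PC Settings={pc_settings_port}")
    probe = check_port(pc_host, pc_settings_port, timeout)
    if not probe["reachable"]:
        findings.append(
            f"{pc_host}:{pc_settings_port} not reachable ({probe['error']}); "
            "check that Remote Authentication is running and the PC firewall "
            "allows inbound connections on that port")
    return findings


@contextmanager
def local_listener():
    """Stand-in for the PC's Remote Authentication listener, used only so the
    check can be exercised offline; yields the ephemeral port it bound."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        yield port
    finally:
        stop.set()
        worker.join()
        srv.close()


def unused_port() -> int:
    """Pick a port that nothing is listening on (constructed for testing)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Assumed values: replace with the PC's host name and the real ports.
    for line in preflight("securid-pc.example", 5500, 5500) or ["link OK"]:
        print(line)
```

A successful probe only proves the port is open; it does not prove the listener is the SecurID Remote Authentication service. Follow it with the FTP logon test in the next section to confirm the challenge window appears.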

Authenticating Exit Point Logon Requests

  1. From the Master Menu, select option 10, Work with Client Application Availability. The Work with Available PC Support Apps screen appears.
  2. If the Application Name you would like to secure (*FTPSLOG, *DDM, *SQL, etc.) does not exist in the displayed list, press F6 (Create) to select it from a list. If the application name does exist in the list, enter 2 next to it and press Enter. The Maintain PC Support Availability screen appears.
    NOTE:
    IBM i provides three different “exit point formats” for the FTP Server Logon exit point: TCPL0100, TCPL0200 and TCPL0300. Only one of these formats can be active at any one time. SecurID performs some validation to ensure that only one of these formats is active at any given time. If you are already using one of the FTP Server Logon exit point formats and select a different format within SecurID, IBM i will not allow SecurID to activate your chosen format.
    The REXEC Server Logon exit point has two formats, TCPL0100 and TCPL0300, which are handled in the same way as the FTP formats.
  3. Enter the following value:
    Authentication requests: S
    NOTE: S indicates that SecurID will require authentication only for profiles set to Y (under the SecurID column) in the Work with Profiles for SecurID Agent screen. A indicates that all profiles will require authentication. If this field is left blank, SecurID will not authenticate this exit point for any profile (even if Activate PCS Checking has been set to Y in the Activate-De-activate PCS Validation screen).
  4. Press Enter.
  5. Press F3 to exit the program and return to the Master Menu.
  6. From the Master Menu, select option 4, Activate/de-activate remote authentication option, and press Enter.
  7. Set Activate PCS checking? to Y and press Enter.
  8. Log on to the appropriate PC.
    NOTE: SecurID will not authenticate exit points whose 'Authentication Requests' parameter is left blank in the Maintain PC Support Availability screen (even if Activate PCS Checking has been set to Y in the Activate-De-activate PCS Validation screen). If the challenge window does not appear during the test below, check this parameter first.
  9. Test authentication by attempting to start, for example, an FTP session with the IBM i:

    Start > Run > ftp <IBM i>

    Where:

    <IBM i> is the name or TCP/IP address of the IBM i LPAR.

  10. Enter the requested details in the “SecurID challenge” window that appears on the PC and click OK.

See Configuring SecurID Remote Authentication to map and sync IBM i users with the PC.

See Authenticating Exit Point Logon Requests to authenticate logon requests from your PC.