2.1.2 Network Security

During installation, the xxxPGMLIB and QOTHPRDOWN user profiles are created with a default password of LANSA. You need to change these passwords to make your system secure.

You can restrict access to your JSM instance by using TCP/IP client address filtering.

The JSM instance can be configured to only accept connections from specified TCP/IP clients.

For example, if you are running a JSM instance on your IBM i and the LANSA or RPG client programs are running on the same machine (partition), then you can use the LOOPBACK (127.0.0.1) address.

In that configuration, the JSM server listens on port 4560 at address 127.0.0.1 and only accepts clients from 127.0.0.1.

Using the LOOPBACK address means that no communication traffic extends to the physical card.

Another machine or a network scanner therefore cannot access the TCP/IP interface.

tcp.port=4560
tcp.backlog=20
tcp.interface=127.0.0.1
tcp.client.address=127.0.0.1

Multihomed LOOPBACK address

You can use a separate LOOPBACK address for each of several JSM instances, which lets all of them use the same port number.

tcp.port=4560
tcp.interface=127.0.0.1

tcp.port=4560
tcp.interface=127.0.0.2

Add the additional LOOPBACK interface with the ADDTCPIFC command:

ADDTCPIFC INTNETADR('127.0.0.2') LIND(*LOOPBACK) SUBNETMASK('255.0.0.0')

GO CFGTCP

  1. Work with TCP/IP interfaces

     10.2.0.173       255.255.0.0      ETHLINE      *ELAN
     127.0.0.1        255.0.0.0        *LOOPBACK    *NONE
     127.0.0.2        255.0.0.0        *LOOPBACK    *NONE

Remember that you need to start the 127.0.0.2 interface.

   PING '127.0.0.1'
   PING '127.0.0.2'

ADDTCPIFC *LOOPBACK help

The interface being changed is the loopback or LOCALHOST interface.

Because processing associated with loopback does not extend to a physical line, there is no line description associated with a loopback address.

This special value must be used for any INTNETADR that has a first octet value of 127.
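
The following added example (not part of the LANSA documentation) audits the tcp.* properties of several JSM instances for the points made in this section: a listener bound to a non-LOOPBACK interface, a missing tcp.client.address filter, and two instances that share the same interface and port. The instance names, the dictionary input format and the address 10.2.0.50 are constructed for illustration, and the check assumes each property value is a single IP address, as in the examples on this page.

```python
import ipaddress

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def is_loopback(value):
    """True only for a single IP address in the loopback range (127.0.0.0/8)."""
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:
        return False

def audit(instances):
    """Return findings for a dict of {instance name: properties text}."""
    findings, seen = [], {}
    for name, text in instances.items():
        p = parse_properties(text)
        iface, port = p.get("tcp.interface"), p.get("tcp.port")
        if iface is None:
            findings.append(f"{name}: tcp.interface not set, check what the listener binds to")
        elif not is_loopback(iface):
            findings.append(f"{name}: tcp.interface={iface} is not a LOOPBACK address")
        if "tcp.client.address" not in p:
            findings.append(f"{name}: tcp.client.address not set, no client filtering")
        # Instances may share a port only when their interfaces differ.
        if (iface, port) in seen:
            findings.append(f"{name}: {iface}:{port} already used by {seen[(iface, port)]}")
        seen.setdefault((iface, port), name)
    return findings

# Constructed sample input: jsm1 is this page's loopback configuration;
# jsm2 to jsm4 and the address 10.2.0.50 are made up for illustration.
SAMPLE = {
    "jsm1": "tcp.port=4560\ntcp.backlog=20\ntcp.interface=127.0.0.1\ntcp.client.address=127.0.0.1",
    "jsm2": "tcp.port=4560\ntcp.interface=127.0.0.2",
    "jsm3": "tcp.port=4560\ntcp.interface=10.2.0.173\ntcp.client.address=10.2.0.50",
    "jsm4": "tcp.port=4560\ntcp.interface=127.0.0.1\ntcp.client.address=127.0.0.1",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```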