It's been a comedy. First they told me:

-RPC/DPC (remote/distributed program call) is used by
-several Client Access functions such as:
-
-ODBC (database access)
-Retrieve lists
-Create/Delete/Modify objects
-Management Central
-
-Evidently some of your clients do not use ODBC and/or
-Operations Navigator functions.

The phrases "several... such as", and "evidently some" are not terribly credible coming from a support center. I was kind of hoping for documented expertise rather than conjecture. Later in the PMR they say:

-My research indicates
-that once the client is able to acquire the info it needs
-from the AS/400-iSeries, it will probably not try to
-access the rmtcmd server for a while, but it is safe to
-say that sooner or later, it will request usage
-information again via the remote command server and will
-again require port 8475.

"My research indicates ... it will probably..." ???!!! "sooner or later" !!!??? Gee, can they really afford to get THAT technical?

The fact remains that I had one client that was able to connect reliably over several days of logging in, disconnecting, rebooting, and even an IPL. The other clients hit the remote command server every time they connected. If I opened the port, allowed connections, and closed the port the clients would fail the very next time. The behavior is not consistent with this guy's "research".

This mention of "usage information" suggests that Vern is right about remote command calls being used for licensing, not authentication. There's a way to do it, but either the support center won't tell me or they aren't willing to ask someone how CA Express really works.

Client Access has always been bloatware. I had thought that CA Express thinned things out. It looks like they've got a long way to go. I think that software developers should have to work in customer sites for a year at a time, implementing their products in the real world context of a full IS Audit.
These Client Access folks have been in the lab too long.

Waah again.

-Jim

-----Original Message-----
From: John Earl [mailto:john.earl@powertechgroup.com]
Sent: Friday, November 22, 2002 2:50 PM
To: midrange-l@midrange.com
Subject: RE: CA remote command server port

>I've asked, "How do I prevent PC5250 from using remote command
>server?" and "Under what circumstances does a PC5250 session connect
>without making a remote command server request?" I've requested that they
>explain the difference between the sessions and explain the circumstances
>that would require a remote command server call.

Good luck! I'm not sure there is anyone at IBM who can, (or wants to) tell you. This is really a cluster. I don't have a problem with the fact that a user has to be authenticated, my beef is with the idea that in order to use Client Access a user has to be authorized to execute remote commands. If all of the OS commands were locked down from *PUBLIC, this might not be important, but because *PUBLIC can use a couple thousand commands, having Client Access and OpsNav use remote commands is a big mess.

If only someone could send you the details on what causes their remote command to get fired off. <sigh>

jte

John Earl - john.earl@powertechgroup.com
The PowerTech Group - Seattle, WA
+1-253-872-7788 - www.powertech.com

-----Original Message-----
From: midrange-l-admin@midrange.com [mailto:midrange-l-admin@midrange.com] On Behalf Of Jim Damato
Sent: Thursday, November 21, 2002 1:15 PM
To: 'midrange-l@midrange.com'
Subject: RE: CA remote command server port

Thanks John. You've confirmed what I've suspected.

I've used web support to log a problem on the matter, and now I'm involved in a headache-inducing exchange with support. I've reported that some clients are able to connect just fine and I've asked, "How do I prevent PC5250 from using remote command server?" and "Under what circumstances does a PC5250 session connect without making a remote command server request?"
I've requested that they explain the difference between the sessions and explain the circumstances that would require a remote command server call. All I'm getting back is "we know what your problem is -- you need to enable port 8475 and remote command server and this is how you do it."

I can't believe that presenting an emulated terminal requires authentication in the first place, let alone internally executed remote command calls. I can launch Windows telnet and get to a sign on screen without all this crap. It's even more bizarre that it's not predictable.

Waah.

-Jim

-----Original Message-----
From: John Earl [mailto:john.earl@powertechgroup.com]
Sent: Thursday, November 21, 2002 1:18 PM
To: midrange-l@midrange.com
Subject: RE: CA remote command server port

Jim,

I think what you are referring to is that the Client Access Central Server and/or Signon Server uses Remote Command (in certain cases) to complete the Signon process. This is a wrong-headed implementation by the Client Access team that requires that you allow all of your users to use the remote command server in order to use Client Access - and of course the remote command server allows those same users to run other commands on your iSeries.

It now is much more difficult (but not impossible) for you to limit which commands and programs can be used by the remote users. You're going to have to query those inbound transactions and determine what resources they are trying to access. Port blocking and similar firewall restrictions will only give you all or nothing control over the use of the remote command server. You're going to have to get more granular in order to get any real security.
jte

John Earl - john.earl@powertechgroup.com
The PowerTech Group - Seattle, WA
+1-253-872-7788 - www.powertech.com

-----Original Message-----
From: midrange-l-admin@midrange.com [mailto:midrange-l-admin@midrange.com] On Behalf Of Jim Damato
Sent: Wednesday, November 20, 2002 9:05 AM
To: midrange-l@midrange.com
Subject: CA remote command server port

I need some help understanding how Client Access Express uses remote command server (PC to AS/400). Remote command supposedly uses port 8475, which we have turned off from certain network entry points. Some of our CA Express users can get in, but others fail as they log in to the initial prompt before PC5250.

I can't figure out what's making certain PC client configurations think they need port 8475 for remote command, and I can't figure out how to remove the requirement from their CA configuration. There's nothing I can find in CA Express administration that explicitly mentions remote command functions, or where it might be selected and used.

Does anyone have any experience with this?

Much thanks...

-Jim

James P. Damato
Manager - Technical Administration
Dollar General Corporation
<mailto:jdamato@dollargeneral.com>