Great, thanks!

-----Original Message-----
From: GKern@xxxxxxxxxxxxxxxx [mailto:GKern@xxxxxxxxxxxxxxxx]
Sent: Thursday, October 13, 2005 12:55 PM
To: midrange-l@xxxxxxxxxxxx
Subject: RE: Using HATSLE


Bryan,

"What was involved in locking it down?  Does the server have to use the 
iSeries user IDs and passwords?" 

To lock it down, after I configured IAFW and got it running, in IAFW, I 
had to (as qsecofr) first verify that all users belong to a group profile 
(they did). Then for each group profile, review all the options available 
in IAFW, and basically change the ALLOW access attribute to DENY for 
everything (well almost everything except for some of the stuff required 
to enable users to use the 5250 stuff). It was tedious at first, trial and 
error, and the most time consuming part, but once done for one group 
profile, IAFW lets you copy a config to other group profiles. I spent 10 
hours on Saturday on our test system for everything from start to finish 
including config, setup, lockdown and testing. Sunday it took 3 hours to 
clone everything I learned on Saturday to our production system.

And yes iSeries authentication is used since users are logging on to the 
iSeries.

We also don't have our iSeries systems available over the internet. Users have to 
use our ipsec vpn or ssl vpn client to connect to our network. Once 
they've established contact through the vpn they just click on a shortcut 
that links to IAFW where they are prompted to authenticate with the 
iSeries. Once that is done the browser presents a page where they click on 
the start session button which uses their authentication to bypass logging 
on again and the session starts at their initial menu. At that point 
they're on the iSeries. (During setup, I configured a generic session for 
users and 'shared' it with each of the group profiles. This eliminates 
users from doing their own setup and leaves me in control of what they can 
and cannot do. I also created a macro (and 'shared' it too) to capture the 
iSeries authentication, which enables bypassing logging on when starting 
the 5250 session.)

"We do pay annual maintenance so IAFW could save us some money." 

Yes provided that IAFW does what you want. I also didn't experiment with 
any of the printing features so I can't comment on printing in IAFW.

Here is a link with the steps I used to configure IAFW using TOMCAT. I 
followed it step by step and it worked first time on both systems for me. 

http://www-03.ibm.com/servers/eserver/iseries/access/web/pdf/v5r3_iwa_asftomcat.pdf

One thing to my advantage was at Common last month I attended numerous 
sessions regarding IAFW. At that time I didn't know squat about the 
product, and during my setup I did refer to my handouts (containing very 
bad and very few notes), but one in particular was most helpful. That 
session was IAFW Setup and Config presented by Doug Beauchene. The 
handout is 13MB so I can't email it due to its size exceeding our 10MB 
email limit.

HTH

Regards, Jerry

Gerald Kern
MIS Project Leader, Lotus Notes/Domino Administrator
IBM Certified RPG IV Developer, RPG IV Programmer
The Toledo Clinic, Inc.
4235 Secor Road
Toledo, OH 43623-4299
Phone 419-479-5535
gkern@xxxxxxxxxxxxxxxx
