Re: Can a DDMF point to localhost?

[CRPence <CRPbottle@xxxxxxxxx>]

  As I understand it, the server authority entry will just replace 
the USRID and optionally the PASSWORD for the requester.  If no 
server authority entry exists which matches the request [resolving 
specific to generic], the current user profile name and password is 
used for the connection user ID in negotiating a connection.  Thus 
*IP DDM files should be functional without any ADDSRVAUTE, neither 
for the QDDMSERVER nor RDB-name [nor *ALL as a more generic catch] 
as the SERVER(), at least when there is a matching user profile & 
password on the remote system.?

  The use of the RDB as redirect for the DDM file on how to 
negotiate the connection, enables indirectly an additional RMTAUTMTH 
[Remote Authentication Method] parameter [on the ADDRDBDIRE], with 
an optional ability to restrict or enable negotiating a lower [less 
secure] authentication method.  The default security method or 
mechanism [called SECMEC in a link below] used for DDM files is 
essentially the *USERIDPWD, but has no option to control if a higher 
or lower authentication method is used in response to the UserID and 
password that gets sent; i.e. use of just *USRID may be negotiated, 
for only a user identifier required to establish the connection [if 
the CHGDDMTCPA has *NO set for its PWDRQD() "password required" 
parameter], for which I infer the default user QUSER in the QRWTSRVR 
is used like for an *SNA connection default user.?

http://publib.boulder.ibm.com/infocenter/iseries/v5r3/topic/ddm/rbae5sourcesecurity.htm
http://publib.boulder.ibm.com/infocenter/iseries/v5r3/topic/ddm/rbae5failures.htm
http://publib.boulder.ibm.com/infocenter/iseries/v5r3/topic/ddp/rbal1elementsusetcp.htm

Regards, Chuck

Evan Harris wrote:
> My recollection was that DDM files defined over an IP connection
> require a server authentication entry.
>
> First time I defined that stuff was at V5R2 so I have no
> recollection of what V5R1 had or didn't have. Come to think of it
> - I don't remember working on V5R1 except for a couple of test
> boxes.
>
> Vern Hamberg wrote:
> > I looked at a v5r4 machine and saw no entries for my profile.
> > Those don't even exist on our v5r1 machine.
> >
> > Seems I remember you saying something about IASPs in this
> > context - but I've not tested that kind of thing.
> >
> > Confused!!
> >
> > Evan Harris wrote:
> > > Yes it can be done. I've seen it done a couple of different
> > > ways.
> > >
> > > Do you have the DDM Server started and also does it require a
> > > password ?
> > >
> > > Note also when setting up TCP DDM files that you need to add
> > > a server authentication entry ADDSVRAUTE for the target
> > > system.
> > >
> > > Jose Antonio Salazar wrote:
> > > > I was asked if a small set of DDMFs can be created pointing
> > > > to the same IBM i. That way we could use a single machine
> > > > for development.
> > > >
> > > > Using RMTLOCNAME(MYSYSTEM *SNA) and attempting a DSPPFM
> > > > fails with: "Remote location AFIRMED for program device
> > > > DDMDEVICE was not found."
> > > >
> > > > Using RMTLOCNAME(LOCALHOST *IP) or RMTLOCNAME('127.0.0.1'
> > > > *IP) and attempting a DSPPFM fails with: "A remote host
> > > > refused an attempted connect operation."
> > > >
> > > > I'm not knowledgeable enough about device or network
> > > > configuration to conclude that it can't be done, though.