Is a special authority needed for active socket connections?

45 pts.
Tags:
PHP
Socket
Special Authorities
Audit log entries for the user QTMHHTTP of type AF subtype K are created, if a PHP script requests a socket connection like LDAP or HTTP with CURL. Does QTMHHTTP need a special authority for this? Which one: *IOSYSCFG, *JOBCTL ... ?

Software/Hardware used:
V5R4, ZendServer

Answer Wiki

Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Discuss This Question: 9  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • TomLiotta
    For AF entries, detail type K means "An attempt was made to perform an operation for which the user did not have the required special authority." I don't have a Zend/PHP configuration to experiment with for now, but I wouldn't be comfortable adding any special authority to any server profile in any case. What objects show up in audit entries? Tom
    125,585 pointsBadges:
    report
  • Gfroehlich
    In the audit entries are no object information: *INSTR/*N/*N There is one entry of thousands that shows a path information. This points to the socket used for communication between native apache and PASE PHP jobs. The reason why I'm thinking that the entries happen at opening remote socket connections, are the remote ports in the audit log entries: 389=LDAP, 80=HTTP (SOAP requests) and 10137=ZendServer remote debug. Is it possible that a bind to a remote socket needs *IOSYSCFG? Gabriel
    45 pointsBadges:
    report
  • TomLiotta
    The "*INSTR" part should be saying that a machine instruction signaled the violation. The "*N/*N" part is for the Object Library and Object Name subfields; but I wouldn't expect those to have anything but "*N" in them for this. What would be more useful would be anything in the path or folder fields farther out in the AF format. What are you using to view the entries? I've never needed any authorities for general sockets work. Zend/PHP runs on a couple of our systems with no problems, though we're not accessing LDAP through it. Tom
    125,585 pointsBadges:
    report
  • Gfroehlich
    I'm using DSPJRN or DSPAUDJRNE and create a file with it. There is only one record with a path information with type A not K, this was possibly a wrong file permission on the socket. The rest has no additional information except the port. Is there something that I can do to get more information? Gabriel
    45 pointsBadges:
    report
  • Rayj1031
    Try the CPYAUDJRNE command. http://publib.boulder.ibm.com/infocenter/iseries/v6r1m0/index.jsp?topic=/cl/cpyaudjrne.htm This command was added in v5r4m0. I have not experimented with this command but since it was just released I would expect it to provide the most information.
    335 pointsBadges:
    report
  • Gfroehlich
    To use CPYAUDJRNE makes no difference in the result: there is no object or path information ore any other information that gives me a hint on what authority is missing. Gabriel
    45 pointsBadges:
    report
  • TomLiotta
    I’m using DSPJRN or DSPAUDJRNE and create a file with it. Use DSPJRN or CPYAUDJRNE -- DSPAUDJRNE is only okay for basic overviews. It should not be used for precise details. See MustGather: Security Issues and Using Auditing to Track Spooling Activity for a couple of the various documents that discourage the use of DSPAUDJRNE for specific analysis. As for the actual problem, I see a V5R3 document, DSPAUDJRNE Shows Numerous AF K Entries after Upgrading to R530, that could apply equally well to V5R4. It looks as if adding *JOBCTL to the QTMHHTTP is worth a try in order to verify that it is the problem. If the problem disappears, then it becomes one of seeing if any alternative exists. Tom
    125,585 pointsBadges:
    report
  • Gfroehlich
    To give the user QTMHHTTP *JOBCTL let the problem disappear. Will see if our audit team accepts this change or not. If somebody has an idea for an alternative, please let me know. Thanks Gabriel
    45 pointsBadges:
    report
  • TomLiotta
    Will see if our audit team accepts this change or not. With the IBM document to justify the change, it could be acceptable. Still, I would make a call to IBM Support and ask for some specific justification for the requirement or for IBM-recommended alternatives. Tom
    125,585 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following