
Transferring methods that remove the object signature

In document IBM System i Security Guide (Page 178-183)

Transferring objects to another system as FTP stream files, or by cut and paste on mapped drives, removes the object’s signature. The signature is removed because an i5/OS object signature can cause problems on a target system that does not support i5/OS object signatures.

7.2.5 Prerequisites

You need the following licensed program products (LPPs) installed on your system to use object signing:

• 5722-SS1 Option 34 Digital Certificate Manager

• 5722-DG1 HTTP Server for i5/OS (for using DCM)

You also need to have the HTTP ADMIN server active on the system since the DCM is run through a Web browser interface.

7.3 Virus scanning

In V5R3, support was added to i5/OS that allows a third-party vendor to write virus scanning software and plug it into i5/OS.

7.3.1 Exit points

For virus scanning to work, the product needs to register itself to the following new exit points:

• QIBM_QP0L_SCAN_OPEN

• QIBM_QP0L_SCAN_CLOSE

To limit the performance impact of virus scanning, the System i development team has implemented a way to manage scanning operations that is far superior to what you typically find for PC-based scanning techniques when run against the integrated file system:

• With the System i architecture, i5/OS keeps track of scanning activities and file changes.

• Only when a file changes or the virus definition file is updated does i5/OS call the exit program (scanning software) to scan files for viruses.

• Even in an independent auxiliary storage pool (IASP) environment where disk subsystems can be moved between systems, scanning statistics are maintained across system boundaries, so that no new scanning must be done. This requires that the virus definition files are kept in sync on the systems.
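A simplified model of the bookkeeping described above, written for this page and not i5/OS code: each stream file remembers the content it was last scanned as and the definition level in force at that time, so the registered open exit program is called only when the file changed or the definitions were updated, and the records can travel with an IASP to another system. The file paths, definition-level strings and `demo_scanner` are constructed for the example.

```python
import hashlib


class ScanTracker:
    """Per-system scan bookkeeping: content digest, definition level and result per file."""

    def __init__(self, definition_level):
        self.definition_level = definition_level  # constructed: virus definition file version
        self.records = {}                         # path -> (digest, definition_level, result)
        self.exit_calls = 0                       # how often the exit program was really called

    def update_definitions(self, new_level):
        """A new definition file invalidates every cached result at once."""
        self.definition_level = new_level

    def on_open(self, path, content, scan_exit_program):
        """Open-time decision. Returns (scan result, whether the exit program was called)."""
        digest = hashlib.sha256(content).hexdigest()
        rec = self.records.get(path)
        if rec and rec[0] == digest and rec[1] == self.definition_level:
            return rec[2], False                  # unchanged file, current definitions: skip
        result = scan_exit_program(content)       # stands in for the QIBM_QP0L_SCAN_OPEN program
        self.exit_calls += 1
        self.records[path] = (digest, self.definition_level, result)
        return result, True

    def vary_off_iasp(self, prefix):
        """Scan statistics leave the system together with the IASP's objects."""
        moved = {p: r for p, r in self.records.items() if p.startswith(prefix)}
        for p in moved:
            del self.records[p]
        return moved

    def vary_on_iasp(self, records):
        """Imported statistics are only honoured while the definition levels match."""
        self.records.update(records)


def demo_scanner(content):
    """Constructed stand-in for a vendor scan exit program."""
    return "infected" if b"TEST-SIGNATURE" in content else "clean"
```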

7.3.2 System values

The new system value, Scan File Systems (QSCANFS), controls whether virus scanning is performed. You can set this value to:

• Scan objects of type *STMF that are in *TYPE2 directories in the root(/), QOpenSys, and user-defined file systems (*ROOTOPNUD)

• Perform no scanning (*NONE)

The second system value, Scan File Systems control (QSCANFSCTL), controls scanning behaviors and properties. Valid QSCANFSCTL parameter values include:

• *NONE: This indicates that the system uses the following scanning options when calling the registered exit programs:

– Perform write access upgrades

– Fail close request if scan fails during close

– Scan on next access after object is restored

• *FSVRONLY: When you select this option (Scan accesses through file servers only), only access from a file server to the system is scanned. Access through the Network File System (NFS) is scanned as well as other file server methods. However, native or direct connections to the system are not scanned. If this option is not selected, all access is scanned regardless of whether you connect directly to the system or through a file server.

• *ERRFAIL: When you select this option (Fail request if exit program fails), you specify to fail the request or operation which triggered the call to the exit program, if there are errors when the exit program is called. Possible errors may be that the program is not found or the program is not coded properly to handle the exit program request. If such an error happens, the requested operation receives an indication that the object failed a scan. If this option is not selected, the system skips the failing exit program and treats the object as though it was not scanned by this exit program.

• *NOWRTUPG: When you select this option (Perform no write access upgrades), you specify that you do not want to allow the system to upgrade the access for the scan descriptor passed to the exit program to include write access. Do not use this option if you want the exit program to fix or modify objects even though they were originally opened with read-only access. This option does not upgrade the access to include write access.

• *USEOCOATR: By selecting this option (Use only when objects have changed), the system uses the specification of the “object change only” attribute to scan the object if it has been modified (not also because scan software has indicated an update). If this option is not specified, the “object change only” attribute is not used. Then, the object is scanned after it is modified and when scan software indicates an update.

• *NOFAILCLO: By selecting this option (Fail close request if scan fails during close), the system does not fail the close request if an object failed a scan during close processing. This option applies only to close requests. This value overrides the *ERRFAIL specification for close processing, but not for any other scan-related exit points.

• *NOPOSTRST: When you select this option (Scan on next access after object has been restored), objects are not scanned simply because they are restored. Scanning depends on the object’s scanning attribute. In general, it is good practice to scan restored objects at least once.

Do not select *NOPOSTRST if you want objects to be scanned at least once after being restored regardless of their object scan attribute.

7.3.3 Setting security policy properties for virus scanning

You have the option to set your virus scanning options with iSeries Navigator. To select the virus scanning control options:

1. From iSeries Navigator, expand Security and click Policies.

2. In the right pane, right-click Security Policy and select Properties (see Figure 7-3).

Figure 7-3 Selecting the Security Policy properties

Important: If you scan the integrated file system using a PC mapped to your system through iSeries NetServer™, the following actions occur:

• It uses up network resources.

• It moves data across the network in the clear.

• It might cause scanners to go into infinite loops.

3. In the Security Policy Properties window (Figure 7-4), click the Scan tab. You can now select the scanning options that are appropriate for you.

Figure 7-4 Security policy properties: Scan tab

The Use registered exit programs to scan the root(/), QOpenSys, and user-defined file systems option is equal to the system value QSCANFS.

Selecting this option is the same as setting system value QSCANFS to *ROOTOPNUD. The Scan control option and the six Scan control options represent the system value QSCANFSCTL.

After you select the necessary options, click OK.

Important: Three QSCANFSCTL values are worded as the opposite of their Scan control options in the Security Policy Properties in iSeries Navigator. Perform no write access upgrades (*NOWRTUPG) is the inverse of the Perform write access upgrades option, No fail close request if scan fails (*NOFAILCLO) is the inverse of the Fail close request if scan fails during close option, and No scan on next access after object has been restored (*NOPOSTRST) is the inverse of the Scan on next access after object has been restored option.
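The following resolver, added here as an example and not taken from the guide or from i5/OS, turns a QSCANFS value and a list of QSCANFSCTL values into the effective behaviour described in 7.3.2, shows the matching Navigator Scan tab checkbox states with the three inverted options from the note above, and prints the CHGSYSVAL commands that would apply the same settings (the quoted blank-separated form for list system values is assumed from CHGSYSVAL's usual syntax).

```python
QSCANFSCTL_VALUES = {"*NONE", "*FSVRONLY", "*ERRFAIL", "*NOWRTUPG",
                     "*USEOCOATR", "*NOFAILCLO", "*NOPOSTRST"}


def effective_scan_control(qscanfs, qscanfsctl):
    """Resolve the two system values; *NONE stands for the three defaults."""
    if qscanfs not in ("*ROOTOPNUD", "*NONE"):
        raise ValueError("QSCANFS must be *ROOTOPNUD or *NONE")
    values = set(qscanfsctl)
    unknown = values - QSCANFSCTL_VALUES
    if unknown:
        raise ValueError("unknown QSCANFSCTL value(s): %s" % sorted(unknown))
    if "*NONE" in values and len(values) > 1:
        raise ValueError("*NONE cannot be combined with other values")
    eff = {
        "scanning_enabled": qscanfs == "*ROOTOPNUD",
        "file_server_access_only": "*FSVRONLY" in values,
        "fail_request_on_exit_error": "*ERRFAIL" in values,
        "write_access_upgrade": "*NOWRTUPG" not in values,      # default: upgrade
        "object_change_only_attr": "*USEOCOATR" in values,
        "fail_close_on_scan_failure": "*NOFAILCLO" not in values,  # default: fail close
        "scan_after_restore": "*NOPOSTRST" not in values,        # default: scan
    }
    # *NOFAILCLO overrides *ERRFAIL for close processing only
    eff["fail_close_on_exit_error"] = (eff["fail_request_on_exit_error"]
                                       and "*NOFAILCLO" not in values)
    return eff


def navigator_scan_tab(qscanfs, qscanfsctl):
    """Checkbox states on the Scan tab; three boxes are the inverse of *NO... values."""
    eff = effective_scan_control(qscanfs, qscanfsctl)
    return {
        "Use registered exit programs to scan the root(/), QOpenSys, "
        "and user-defined file systems": eff["scanning_enabled"],
        "Scan accesses through file servers only": eff["file_server_access_only"],
        "Fail request if exit program fails": eff["fail_request_on_exit_error"],
        "Perform write access upgrades": eff["write_access_upgrade"],
        "Use only when objects have changed": eff["object_change_only_attr"],
        "Fail close request if scan fails during close": eff["fail_close_on_scan_failure"],
        "Scan on next access after object has been restored": eff["scan_after_restore"],
    }


def chgsysval_commands(qscanfs, qscanfsctl):
    """CL commands applying the same settings (assumed CHGSYSVAL list syntax)."""
    effective_scan_control(qscanfs, qscanfsctl)  # validate before emitting anything
    return ["CHGSYSVAL SYSVAL(QSCANFS) VALUE(%s)" % qscanfs,
            "CHGSYSVAL SYSVAL(QSCANFSCTL) VALUE('%s')" % " ".join(qscanfsctl)]
```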
