STRPCCMD - PC command listener - 7.1 - Security

[bruceanthony]

I just finished watching your latest 5.3 webinar.
The new PC listener sounds like and wonderful replacement for the Java applet.
The Java applet takes a long time to load when it is first used after PC REBOOT.
The Java applet can have other strange issues and problems and at it is no fun to trouble shoot when you have over 150 users.

I have two questions.

Can it be used under IBMi 7.1 OS?
Are there any security issues when using the listener?

Thank you.

[Scott Klement]

Can it be used under IBMi 7.1 OS?

The PC Command listener will work with IBM i 6.1 and higher.

In 6.1 and 7.1, the STRPCCMD command limits you to 123 characters or less. In 7.2 this limit was increased. This is an IBM limit, however, not a Profound one. (Our PC Command listener and Java applet both work with either length, and our runPCCommand() API does not have this limit.)

Are there any security issues when using the listener?

The PC Command listener runs on the same PC as the web browser. When a command is sent, it is sent from the browser to the listener, and this is done using the PC's "loopback" or "localhost" interface, so it never goes over the network. For this reason, it is very secure and not exploitable from any other location except the PC it was run on.

However, there is one flaw: The browser will refuse to connect to the PC Command listener if the web page is SSL but the listener is not SSL. When data is sent to the browser with SSL, it will refuse to send it to the PC Command listener over a non-SSL channel. This is NOT a security problem since its never sent over the network, so there's no chance of it being viewed, but the browser THINKS it's a security problem because it's switching from encrypted to non-encrypted, and will refuse to do it.

So if you're connecting to your IBM i with SSL, the PC Command Listener will not work. You will have to use the Java client instead.

If you are connecting to the IBM i without SSL, the PC Command listener will work nicely and there are no security concerns with PC Commands.

[jmendes]

Hi Scott,

Is there any developments beening done, to address the SSL issue?

Right now I cannot use the latest versions os Chrome because it doesn't support JAVA Applets, and cannot use PC command Listener in IE because of the SSL.

Even more, with SSL and all the security the company as implemented in the browser java applet is very slow, specially when it starts. So it would be nice to have PC command listner for SSL as well.

[Scott Klement]

Joao,

Please contact support@profoundlogic.com and put in a feature request. Although we know about this limitation, we have not had any customers request an improvement. Until we have a feature request, we probably won't do anything about it.

-SK