Jim,

Do you happen to remember whether there was a locked padlock symbol at the
lower right of the Host On-Demand window?  If so, that would indicate that
the connection is encrypted.

A few years ago I did an awful lot of work with a particular state
government to help them get Host On-Demand installed and properly secured
for their needs.  In their case the accessible mainframe applications and
data were (are) very valuable and very private, including such things as
the state prison system records.  So we had a lot of reviews, discussion,
design consultations, etc. to configure Host On-Demand appropriately.  What
you observed would not be possible, for example.

But other state systems vary.  There are even a few totally open and public
3270 access points, such as university library book catalog systems.  One
thing that's usually a requirement for any system that demands a logon is
to encrypt the connection.  Otherwise it's much easier for someone to
intercept the logon information (user ID, password).  So if indeed there is
a hole here -- and I agree about reporting it -- then probably the very
first remediation I would take is to get that HOD session encrypted.
(That's assuming the Internet access is needed; often it is.)  I'm not
talking about "https" in the Web address -- that's irrelevant and
unnecessary, actually.  HOD isn't the part that needs protection.  It's the
3270 connection itself, indicated by the padlock at the lower right.  Now,
that may not be sufficient -- it wasn't for my particular state government
customer -- and additional design steps may be warranted.  But it's a basic
configuration setting which is quite important for most.  Ever since at
least OS/390 V2R6 (I think) it has been quite easy to enable SSL for
TN3270E on the host side.

- - - - -
Timothy Sipples
IBM Consulting Enterprise Software Architect
Specializing in Software Architectures Related to System z
Based in Tokyo, Serving IBM Japan and IBM Asia-Pacific
E-Mail: [EMAIL PROTECTED]
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
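The message above distinguishes "https" on the HOD web page from encryption of the 3270 connection itself, and says the padlock at the lower right is what shows the latter. A reviewer who cannot see the client window can make the same determination from the first bytes of the TN3270 session: a TLS-wrapped session opens with a TLS handshake record, while a clear-text TN3270E session opens with Telnet IAC option negotiation (DO TN3270E, DO TERMINAL-TYPE, and so on) that a passive observer can read. The Python below is an added example, not code from the original post or from IBM; the byte strings and the "port 23" / "port 992" labels are constructed for illustration, and the stream labels, function names and the structure of the returned dictionaries are this example's own choices.

```python
"""
Classify the opening bytes of a TN3270 session (as captured on the wire)
as TLS-wrapped or clear-text Telnet negotiation.  Sample bytes are
constructed for this example, not captured from any real host.
"""
from __future__ import annotations

# Telnet constants: IAC prefix, negotiation commands, and the options a
# TN3270E server usually negotiates first (RFC 854, RFC 1091, RFC 885, RFC 2355).
IAC = 0xFF
TELNET_COMMANDS = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}
TELNET_OPTIONS = {0x00: "BINARY", 0x18: "TERMINAL-TYPE",
                  0x19: "END-OF-RECORD", 0x28: "TN3270E"}

# TLS record header: content type 0x16 (handshake), version 0x03 0x0X,
# two length bytes, then the handshake message type.
TLS_HANDSHAKE_RECORD = 0x16
TLS_HANDSHAKE_NAMES = {0x01: "ClientHello", 0x02: "ServerHello"}


def parse_telnet_negotiation(data: bytes) -> list[str]:
    """Decode leading IAC <command> <option> triples into readable strings."""
    decoded: list[str] = []
    i = 0
    while i + 2 < len(data) and data[i] == IAC:
        command = TELNET_COMMANDS.get(data[i + 1])
        if command is None:          # subnegotiation or data; stop here
            break
        option = TELNET_OPTIONS.get(data[i + 2], f"option-{data[i + 2]}")
        decoded.append(f"{command} {option}")
        i += 3
    return decoded


def classify_stream(data: bytes) -> dict:
    """Return kind / encrypted / detail for the first bytes of one session."""
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE_RECORD
            and data[1] == 0x03 and data[2] <= 0x04
            and data[5] in TLS_HANDSHAKE_NAMES):
        return {"kind": "tls", "encrypted": True,
                "detail": TLS_HANDSHAKE_NAMES[data[5]]}
    if data[:1] == bytes([IAC]):
        negotiation = parse_telnet_negotiation(data)
        tn3270e = any(item.endswith("TN3270E") for item in negotiation)
        return {"kind": "tn3270e-plaintext" if tn3270e else "telnet-plaintext",
                "encrypted": False, "detail": ", ".join(negotiation)}
    return {"kind": "unknown", "encrypted": None, "detail": ""}


def audit_capture(streams: dict[str, bytes]) -> list[str]:
    """List every stream whose logon traffic would cross the wire unencrypted."""
    findings: list[str] = []
    for label, first_bytes in streams.items():
        result = classify_stream(first_bytes)
        if result["encrypted"] is False:
            findings.append(f"{label}: {result['kind']} ({result['detail']}); "
                            "logon would cross the wire in the clear")
    return findings


# Constructed samples: a clear-text TN3270E greeting (IAC DO TN3270E,
# IAC DO TERMINAL-TYPE) and the start of a TLS 1.x ClientHello record.
SAMPLE_STREAMS = {
    "port 23": bytes([0xFF, 0xFD, 0x28, 0xFF, 0xFD, 0x18]),
    "port 992": bytes([0x16, 0x03, 0x01, 0x00, 0x2A, 0x01, 0x00, 0x00, 0x26, 0x03, 0x03]),
}

if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_STREAMS):
        print(finding)
```

The check only looks at record and negotiation headers, so it works on a capture truncated after a handful of bytes; a result of "tls" tells you the 3270 session is protected regardless of whether the HOD web page was served over https, which is the distinction the post makes.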