Web terminal access control

The latest Green Screens Web Terminal version contains many new security features, from an included IP filtering engine and enhanced JavaScript Tn5250 API security to better control over web terminal encrypted URLs.

Some of the interesting features we will write about today are:

  • creation of time-limited URL connections for sharing
  • enforcing a browser fingerprint to prevent URL sharing
  • IP filtering

Everyone who has already used our web terminal knows that the web terminal encrypted URL contains encrypted login parameters, which can include UUID, HOST and other optional parameters like USERNAME, PASSWORD, PRINTER NAME etc.

Along with the mentioned parameters, a browser timestamp (ts), an expiration date (exp) and a unique browser fingerprint (fingerprint) are added.

With a combination of those parameters it is possible to do fine-grained access control.

Time limited URL

The purpose of a time-limited URL is to enable sharing a web terminal URL link with someone through email, chat etc. with a usage time limit. The receiving side will be able to use the generated URL until the encrypted expiration timestamp becomes less than the server-side timestamp.

To generate such a URL, one can use our Tn5250 API inside the browser or use the PHP script we prepared in our GitHub repository.

// allow the next 24 hours from the current time
var exp = Date.now() + 24*60*60*1000;
// encrypt the login parameters together with the expiration timestamp
var params = Tn5250.Protector.encrypt({uuid: '0', host: 'DEMO', exp: exp});
// build the shareable web terminal URL for this origin
var url = Tn5250.Base.makeUrl(location.origin, params);
console.log(url);

NOTE: The host configuration for a shared URL link must have URL sharing prevention disabled.

Browser fingerprint

Some clients require very specific protection schemes, such as preventing workstation clients from sharing and exchanging web terminal encrypted URL links. To solve that problem, we use browser fingerprinting techniques.

Each browser has some set of unique values like browser version, agent string and other enabled features. We use those values to generate a numeric fingerprint value that is exchanged with the Green Screens Terminal Service.

When URL Sharing Prevention is enabled through the web admin console, the server will compare the client browser fingerprint with the fingerprint encrypted inside the URL address. If the fingerprints do not match, the connection to the web terminal will be denied.

We provide two options inside the server configuration to prevent URL sharing:

  • fingerprint security status: enables / disables browser fingerprint checking
  • fingerprint enforcing status: denies access from encrypted URLs without fingerprint data

The second option will completely disable URL sharing and will force workstation clients to use the login screen.

TIP: Create multiple host configurations. For example, one with enforced fingerprint checking to disable sharing, and one with non-enforced fingerprint checking. The second can be used to generate URLs with an expiration value of days or hours.
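The server-side decision described in the two sections above (expiration check, then the two fingerprint options), as an added illustration that is not Green Screens code: the parameter names exp and fingerprint come from the text, while the function, the hostConfig flag names and the sample values are assumptions.

```javascript
// Added illustration, not Green Screens code: how the exp and fingerprint
// parameters of an encrypted URL are evaluated against a host configuration.
// Assumed flag names: fingerprintCheck (fingerprint security status) and
// fingerprintEnforce (fingerprint enforcing status).
const HOUR = 60 * 60 * 1000;

// Mirror of the article's snippet: parameters for a link valid for `hours`.
function makeSharedParams(uuid, host, hours, now = Date.now()) {
  return { uuid, host, exp: now + hours * HOUR };
}

// Returns { allow, reason } for the decrypted URL parameters of one connection.
function checkUrlAccess(params, clientFingerprint, hostConfig, now = Date.now()) {
  // Time-limited URL: usable only while the server clock is before exp.
  if (params.exp !== undefined && now >= params.exp) {
    return { allow: false, reason: 'url expired' };
  }
  // Enforcing status: a URL without fingerprint data is refused, so the
  // workstation has to use the login screen instead.
  if (hostConfig.fingerprintEnforce && params.fingerprint === undefined) {
    return { allow: false, reason: 'fingerprint required, use login screen' };
  }
  // Security status: a fingerprint carried in the URL must match the browser.
  if (hostConfig.fingerprintCheck && params.fingerprint !== undefined &&
      params.fingerprint !== clientFingerprint) {
    return { allow: false, reason: 'fingerprint mismatch, url sharing denied' };
  }
  return { allow: true, reason: 'ok' };
}

// Constructed sample: the two host configurations from the TIP above.
const strictHost = { fingerprintCheck: true, fingerprintEnforce: true };
const sharingHost = { fingerprintCheck: true, fingerprintEnforce: false };
```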

IP filtering

The latest version of the Green Screens web administration contains a simple IP filter engine that allows access to the web terminal only from specified IP addresses.

Many clients have an additional requirement for access control that combines USERNAME with the IP address of the client computer and other login parameters. Usually, this is done with Telnet Exit Programs on the host machine.

As the Green Screens Terminal Service is a mediator between the browser and the host machine, standard Telnet Exit Programs that rely on client IP filtering won't work, because the visible IP address will be the address of the Green Screens Terminal Service, not the client computer. To solve that problem, we have introduced the terminal environment variable PROXYIP, which is set during the terminal handshake (connection initialization).

With the PROXYIP envvar it is possible to retrieve the client IP address inside a Telnet Exit Program. To see how to get the client IP from a Telnet Exit Program, please look at the template CL program below.

TIP: Creating Telnet Exit Programs requires extra care so as not to completely block telnet access. Use a DATAAREA status flag to tell the exit program when it is on or off. In case of problems, use for example a JT400-based app to update the DATAAREA with the off signal and disable the telnet exit program.

/*****************************************************************/
/* Copyright 2016. Green Screens Ltd.                            */
/*                                                               */
/*                  Telnet Exit CL program                       */
/*****************************************************************/
             PGM        PARM(&USRDI &DEVDI &CNNDI &ENVOPT &ENVLEN +
                             &ALWCNN &ALWASG)

/* PARAMETERS DECLARATIONS */
             DCL        VAR(&USRDI)  TYPE(*CHAR) LEN(1024)
             DCL        VAR(&DEVDI)  TYPE(*CHAR) LEN(1024)
             DCL        VAR(&CNNDI)  TYPE(*CHAR) LEN(1024)
             DCL        VAR(&ENVOPT) TYPE(*CHAR) LEN(1024)
             DCL        VAR(&ENVLEN) TYPE(*CHAR) LEN(4)
             DCL        VAR(&ALWCNN) TYPE(*CHAR) LEN(1)
             DCL        VAR(&ALWASG) TYPE(*CHAR) LEN(1)

/* CONSTANTS DECLARATIONS */
             DCL        VAR(&UVAR) TYPE(*CHAR) LEN(1) VALUE(X'03')
             DCL        VAR(&PROXYIP) TYPE(*CHAR) LEN(7) +
                        VALUE('PROXYIP')
             DCL        VAR(&DEVNAME) TYPE(*CHAR) LEN(7) +
                        VALUE('DEVNAME')

/* WORK VARIABLES */
             DCL        VAR(&CLIENTIP) TYPE(*CHAR) LEN(15) +
                        VALUE('               ')
             DCL        VAR(&DEVD) TYPE(*CHAR) LEN(10) +
                        VALUE('          ')
             DCL        VAR(&UNAME) TYPE(*CHAR) LEN(10)
             DCL        VAR(&NUM)  TYPE(*DEC)  LEN(4 0)
             DCL        VAR(&SPOS) TYPE(*UINT) LEN(2)
             DCL        VAR(&EPOS) TYPE(*UINT) LEN(2)
             DCL        VAR(&LEN)  TYPE(*UINT) LEN(2)

             CHGVAR     VAR(&NUM) VALUE(&ENVLEN)

             MONMSG     MSGID(CPF0000)

/* EXTRACT PROXYIP USERVAR */

             IF (&NUM > 23) DO

               CHGVAR VAR(&SPOS) VALUE(%SCAN(&ENVOPT &PROXYIP))
               CHGVAR VAR(&SPOS) VALUE(&SPOS + 8)
               CHGVAR VAR(&EPOS) VALUE(%SCAN(&ENVOPT &UVAR &SPOS))
               CHGVAR VAR(&LEN)  VALUE(&EPOS - &SPOS)

               IF (&LEN < 16) DO

                  CHGVAR VAR(&CLIENTIP) +
                  VALUE(%SST(&ENVOPT &SPOS &LEN))

               ENDDO

             ENDDO

/* EXTRACT DISPLAY NAME USERVAR */

             IF (&NUM > 18) DO

               CHGVAR VAR(&SPOS) VALUE(%SCAN(&ENVOPT &DEVNAME))
               CHGVAR VAR(&SPOS) VALUE(&SPOS + 8)
               CHGVAR VAR(&EPOS) VALUE(%SCAN(&ENVOPT &UVAR &SPOS))
               CHGVAR VAR(&LEN) VALUE(&EPOS - &SPOS)

               IF (&LEN < 11) DO

                  CHGVAR VAR(&DEVD) +
                  VALUE(%SST(&ENVOPT &SPOS &LEN))

               ENDDO

             ENDDO

/* EXTRACT USER NAME VALUE */

             CHGVAR     VAR(&UNAME) VALUE(%SST(&USRDI 5 10))

/* IF CLIENTIP IS NOT DEFINED - EXIT  */
             IF (&CLIENTIP *EQ '               ') GOTO DENY

/* DO FILTERING  */

        /* CALL EXTERNAL PROGRAM FOR IP FILTERING PASSING :   */
        /* &UNAME(in), &DEVD(in), &CLIENTIP(in), &ALWCNN(out) */

             GOTO END

/* PREVENT ACCESS  */
 DENY:       CHGVAR VAR(&ALWCNN) VALUE('0');
             GOTO END

/* EXIT PROGRAM  */
 END:        ENDPGM
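The filtering step the template above leaves to an external program, as an added illustration in JavaScript (Node.js) that is neither Green Screens code nor CL: it parses the ENVOPT buffer the way the CL %SCAN calls do, extracts PROXYIP and DEVNAME, and applies a hypothetical per-user IP allowlist guarded by the on/off flag from the TIP. It assumes ENVOPT carries Telnet NEW-ENVIRON user variables encoded as USERVAR (X'03') name, VALUE (X'01') value; the policy map and sample values are constructed.

```javascript
// Added illustration, not Green Screens code: the check that the template CL
// program leaves to an "external program", expressed in JavaScript (Node.js).
// Assumption: ENVOPT holds Telnet NEW-ENVIRON user variables encoded as
// USERVAR (0x03) name VALUE (0x01) value, which is what the CL %SCAN looks for.
const USERVAR = 0x03;
const VALUE = 0x01;

// Parse the environment-options buffer into a {name: value} object.
function parseEnvOpt(buf) {
  const vars = {};
  let i = 0;
  while (i < buf.length) {
    if (buf[i] !== USERVAR) { i += 1; continue; }
    const j = buf.indexOf(VALUE, i + 1);         // end of the variable name
    if (j < 0) break;
    let k = buf.indexOf(USERVAR, j + 1);         // next variable, or end of buffer
    if (k < 0) k = buf.length;
    vars[buf.slice(i + 1, j).toString('latin1')] = buf.slice(j + 1, k).toString('latin1');
    i = k;
  }
  return vars;
}

// Build a buffer in the same encoding (used here only to construct sample input).
function buildEnvOpt(vars) {
  const parts = [];
  for (const [name, value] of Object.entries(vars)) {
    parts.push(Buffer.from([USERVAR]), Buffer.from(name, 'latin1'),
               Buffer.from([VALUE]), Buffer.from(value, 'latin1'));
  }
  return Buffer.concat(parts);
}

// Hypothetical policy: map of user profile -> allowed client IPv4 addresses.
// `exitEnabled` plays the role of the DATAAREA on/off flag from the TIP above.
// Returns the ALWCNN value the exit program hands back: '1' allow, '0' deny.
function filterConnection(envopt, userName, policy, exitEnabled) {
  if (!exitEnabled) return '1';                  // switched off: never block telnet
  const vars = parseEnvOpt(envopt);
  const clientIp = vars.PROXYIP;
  // Same rule as the CL template: no usable PROXYIP -> DENY.
  if (!clientIp || !/^\d{1,3}(\.\d{1,3}){3}$/.test(clientIp)) return '0';
  const allowed = policy[userName.trim()] || [];
  return allowed.includes(clientIp) ? '1' : '0';
}

// Constructed sample handshake: what the terminal service would present.
const sampleEnvOpt = buildEnvOpt({ PROXYIP: '10.0.0.5', DEVNAME: 'DSP01' });
```

PROXYIP is a Telnet environment variable presented by the client side of the handshake, so this filter is only as trustworthy as the path to the host: it assumes the host's Telnet port is reachable only through the Green Screens Terminal Service.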

To install the program as a telnet exit point, use the example shown here:

/*****************************************************************/
/*  Installation program (CL)                                    */
/*****************************************************************/
             PGM
             CHGOBJOWN  OBJ(QGPL/TNEXCL) OBJTYPE(*PGM) NEWOWN(QSECOFR)
             RVKOBJAUT  OBJ(QGPL/TNEXCL) OBJTYPE(*PGM) USER(*ALL) +
                          AUT(*ALL)
             CHGPGM     PGM(TNEXCL) USRPRF(*OWNER)
             ADDEXITPGM EXITPNT(QIBM_QTG_DEVINIT) FORMAT(INIT0100) +
                          PGMNBR(1) PGM(QGPL/TNEXCL) TEXT('TN +
                          SERVER EXIT PROGRAM') REPLACE(*YES)
             ENDPGM