Web terminal access control

The latest Green Screens Web Terminal version contains many new security features, from an included IP filtering engine and enhanced JavaScript Tn5250 API security to better control over encrypted web terminal URLs.

Some of the interesting features we will write about today are:

  • creation of time-limited connection URLs for sharing
  • enforcing a browser fingerprint to prevent URL sharing
  • IP filtering

Anyone who has already used our web terminal knows that the web terminal URL contains encrypted login parameters, which can include UUID, HOST and other optional parameters such as USERNAME, PASSWORD, PRINTER NAME etc.

Alongside the parameters mentioned, a browser timestamp (ts), an expiration date (exp) and a unique browser fingerprint (fingerprint) are added.

With the combination of those parameters, it is possible to do fine-grained access control.

Time-limited URL

The purpose of a time-limited URL is to enable sharing of the web terminal URL link with someone through email, chat etc. with a limit on how long it can be used. The receiving side can use the generated URL until the encrypted expiration timestamp becomes less than the server-side timestamp.

To generate such a URL, one can use our Tn5250 API inside the browser or use the PHP script we prepared on our GitHub repository.

// allow next 24hr from current time
var exp = Date.now() + 24*60*60*1000;
// encrypt the login parameters together with the expiration timestamp
var params = Tn5250.Protector.encrypt({uuid:'0', host:'DEMO', exp: exp });
// build the shareable URL on the current origin
var url = Tn5250.Base.makeUrl(location.origin, params);
console.log(url);

NOTE: The host configuration used for the shared URL link must have URL sharing prevention disabled.

Browser fingerprint

Some clients require very specific protection schemes, such as preventing workstation clients from sharing and exchanging encrypted web terminal URL links. To solve that problem, we use browser fingerprinting techniques.

Each browser has a set of characteristic values such as browser version, user agent string and other enabled features. We use those values to generate a numeric fingerprint value that is exchanged with the Green Screens Terminal Service.

When URL Sharing Prevention is enabled through the web admin console, the server compares the client browser's fingerprint with the fingerprint encrypted inside the URL. If the fingerprints do not match, the connection to the web terminal is denied.

We provide two options inside server configuration to prevent URL sharing:

  • fingerprint security status to enable / disable browser fingerprint checking
  • fingerprint enforcing status to disable access from encrypted URLs without fingerprint data

The second option completely disables URL sharing and forces the workstation client to use the login screen.

TIP: Create multiple host configurations. For example, one with enforced fingerprint checking to disable sharing, and one with non-enforced fingerprint checking. The second can be used to generate URLs with an expiration value of days or hours.
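As an added illustration (not the Tn5250 API or the Green Screens server code), the access decision described above written as a pure function: the expiration check from the time-limited URL section, the two host-configuration flags (fingerprint security status and fingerprint enforcing status), and the two host configurations suggested in the TIP. The parameter names, the `checkAccess` function and the host names are assumptions for this example.

```javascript
// Added example, not Green Screens code. Inputs are assumed: the decrypted
// URL parameters ({ exp, fingerprint, ... }), the fingerprint the connecting
// browser reports, the server clock, and the host configuration flags
// { fingerprintCheck, fingerprintEnforce }. Returns the allow/deny decision.
function checkAccess(urlParams, browserFingerprint, serverNow, hostConfig) {
  // Time-limited URL: usable until the encrypted exp falls behind server time.
  if (urlParams.exp !== undefined && urlParams.exp < serverNow) {
    return { allow: false, reason: 'url expired' };
  }
  // Enforcing status: encrypted URLs without fingerprint data are refused,
  // which disables sharing entirely and pushes the client to the login screen.
  if (hostConfig.fingerprintEnforce && urlParams.fingerprint === undefined) {
    return { allow: false, reason: 'fingerprint required, use login screen' };
  }
  // Security status: when checking is on and the URL carries a fingerprint,
  // it must match the browser that presents the URL.
  if (hostConfig.fingerprintCheck && urlParams.fingerprint !== undefined &&
      urlParams.fingerprint !== browserFingerprint) {
    return { allow: false, reason: 'fingerprint mismatch' };
  }
  return { allow: true, reason: 'ok' };
}

// Constructed host configurations following the TIP: one locked down for
// workstation clients, one that may issue time-limited links for sharing
// (sharing prevention disabled, as the NOTE in the time-limited URL section requires).
const HOSTS = {
  WORKST: { fingerprintCheck: true,  fingerprintEnforce: true  },
  SHARE:  { fingerprintCheck: false, fingerprintEnforce: false },
};

// Parameter set for a shared link, as in the time-limited URL snippet but
// without the encryption step (Tn5250.Protector.encrypt is not modelled here).
function sharedLinkParams(host, hours, now) {
  return { uuid: '0', host, exp: now + hours * 60 * 60 * 1000 };
}
```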

IP filtering

The latest version of the Green Screens web administration contains a simple IP filter engine that allows access to the web terminal only from specified IP addresses.

Many clients have an additional access control requirement that combines USERNAME with the IP address of the client computer and other login parameters. Usually, this is done with Telnet Exit Programs on the host machine or with the QDCRDEVD API.

As the Green Screens Terminal Service is a mediator between the browser and the host machine, standard Telnet Exit Programs that rely on client IP filtering won't work, because the visible IP address will be that of the Green Screens Terminal Service, not the client computer. To solve that problem, we have introduced the terminal environment variable PROXYIP, which is set during the terminal handshake (connection initialization).

With the PROXYIP envvar it is possible to retrieve the client IP address inside a Telnet Exit Program. To see how to get the client IP from a Telnet Exit Program, look at the template CL program below.

TIP: The extracted client IP can be set into a job environment variable for use by other programs.

TIP: Creating Telnet Exit programs requires extra care so that telnet access is not blocked completely. Use a DATAAREA status flag to tell the exit program when it is on or off. In case of problems, use for example a temporary scheduled job that turns the flag off every 5 min, or use a JT400-based app to update the DATAAREA with an off signal to disable the telnet exit program. JT400 will use a different port for DDM to access the system.

/*****************************************************************/
/* Copyright 2016. Green Screens Ltd.                            */
/*                                                               */
/*                  Telnet Exit CL program                       */
/*     Exit point QIBM_QTG_DEVINIT, format INIT0100 parameters   */
/*****************************************************************/
             PGM        PARM(&USRDI &DEVDI &CNNDI &ENVOPT &ENVLEN +
                             &ALWCNN &ALWASG)

/* PARAMETERS DECLARATIONS */
             DCL        VAR(&USRDI)  TYPE(*CHAR) LEN(1024)
             DCL        VAR(&DEVDI)  TYPE(*CHAR) LEN(1024)
             DCL        VAR(&CNNDI)  TYPE(*CHAR) LEN(1024)
             DCL        VAR(&ENVOPT) TYPE(*CHAR) LEN(1024)
             DCL        VAR(&ENVLEN) TYPE(*CHAR) LEN(4)   /* BINARY(4)   */
             DCL        VAR(&ALWCNN) TYPE(*CHAR) LEN(1)   /* OUT '1'/'0' */
             DCL        VAR(&ALWASG) TYPE(*CHAR) LEN(1)

/* CONSTANTS DECLARATIONS */
/* X'03' IS THE TELNET NEW-ENVIRON USERVAR CODE THAT SEPARATES OPTIONS */
             DCL        VAR(&UVAR) TYPE(*CHAR) LEN(1) VALUE(X'03')
             DCL        VAR(&PROXYIP) TYPE(*CHAR) LEN(7) +
                        VALUE('PROXYIP')
             DCL        VAR(&DEVNAME) TYPE(*CHAR) LEN(7) +
                        VALUE('DEVNAME')

/* WORK VARIABLES */
             DCL        VAR(&CLIENTIP) TYPE(*CHAR) LEN(15) +
                        VALUE('               ')
             DCL        VAR(&DEVD) TYPE(*CHAR) LEN(10) +
                        VALUE('          ')
             DCL        VAR(&UNAME) TYPE(*CHAR) LEN(10)
             DCL        VAR(&NUM)  TYPE(*DEC)  LEN(4 0)
/* SIGNED, SO A NOT-FOUND RESULT OF %SCAN CAN BE HELD AND TESTED */
             DCL        VAR(&SPOS) TYPE(*INT) LEN(4)
             DCL        VAR(&EPOS) TYPE(*INT) LEN(4)
             DCL        VAR(&LEN)  TYPE(*INT) LEN(4)

/* PROGRAM-LEVEL MONITOR (MUST DIRECTLY FOLLOW THE DECLARES):        */
/* ON AN UNEXPECTED ERROR EXECUTION CONTINUES, &CLIENTIP STAYS BLANK */
/* AND THE CONNECTION IS DENIED BELOW                                */
             MONMSG     MSGID(CPF0000)

/* &ENVLEN IS BINARY(4): CONVERT IT WITH %BIN, NOT BY PLAIN ASSIGNMENT */
             CHGVAR     VAR(&NUM) VALUE(%BIN(&ENVLEN))

/* EXTRACT PROXYIP USERVAR (%SCAN TAKES THE SEARCH ARGUMENT FIRST) */

             IF (&NUM > 23) DO

               CHGVAR VAR(&SPOS) VALUE(%SCAN(&PROXYIP &ENVOPT))

               /* NOT FOUND: &CLIENTIP STAYS BLANK AND ACCESS IS DENIED */
               IF (&SPOS > 0) DO

                 /* SKIP THE NAME (7 BYTES) AND THE X'01' VALUE CODE */
                 CHGVAR VAR(&SPOS) VALUE(&SPOS + 8)
                 CHGVAR VAR(&EPOS) VALUE(%SCAN(&UVAR &ENVOPT &SPOS))
                 /* NO FOLLOWING USERVAR: VALUE RUNS TO END OF OPTIONS */
                 IF (&EPOS < 1) THEN(CHGVAR VAR(&EPOS) VALUE(&NUM + 1))
                 CHGVAR VAR(&LEN)  VALUE(&EPOS - &SPOS)

                 IF (&LEN > 0 *AND &LEN < 16) DO

                    CHGVAR VAR(&CLIENTIP) +
                    VALUE(%SST(&ENVOPT &SPOS &LEN))

                 ENDDO

               ENDDO

             ENDDO

/* SET EXTRACTED CLIENTIP INTO *JOB ENVVAR FOR USE BY ANOTHER PROGRAM */
/* (ADDENVVAR WITH REPLACE(*YES) ALSO WORKS WHEN THE VARIABLE DOES    */
/* NOT EXIST YET, WHERE CHGENVVAR WOULD FAIL)                         */
             ADDENVVAR  ENVVAR(CLIENTIP) VALUE(&CLIENTIP) LEVEL(*JOB) +
                          REPLACE(*YES)

/* EXTRACT DISPLAY NAME USERVAR */

             IF (&NUM > 18) DO

               CHGVAR VAR(&SPOS) VALUE(%SCAN(&DEVNAME &ENVOPT))

               IF (&SPOS > 0) DO

                 CHGVAR VAR(&SPOS) VALUE(&SPOS + 8)
                 CHGVAR VAR(&EPOS) VALUE(%SCAN(&UVAR &ENVOPT &SPOS))
                 IF (&EPOS < 1) THEN(CHGVAR VAR(&EPOS) VALUE(&NUM + 1))
                 CHGVAR VAR(&LEN) VALUE(&EPOS - &SPOS)

                 IF (&LEN > 0 *AND &LEN < 11) DO

                    CHGVAR VAR(&DEVD) +
                    VALUE(%SST(&ENVOPT &SPOS &LEN))

                 ENDDO

               ENDDO

             ENDDO

/* EXTRACT USER NAME VALUE */

             CHGVAR     VAR(&UNAME) VALUE(%SST(&USRDI 5 10))

/* IF CLIENTIP IS NOT DEFINED - FAIL CLOSED AND EXIT  */
             IF (&CLIENTIP *EQ '               ') GOTO DENY

/* DO FILTERING  */

        /* CALL EXTERNAL PROGRAM FOR IP FILTERING PASSING :   */
        /* &UNAME(in), &DEVD(in), &CLIENTIP(in), &ALWCNN(out) */

             GOTO END

/* PREVENT ACCESS  */
 DENY:       CHGVAR     VAR(&ALWCNN) VALUE('0')
             GOTO END

/* EXIT PROGRAM  */
 END:        ENDPGM
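As an added example (not Green Screens or IBM code), the same work the CL template does on &ENVOPT, written as a small parser of the Telnet NEW-ENVIRON option bytes the exit program receives, plus the USERNAME-with-IP rule the template leaves to an external program. The option codes are from RFC 1572 (VAR=0, VALUE=1, ESC=2, USERVAR=3; X'03' is the separator the CL scans for); the option bytes, the allow-list and the function names are constructed for this example, and character encoding is left as plain character codes rather than the host's EBCDIC.

```javascript
// Added example, not Green Screens or IBM code. RFC 1572 NEW-ENVIRON codes.
const VAR = 0, VALUE = 1, ESC = 2, USERVAR = 3;

// Parse the option bytes into { vars: {...}, uservars: {...} }, honouring
// ESC so a value may contain a byte equal to one of the codes.
function parseEnvOptions(bytes) {
  const out = { vars: {}, uservars: {} };
  let i = 0;
  while (i < bytes.length) {
    const kind = bytes[i++];
    if (kind !== VAR && kind !== USERVAR) throw new Error(`bad code ${kind} at ${i - 1}`);
    let name = '', value = '', inValue = false;
    while (i < bytes.length && bytes[i] !== VAR && bytes[i] !== USERVAR) {
      let b = bytes[i++];
      if (b === VALUE) { inValue = true; continue; }   // name/value split
      if (b === ESC) b = bytes[i++];                   // escaped literal byte
      if (inValue) value += String.fromCharCode(b); else name += String.fromCharCode(b);
    }
    (kind === VAR ? out.vars : out.uservars)[name] = value;
  }
  return out;
}

// Decide &ALWCNN ('1' allow, '0' deny). Like the CL template it fails closed
// when PROXYIP is missing or too long; the allow-list is the constructed
// stand-in for the external filtering program (user -> permitted client IPs).
function allowConnection(envBytes, user, allowList) {
  const { uservars } = parseEnvOptions(envBytes);
  const clientIp = uservars.PROXYIP;
  if (!clientIp || clientIp.length > 15) return '0';
  const ips = allowList[user] || [];
  return ips.includes(clientIp) ? '1' : '0';
}

// Build option bytes the way a client encodes them (escaping code bytes).
function buildEnvOptions(vars, uservars) {
  const esc = s => [...s].flatMap(c => { const b = c.charCodeAt(0); return b <= 3 ? [ESC, b] : [b]; });
  const enc = (code, obj) => Object.entries(obj).flatMap(([n, v]) => [code, ...esc(n), VALUE, ...esc(v)]);
  return Uint8Array.from([...enc(VAR, vars), ...enc(USERVAR, uservars)]);
}

// Constructed sample: what a Green Screens session might hand to the exit.
const SAMPLE = buildEnvOptions({ USER: 'ALICE' },
  { DEVNAME: 'GSDEV01', PROXYIP: '10.1.2.3', KBDTYPE: 'USB' });
const POLICY = { ALICE: ['10.1.2.3'] };   // constructed allow-list
```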

To install the program as a telnet exit point, use the example shown here:

/*****************************************************************/
/*  Installation program (CL)                                    */
/*****************************************************************/
             PGM
/* OWN THE EXIT PROGRAM BY QSECOFR AND REVOKE ALL OTHER AUTHORITY */
             CHGOBJOWN  OBJ(QGPL/TNEXCL) OBJTYPE(*PGM) NEWOWN(QSECOFR)
             RVKOBJAUT  OBJ(QGPL/TNEXCL) OBJTYPE(*PGM) USER(*ALL) +
                          AUT(*ALL)
/* RUN THE EXIT PROGRAM WITH THE OWNER'S ADOPTED AUTHORITY */
             CHGPGM     PGM(QGPL/TNEXCL) USRPRF(*OWNER)
/* REGISTER IT AT THE TELNET DEVICE INITIALIZATION EXIT POINT */
             ADDEXITPGM EXITPNT(QIBM_QTG_DEVINIT) FORMAT(INIT0100) +
                          PGMNBR(1) PGM(QGPL/TNEXCL) TEXT('TN +
                          SERVER EXIT PROGRAM') REPLACE(*YES)
/* THE TELNET SERVER MUST BE ENDED AND RESTARTED (ENDTCPSVR AND */
/* STRTCPSVR SERVER(*TELNET)) BEFORE THE EXIT PROGRAM IS CALLED  */
             ENDPGM