Security guidelines
Security guidelines to use Bob safely and responsibly on IBM i.
IBM Bob Premium Package for i is a tool that enhances IBM Bob with significant capabilities for code development and IBM i system interaction. With these capabilities comes the responsibility to use Bob securely. General security guidelines for IBM Bob are available at the IBM Bob Security Guidance page.
IBM i specific security considerations
The items below are additional security considerations specific to the IBM Bob Premium Package for i.
IBM i access and usage
- IBM i communication: IBM Bob Premium Package for i strictly uses Code for IBM i to communicate with the IBM i over SSH. Ensure this is configured securely to allow Bob to connect to your IBM i safely.
- Multi-factor authentication: Multi-factor authentication is supported and recommended where applicable in Code for IBM i as described here.
- User profile usage: IBM Bob Premium Package for i interacts with the IBM i via the user profile of the active connection made via Code for IBM i. When Bob creates new objects on the IBM i, ensure the parent location is secure and proper permissions are set. In addition, ensure the user profile used has the least privileges necessary — any operation the user profile is permitted to perform on the IBM i, Bob will also be able to perform.
- Activity tracking: IBM Bob Premium Package for i sets the CLIENT_APPLNAME special register for SQL jobs it uses to a value identifying the extension and its dependencies (e.g. 1.109.5+IBM.bob-code 2.0.0 | code-for-ibmi 3.0.10). This value can be used to track and audit activity originating from Bob on your IBM i.
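
One way to act on the activity-tracking and least-privilege points above, shown as an added example that is not part of IBM's documentation. It assumes the IBM i services QSYS2.ACTIVE_JOB_INFO and QSYS2.USER_INFO are available at your release level with the columns used here, and that the marker string 'bob-code' (taken from the sample value on this page) matches what your installed version reports.

```sql
-- Added example: list active jobs whose CLIENT_APPLNAME identifies Bob and
-- show the special authorities of the user profile each job is running under.
-- Assumption: 'bob-code' comes from the sample register value on this page;
-- adjust the filter if your version reports a different string.
SELECT j.JOB_NAME,
       j.AUTHORIZATION_NAME AS RUNNING_AS,
       j.CLIENT_APPLNAME,
       j.CLIENT_IP_ADDRESS,
       u.USER_CLASS_NAME,
       u.SPECIAL_AUTHORITIES,
       -- Flag profiles that can do far more than a development session needs.
       -- Authorities inherited from group profiles are not covered by this check.
       CASE
         WHEN u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
           OR u.SPECIAL_AUTHORITIES LIKE '%*SECADM%'
         THEN 'REVIEW: broad special authority'
         ELSE 'OK'
       END AS LEAST_PRIVILEGE_CHECK
  FROM TABLE(QSYS2.ACTIVE_JOB_INFO(DETAILED_INFO => 'ALL')) AS j
  LEFT JOIN QSYS2.USER_INFO AS u
    ON u.AUTHORIZATION_NAME = j.AUTHORIZATION_NAME
 WHERE UPPER(j.CLIENT_APPLNAME) LIKE '%BOB-CODE%'
 ORDER BY j.AUTHORIZATION_NAME, j.JOB_NAME;
```

The query only sees jobs that are active when it runs, and USER_INFO returns details only for profiles the querying user is authorized to view, so run it under an administrator profile and on a schedule if you want a history.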
Extension installation and usage
- Prerequisite extensions: IBM Bob Premium Package for i depends on several open source IBM i extensions. Ensure these extensions are always kept up to date. This can be achieved easily by enabling Auto Update from the Extensions view.
- Install trusted extensions only: In Bob, you have the ability to install any extension from the Extensions view. However, when installing extensions, only install extensions that are trusted. Otherwise, the integrity of the environment could be compromised.
- Code for IBM i
  - Temporary library access: Code for IBM i requires the use of a temporary library to store temporary objects. By default it is set to ILEDITOR and is shared with other users. You can strengthen security by specifying your own individual temporary library and excluding access by all other users as described here.
  - Temporary IFS directory: Code for IBM i requires the use of a temporary IFS directory to store temporary stream files. By default it is set to ~/.vscode/tmp in your home folder. If the folder is changed, ensure permissions are set so that only you have access.
  - IFS system configuration files: Code for IBM i supports the use of system-wide settings that can be configured once in the IFS, in a fixed location, and then applied to all users that connect to that system using Bob. This is useful for setting up a consistent environment across multiple users or teams. These configuration files are stored under /etc/vscode/ in the IFS. Always ensure the configuration is valid and permissions are set accordingly so only appropriate users can edit them.
- IBM i Testing
  - RPGUnit installation: The use of the IBM i Testing extension requires RPGUnit to be installed on the IBM i. This is completely optional and only required in order to leverage the unit testing tools, skills, and workflows. To streamline this installation process, the extension offers the ability to install the RPGUnit test library on your IBM i as described here. By default, it will be installed into the RPGUNIT library. You can strengthen security by having your own individual RPGUnit library with sole access and all other users excluded.
  - RPGUnit permissions: By default, public access to the RPGUNIT library is *CHANGE. Regardless of whether the library is installed via the extension or manually, ensure that access to the library is configured properly so that developers have read access to it and only system administrators are able to update it.