AS/400 Security
All you want to know about:
Exit Programs
Jim Stracka
PentaSafe
Outline
 Exit Program Overview
Why do I need exit-programs?
What is purpose of exit-programs?
If exit-programs don’t exit, why
are they called exit programs?
 Sample exit program
 Limit file transfer and commands
 Design Alternatives
2
Security Has Changed
1980s
Today
PC Users
PC
Remote
Systems
Internet
OK Menu
Security
Menu
Security
Menu security worked when
users had no other access
E-Commerce
Menu security ineffective
for today’s environment
3
Other Access Data
Remote
Systems
DDM (Distributed Data
Management)
 File Transfer
 Remote Commands
FTP
 File Transfer
 Remote Commands
Exit
Program
Shared Folders
Internet
Exit Programs
can restrict
requests
FTP
 File Transfer
 Remote Commands
 Telnet
 IFS (Integrated File
System)
4
PC Access Data




Menu
Security
Work Station
Messages
PC
Printer Support
Shared Folders
& Documents
 Remote Commands
 File Transfer
Exit
 API - Data Queue
Program
 API - ODBC
 IFS (Integrated
File System)
Exit Programs
can control PC
requests
5
Why Exit Programs
Can object security be
used to protect data?
YES AS/400 security
can lock up data.
HOWEVER
Security design often
makes security protection
ineffective make security
ineffective
6
Why Exit Programs
What security designs make
object security ineffective?
Group
Profile Owns
Objects
Excessive
Public
Authority
Excessive
Special
Authority
*PUBLIC
Production
Owner
*ALL
Group
Profile
SPCAUT
*ALLOBJ
End End End
UserUser User
Need to provide
additional protection
7
Why Exit Programs
Users are authorized to data because of
existing applications
Need exists to prevent the user from
using their access outside of applications
Need to provide
additional protection
EXIT PROGRAMS provide additional
protection for application data
8
What are Exit Programs
Exit
Program
Exit programs are installation provided
programs used to supplement security
Actions often performed in exit programs:
 Monitor user activity
 Modify user requests
Assign user profile to anonymous sign-on
 Review request to determine if
request meets installation rules
 Reject requests that do not
meet installation rules
The purpose of exit programs is not to exit
9
Request Processing
If these programs don’t exit, why are
they called “Exit Programs”?
Programs are called exit programs because
the system (OS/400) exits to a user
program in the middle of a request
Exit
Program
AS/400
Server
Exit
Program
1. Another system generates a request
2. Server called to process request
3. Server calls “exit program” to validate request
4. Server rejects or processes the request
10
Request Processing
AS/400
Server
AS/400
Server
2
1
User Exit
Program
PARAMETERS
4
3
 Server calls user exit program with parameters
 Exit program analyzes the parameters
 Exit program sets return code
 Server rejects or performs the request
based on exit program return code
11
Specifying Exit Programs
How are exit programs specified?
There are two methods to name the exit programs
Network Attributes
DDMACC
PCSMACC
 Limited number of
request types
- Distributed Data Management
- PC support (Client Access)
 One exit program per
network attribute
Registration
Facility
 Multiple request types
-Distributed data
-Client Access
-Integrated File System
-Internet (FTP, Telnet)
-Security
- ...
 Multiple exits specific
to function
12
Specifying Exit Programs
CHGNETA
DDMACC(lib/pgm)
DDMACC
*OBJAUT - Request access
determined by
object authority
*REJECT - Prevent all
requests
Lib/Pgm - Qualified name
of exit program
Network
Attributes
PCSACC(lib/pgm)
PCSACC
*OBJAUT - Request access
determined by
object authority
*REJECT - Prevent all
requests
*REGFAC - Use registration
facility
Lib/Pgm - Qualified name
of exit program
Must have *ALLOBJ special authority to change the network attributes
13
Specifying Exit Programs
Registration
Facility
WRKREGINF
Work with Registration Information
Type options, press Enter.
5=Display exit point
8=Work with exit programs
Opt
_
_
_8
_
_
_
_
_
_
_
_
Exit
Point
QIBM_QHQ_DTAQ
QIBM_QJO_DLT_JRNRCV
QIBM_QLZP_LICENSE
QIBM_QMF_MESSAGE
QIBM_QNPS_ENTRY
QIBM_QNPS_SPLF
QIBM_QOE_OV_USR_ADM
QIBM_QOE_OV_USR_SND
QIBM_QOK_NOTIFY
QIBM_QOK_SUPPLIER
QIBM_QOK_VERIFY
Command
===>
F3=Exit
F4=Prompt
Exit
Point
Format
DTAQ0100
DRCV0100
LICM0100
MESS0100
ENTR0100
SPLF0100
UADM0100
DOCI0900
VRFY0100
SUPL0100
VRFY0100
F9=Retrieve
Registered
*YES
*YES
*YES
*YES
*YES
*YES
*YES
*YES
*YES
*YES
*YES
F12=Cancel
Text
Original Data Queue Server
Delete Journal Receiver
Original License Mgmt Server
Original Message Server
Network Print Server - entry
Network Print Server - spool
OfficeVision/400 Administrati
OfficeVision/400 Mail Send Ex
System Directory Notify Exit
System Directory Supplier Exi
System Directory Verify Exit
More...
14
Specifying Exit Programs
Exit point:
Work with Exit Programs
QIBM_QLZP_LICENSE
Format:
Type options, press Enter
1=Add
4=Remove
5=Display
Opt
_
1
Exit
Program
Number
LICM0100
When a request
arrives PROG1
will be called
10=Replace
Exit
Program
___________
PROG1
Registration
Facility
Library
___________
MYLIB
(No exit programs found.)
Bottom
Command
===>
F3=Exit
F4=Prompt
F5=Refresh
F9=Retrieve
F12=Cancel
15
Exit Points
What exit points are used
for a specific request?
No good
documentation
available
What are the parameters
passed to an exit?
Exit points are documented in the following publications
Client Access (File transfer, ODBC)
AS/400 Client Access Host Servers
SC41-5740
Distributed Data Management (DDM, remote commands)
AS/400 Distributed Data Management
SC41-5307
Internet (Telnet, FTP)
TCP/IP Configuration and Reference
SC41-5420
Security
System API Reference Security APIs
SC41-5872
16
Outline
 Exit Program Overview
Why do I need exit-programs?
What is purpose of exit-programs?
If exit-programs don’t exit, why
are they called exit programs?
 Sample exit program
 Limit file transfer and commands
 Design Alternatives
17
Exit Programs
CALL EXIT (RTNCDE STRUCTURE)
'0' NO
'1' OK
Field
User profile name
Application name
Function
Object name
Library name
Object type
Format name
Variable data length
Variable data
Format Size
Char
10
Char
10
Char
10
Char
10
Char
10
Char
7
Char
10
Zoned
5, 0
Char
*
 AS/400 Distributed Data Management SC41-5307
 Client Access Server Concepts
SC41-5740
18
Operation code by Function
Applic
ation
function / operation
*LMSR
license management
REQUEST RELEASE
*VPRT
virtual print
EXTRACT CHECK
OPEN
*TFRFCL file transfer
SELECT
JOIN
REPLACE
EXTRACT AS/400 -> PC
retrieve information
SELECT
AS/400 -> PC
download file
JOIN
AS/400 -> PC
download joined file
REPLACE PC --> AS/400
UPLOAD file
19
Operation code by Function
Applic
function / operation
ation
*FLRSRV shared folders type 2
CHANGE
CREATE
DELETE
EXTRACT MOVE
OPEN
RENAME
*MSGFCL messages
SEND
RECEIVE
*DDM
distributed data management
ADDMBR
DELETE
RENAME
CHANGE
EXTRACT
RGZMBR
CHGMBR
INITIALIZE RMVMBR
Submit
CLEAR
LOAD
RNMMBR
Remote
COMMAND
Command
COPY
MOVE
LOCK
CREATE
OPEN
UNLOAD
20
Prevent Remote Commands
1. Create CL program
CRTCLPGM STOPCMDS SRCFILE( )
PGM
PARM(&RTNCODE &DATA)
DCL
&DATA
*CHAR 30
DCL
&RTNCODE *CHAR 1
DCL
&FUNC
*CHAR 10
CHGVAR &FUNC (%SST(&DATA 21 10))
IF (&FUNC = 'COMMAND ') +
THEN( CHGVAR &RTNCODE '0')
ELSE CHGVAR &RTNCODE '1'
ENDPGM
2. Change network attributes
CHGNETA DDMACC(STOPCMDS)
21
Exit Program Example
2 of 2
Prevent Remote Commands and File Upload
MONMSG
CPF0000 EXE(GOTO EXIT)
/*If error exit*/
CHGVAR
&RC
'1'
/*Allow request*/
CHGVAR
&USER
%SST(&STRU 1 10) /*Get user
*/
CHGVAR
&APP1
%SST(&STRU 11 10) /*Get appl
*/
CHGVAR
&APP2
%SST(&STRU 21 10) /*Get function */
/*Do not log IBM request to check license */
IF (&APP1 =
'*LMSRV') GOTO EXIT
IF &USER = 'XXXXXXXXX') GOTO LOG
/* Prevent use of remote commands
*/
IF (&APP1 = '*DDM' *AND &APP2 = 'COMMAND') +
CHGVAR
&RC '0'
/* Prevent the request */
ELSE /* Prevent file upload from PC users
*/
/* File download to PC is not prevented
*/
IF
(&APP1 = '*TFRFCTL' *AND &APP2 = 'REPLACE') +
CHGVAR
&RC '0'
/* Prevent the request */
/* Log request in the audit journal
*/
LOG:CHGVAR &TYPE ( 'X' *CAT &RC)
SNDJRNE QAUDJRN TYPE(&TYPE) &ENTDTA(&STRU)
EXIT:ENDPGM
Good Way to Monitor Use
23
Exit Program Usage
The Exit Point Will Depend Upon the
Operating Client Operating System
File transfer from
Operating Inter
API
ODBC
System
active
DOS
EXIT1
EXIT1
N/A
Win
EXIT1
EXIT1 EXIT2
3.1
Win
EXIT2
EXIT2 EXIT2
95/98/NT
Description
EXIT1 = Original File Transfer
EXIT2 = Data Base Server
Exit Point
QIBM_QTF_TRANSFER
QIBM_QZDA_NDB1
24
Exit Program Usage
Two programs are required because
parameters are different
Original File
Transfer
EXIT1
Windows 95 and
NT File Transfer
EXIT2
Difficult to determine if
request was upload or
download
25
Outline
 Exit Program Overview
Why do I need exit-programs?
What is purpose of exit-programs?
If exit-programs don’t exit, why
are they called exit programs?
 Sample exit program
 Limit file transfer and commands
 Design Alternatives
32
Exit Design Alternative
Compare to
constant
IF (&USER = ’ELLEN ’)
Constant
Advantages
• Excellent performance
• Easy to determine program
flow
Limitations
• Must recompile program to
make any change
• Security specification uses a
different technique
33
Exit Design Alternative
Read from File
Exit
Program
Read
Advantages
• Good performance
• Add and remove users without
recompiling program
Limitations
• Program logic more complex
• Security specification uses a
different technique
34
Exit Design Alternative
Authorization
list users
Exit
Program
Authorization
List
CHKOBJ
List of
Users
Advantages
• Good performance
• Add and remove users without
recompiling program
• Security specification uses a
same technique
Limitations
• Program logic more complex
35
Check an Authorization List
Exit
Program
Authorization
List
CHKOBJ
List of
Users
IF COND(………………. ) THEN(DO)
CHKOBJ OBJ(QSYS/FILEREAD) +
OBJTYPE(*AUTL) AUT(*USE)
MONMSG MSGID(CPF9800) +
EXEC(CHGVAR &RC '0')
GOTO
LOG
ENDDO
Possible to check for different authorities
*USE
for Read actions
*CHANGE for Update actions
36
File Transfer Transactions
1. Request transfer
Shows user library list
2. Select Library WOE
Shows files in library
3. Select file SOURCE
Shows member list
4. Specify add member SECOFR
during the data transfer
Performs copy
*...+....1....+....2....+....3....+....4....+....5....
WOE
*SQL
ZDAI0100
WOE
*RTVOBJINFZDAR0100X'1800'
*USRLIBL
1
WOE
*SQLSRV
ZDAQ0200X'180C'
2
WOE
*RTVOBJINFZDAR0100X'1805'
WOE
WOE
*NDB
ZDAD0100X'1802'
SOURCE
WOE
*NDB
ZDAD0100X'1805'
SOURCE
3
WOE
*RTVOBJINFZDAR0100X'1804'
WOE
WOE
*SQLSRV
ZDAQ0200X'1803'
WOE
*SQLSRV
ZDAQ0200X'1800'
WOE
*SQLSRV
ZDAQ0200X'1805'
4
WOE
*NDB
ZDAD0100X'1806'
SOURCE
37
38
SUMMARY
Menu security is not
adequate to limit a user.
You must protect data
from access via the other
Client Access servers:
• FILE TRANSFER
• REMOTE COMMANDS
• FOLDER ACCESS
Use exit programs to
supplement object security
39
Summary
Specifying exit program
using network attributes
is not recommended
 Increase overhead
 Network attributes a
limited set of exits
Use Registration Facility to
specify exit programs
40
Information Sources
Exit Point Documentation
 Client Access (File transfer, ODBC)
AS/400 Client Access Host Servers
 Distributed Data Management
(DDM, remote commands)
AS/400 Distributed Data Management
 Internet (Telnet, FTP)
TCP/IP Configuration and Reference
 Security
System API Reference Security APIs
SC41-5740
SC41-5307
SC41-5420
SC41-5872
41
Information Sources
MANUALS
SC41-5300 Tips and Tools for
Securing Your AS/400
SC41-5301 AS/400 Security Basic
SC41-5302 AS/400 Security Reference
Internet
S325-6321 IBM Secure Way AS/400 and
the Internet
G325-6321 AS/400 and the Internet
SG24-4929
AS/400 Internet Security:
Protecting Your AS/400 from HARM on the Internet
42
More ? ?
Jim Stracka
j.stracka@pentasafe.com
www.pentasafe.com
713-860-9412 - direct
43