AS/400 Security All you want to know about: Jim Stracka PentaSafe Exit Programs

Uploaded by lynn-shelton, posted 23-Dec-2015


Page 1: AS/400 Security All you want to know about: Jim Stracka PentaSafe Exit Programs

AS/400 Security
All you want to know about: Exit Programs

Jim Stracka
PentaSafe

Page 2 (slide 2)

Outline

• Exit Program Overview
  • Why do I need exit programs?
  • What is the purpose of exit programs?
  • If exit programs don't exit, why are they called exit programs?
• Sample exit program: limit file transfer and commands
• Design Alternatives

Page 3 (slide 3)

Security Has Changed

1980s: fixed-function displays; menu security was OK.
Menu security worked when users had no other access.

Today: PC users, remote systems, Internet, e-commerce.
Menu security is ineffective for today's environment.

[Diagram: menu security sits between the AS/400 and fixed-function displays; PC, remote-system and Internet access reach the data without passing through the menu]

Page 4 (slide 4)

Other Access to Data

Remote systems
• DDM (Distributed Data Management): file transfer, remote commands
• FTP: file transfer, remote commands
• Shared folders

Internet
• FTP: file transfer, remote commands
• Telnet
• IFS (Integrated File System)

Exit programs can restrict these requests.

Page 5 (slide 5)

PC Access to Data

Workstation emulation (fixed-function display): controlled by menu security.

Other PC functions reach the data without going through a menu:
• Printer support
• Shared folders & documents
• Remote commands
• File transfer
• API: data queue
• API: ODBC
• IFS (Integrated File System)
• Messages

Exit programs can control PC requests.

Page 6 (slide 6)

Why Exit Programs

Can object security be used to protect data?

YES: AS/400 security can lock up data.

HOWEVER: the security design often makes that protection ineffective.

Page 7 (slide 7)

Why Exit Programs

What security designs make object security ineffective?

• Group profile owns objects: the production owner is the group profile, and the end users are members of that group
• Excessive public authority: production data with *PUBLIC *ALL
• Excessive special authority: SPCAUT(*ALLOBJ)

Need to provide additional protection.

Page 8 (slide 8)

Why Exit Programs

Users are authorized to data because of existing applications

Need exists to prevent the user from using their access outside of applications

Need to provide additional protection

EXIT PROGRAMS provide additional protection for application data

Page 9 (slide 9)

What are Exit Programs

Exit programs are installation-provided programs used to supplement security.

Actions often performed in exit programs:
• Monitor user activity
• Modify user requests
• Assign a user profile to an anonymous sign-on
• Review the request to determine if it meets installation rules
• Reject requests that do not meet installation rules

The purpose of exit programs is not to exit.

Page 10 (slide 10)

Request Processing

If these programs don't exit, why are they called "Exit Programs"?

Programs are called exit programs because the system (OS/400) exits to a user program in the middle of a request.

1. Another system generates a request
2. The AS/400 server is called to process the request
3. The server calls the "exit program" to validate the request
4. The server rejects or processes the request

Page 11 (slide 11)

Request Processing

1. The AS/400 server calls the user exit program with parameters
2. The exit program analyzes the parameters
3. The exit program sets the return code
4. The server rejects or performs the request based on the exit program's return code

Page 12 (slide 12)

Specifying Exit Programs

How are exit programs specified? There are two methods to name the exit programs.

Network attributes (DDMACC, PCSACC)
• Limited number of request types: Distributed Data Management, PC Support (Client Access)
• One exit program per network attribute

Registration facility
• Multiple request types: distributed data, Client Access, Integrated File System, Internet (FTP, Telnet), security, ...
• Multiple exits, each specific to a function

Page 13 (slide 13)

Specifying Exit Programs: Network Attributes

DDMACC
• *OBJAUT - Request access determined by object authority
• *REJECT - Prevent all requests
• Lib/Pgm - Qualified name of exit program

PCSACC
• *OBJAUT - Request access determined by object authority
• *REJECT - Prevent all requests
• *REGFAC - Use registration facility
• Lib/Pgm - Qualified name of exit program

CHGNETA DDMACC(lib/pgm) PCSACC(lib/pgm)

Must have *ALLOBJ special authority to change the network attributes.

Page 14 (slide 14)

Specifying Exit Programs: Registration Facility

WRKREGINF

                       Work with Registration Information
   Type options, press Enter.
     5=Display exit point     8=Work with exit programs

        Exit                      Exit Point
   Opt  Point                     Format     Registered  Text
   _    QIBM_QHQ_DTAQ             DTAQ0100   *YES        Original Data Queue Server
   _    QIBM_QJO_DLT_JRNRCV       DRCV0100   *YES        Delete Journal Receiver
   _    QIBM_QLZP_LICENSE         LICM0100   *YES        Original License Mgmt Server
   _    QIBM_QMF_MESSAGE          MESS0100   *YES        Original Message Server
   _    QIBM_QNPS_ENTRY           ENTR0100   *YES        Network Print Server - entry
   _    QIBM_QNPS_SPLF            SPLF0100   *YES        Network Print Server - spool
   _    QIBM_QOE_OV_USR_ADM       UADM0100   *YES        OfficeVision/400 Administrati
   _    QIBM_QOE_OV_USR_SND       DOCI0900   *YES        OfficeVision/400 Mail Send Ex
   _    QIBM_QOK_NOTIFY           VRFY0100   *YES        System Directory Notify Exit
   _    QIBM_QOK_SUPPLIER         SUPL0100   *YES        System Directory Supplier Exi
   _    QIBM_QOK_VERIFY           VRFY0100   *YES        System Directory Verify Exit
                                                                          More...
   Command
   ===>
   F3=Exit   F4=Prompt   F9=Retrieve   F12=Cancel

Type option 8 (Work with exit programs) next to an exit point to register a program for it.

Page 15 (slide 15)

Specifying Exit Programs: Registration Facility

                           Work with Exit Programs
   Exit point:  QIBM_QLZP_LICENSE          Format:  LICM0100
   Type options, press Enter.
     1=Add   4=Remove   5=Display   10=Replace

        Exit        Exit
   Opt  Program     Program       Library
        Number
   _    ___________ ___________
   (No exit programs found.)
                                                                          Bottom
   Command
   ===>
   F3=Exit   F4=Prompt   F5=Refresh   F9=Retrieve   F12=Cancel

Typing option 1 (Add) with exit program PROG1 in library MYLIB registers it; when a request arrives, PROG1 will be called.

Page 16 (slide 16)

Exit Points

What exit points are used for a specific request? What are the parameters passed to an exit?

Exit points are documented in the following publications:

• Client Access (file transfer, ODBC): AS/400 Client Access Host Servers, SC41-5740
• Distributed Data Management (DDM, remote commands): AS/400 Distributed Data Management, SC41-5307
• Internet (Telnet, FTP): TCP/IP Configuration and Reference, SC41-5420
• Security: System API Reference, Security APIs, SC41-5872

No good documentation available.

Page 17 (slide 17)

Outline

• Exit Program Overview
  • Why do I need exit programs?
  • What is the purpose of exit programs?
  • If exit programs don't exit, why are they called exit programs?
• Sample exit program: limit file transfer and commands
• Design Alternatives

Page 18 (slide 18)

Exit Programs

CALL EXIT (RTNCDE STRUCTURE)

Return code (RTNCDE): '0' = NO (reject the request), '1' = OK (perform the request)

Parameter structure:

   Field                    Format   Size
   User profile name        Char     10
   Application name         Char     10
   Function                 Char     10
   Object name              Char     10
   Library name             Char     10
   Object type              Char     7
   Format name              Char     10
   Variable data length     Zoned    5, 0
   Variable data            Char     *

References: AS/400 Distributed Data Management, SC41-5307; Client Access Server Concepts, SC41-5740

Page 19 (slide 19)

Operation Code by Function

   Application   Function             Operations
   *LMSRV        license management   REQUEST, RELEASE
   *VPRT         virtual print        EXTRACT, CHECK, OPEN
   *TFRFCL       file transfer        SELECT, JOIN, REPLACE, EXTRACT

File transfer operations in detail:

   EXTRACT   AS/400 -> PC   retrieve information
   SELECT    AS/400 -> PC   download file
   JOIN      AS/400 -> PC   download joined file
   REPLACE   PC -> AS/400   upload file

Page 20 (slide 20)

Operation Code by Function

   Application   Function                      Operations
   *FLRSRV       shared folders type 2         CHANGE, CREATE, DELETE, EXTRACT, MOVE, OPEN, RENAME
   *MSGFCL       messages                      SEND, RECEIVE
   *DDM          distributed data management   ADDMBR, CHANGE, CHGMBR, CLEAR, COMMAND, COPY, CREATE,
                                               DELETE, EXTRACT, INITIALIZE, LOAD, LOCK, MOVE, OPEN,
                                               RENAME, RGZMBR, RMVMBR, RNMMBR, UNLOAD

COMMAND = submit remote command

Page 21 (slide 21)

Prevent Remote Commands

1. Create the CL program: CRTCLPGM STOPCMDS SRCFILE( )
2. Change the network attributes: CHGNETA DDMACC(STOPCMDS)

             PGM        PARM(&RTNCODE &DATA)
             DCL        &DATA *CHAR 30
             DCL        &RTNCODE *CHAR 1
             DCL        &FUNC *CHAR 10
             /* The function name is in positions 21-30 of the structure */
             CHGVAR     &FUNC (%SST(&DATA 21 10))
             IF         (&FUNC = 'COMMAND ') +
                          THEN(CHGVAR &RTNCODE '0')   /* Reject remote command */
             ELSE       CHGVAR &RTNCODE '1'          /* Allow everything else */
             ENDPGM

Page 22 (slide 23)

Exit Program Example: Prevent Remote Commands and File Upload (2 of 2)

Good way to monitor use.

             PGM        PARM(&RC &STRU)
             /* The PGM and DCL statements are on slide 22, which is   */
             /* not in this transcript; they are supplied here so the  */
             /* fragment is complete. The length of &STRU is assumed.  */
             DCL        &RC    *CHAR 1
             DCL        &STRU  *CHAR 100
             DCL        &USER  *CHAR 10
             DCL        &APP1  *CHAR 10
             DCL        &APP2  *CHAR 10
             DCL        &TYPE  *CHAR 2
             MONMSG     CPF0000 EXEC(GOTO EXIT)         /* If error, exit   */
             CHGVAR     &RC '1'                         /* Allow request    */
             CHGVAR     &USER %SST(&STRU 1 10)          /* Get user         */
             CHGVAR     &APP1 %SST(&STRU 11 10)         /* Get appl         */
             CHGVAR     &APP2 %SST(&STRU 21 10)         /* Get function     */
             /* Do not log IBM request to check license */
             IF         (&APP1 = '*LMSRV') GOTO EXIT
             /* XXXXXXXXX is the slide's placeholder for an exempt user */
             IF         (&USER = 'XXXXXXXXX') GOTO LOG
             /* Prevent use of remote commands */
             IF         (&APP1 = '*DDM' *AND &APP2 = 'COMMAND') +
                          CHGVAR &RC '0'                /* Prevent the request */
             /* Prevent file upload from PC users       */
             /* File download to PC is not prevented    */
             /* (slide printed *TFRFCTL; the application */
             /* name on slide 19 is *TFRFCL)             */
             ELSE       IF (&APP1 = '*TFRFCL' *AND &APP2 = 'REPLACE') +
                          CHGVAR &RC '0'                /* Prevent the request */
             /* Log request in the audit journal */
 LOG:        CHGVAR     &TYPE ('X' *CAT &RC)
             SNDJRNE    JRN(QAUDJRN) TYPE(&TYPE) ENTDTA(&STRU)
 EXIT:       ENDPGM

Page 23 (slide 24)

Exit Program Usage

The exit point will depend upon the client operating system.

   File transfer from   Interactive   API     ODBC
   DOS                  EXIT1         EXIT1   N/A
   Win 3.1              EXIT1         EXIT1   EXIT2
   Win95/98/NT          EXIT2         EXIT2   EXIT2

   Description                       Exit point
   EXIT1 = Original File Transfer    QIBM_QTF_TRANSFER
   EXIT2 = Data Base Server          QIBM_QZDA_NDB1

Page 24 (slide 25)

Exit Program Usage

EXIT1: original file transfer. EXIT2: Windows 95 and NT file transfer.

Two programs are required because the parameters are different.

Difficult to determine if a request was an upload or a download.

Page 25 (slide 32)

Outline

• Exit Program Overview
  • Why do I need exit programs?
  • What is the purpose of exit programs?
  • If exit programs don't exit, why are they called exit programs?
• Sample exit program: limit file transfer and commands
• Design Alternatives

Page 26 (slide 33)

Exit Design Alternative: Compare to a Constant

   IF (&USER = 'ELLEN     ')

Advantages
• Excellent performance
• Easy to determine program flow

Limitations
• Must recompile the program to make any change
• Security specification uses a different technique

Page 27 (slide 34)

Exit Design Alternative: Read from a File

Advantages
• Good performance
• Add and remove users without recompiling the program

Limitations
• Program logic more complex
• Security specification uses a different technique

[Diagram: Exit Program reads the list of users from a file]

Page 28 (slide 35)

Exit Design Alternative: Authorization List Users

Advantages
• Good performance
• Add and remove users without recompiling the program
• Security specification uses the same technique

Limitations
• Program logic more complex

[Diagram: Exit Program -> CHKOBJ -> Authorization List -> List of Users]

Page 29 (slide 36)

Check an Authorization List

             IF         COND(………………. ) THEN(DO)
               /* Does the requesting user have *USE on the list? */
               CHKOBJ     OBJ(QSYS/FILEREAD) +
                            OBJTYPE(*AUTL) AUT(*USE)
               /* CPF98xx (not authorized) -> reject the request */
               MONMSG     MSGID(CPF9800) +
                            EXEC(CHGVAR &RC '0')
               GOTO       LOG
             ENDDO

Possible to check for different authorities: *USE for read actions, *CHANGE for update actions.

[Diagram: Exit Program -> CHKOBJ -> Authorization List -> List of Users]
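To see the decision logic of the exit program on page 22 and the authorization-list check on this page run end to end, here is an added Python simulation; it is not code from the presentation, from PentaSafe or from IBM. It decodes the CALL EXIT (RTNCDE STRUCTURE) layout of page 18, applies the page 22 rules (reject *DDM COMMAND and *TFRFCL REPLACE, allow *LMSRV without logging) and, for the AS/400 -> PC transfer operations of page 19, requires *USE on the authorization list the way CHKOBJ would. Assumptions: ASCII strings stand in for the EBCDIC structure, a Python dict named autl stands in for CHKOBJ against QSYS/FILEREAD, the build_structure helper is constructed for testing, the returned journal string only illustrates what SNDJRNE would record, and the slide's exempt-user test (the XXXXXXXXX placeholder) is left out.

```python
"""Simulation of the slide deck's exit-program logic (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

RC_REJECT = "0"   # '0' NO: the server rejects the request
RC_ALLOW = "1"    # '1' OK: the server performs the request

# (1-based start, length) of each field, per the page 18 parameter table
LAYOUT = {
    "user": (1, 10), "application": (11, 10), "function": (21, 10),
    "object_name": (31, 10), "library": (41, 10), "object_type": (51, 7),
    "format_name": (58, 10), "var_len": (68, 5),
}
VAR_DATA_START = 73   # variable data follows the zoned 5,0 length


@dataclass
class ExitRequest:
    user: str
    application: str
    function: str
    object_name: str
    library: str
    object_type: str
    format_name: str
    variable_data: str


def sst(stru: str, start: int, length: int) -> str:
    """CL %SST equivalent: 1-based substring with trailing blanks stripped."""
    return stru[start - 1:start - 1 + length].rstrip()


def parse_structure(stru: str) -> ExitRequest:
    """Decode the fixed-width structure the server passes to the exit."""
    fields = {name: sst(stru, *pos) for name, pos in LAYOUT.items()}
    var_len = int(fields.pop("var_len") or "0")        # Zoned 5,0 -> int
    var_data = stru[VAR_DATA_START - 1:VAR_DATA_START - 1 + var_len]
    return ExitRequest(variable_data=var_data, **fields)


def build_structure(user: str, application: str, function: str,
                    object_name: str = "", library: str = "",
                    object_type: str = "", format_name: str = "",
                    variable_data: str = "") -> str:
    """Constructed helper: lay out a request the way the server would."""
    return (f"{user:<10}{application:<10}{function:<10}{object_name:<10}"
            f"{library:<10}{object_type:<7}{format_name:<10}"
            f"{len(variable_data):05d}{variable_data}")


# Installation rules from page 22: no remote commands, no uploads from PCs
BLOCKED = {("*DDM", "COMMAND"), ("*TFRFCL", "REPLACE")}
# AS/400 -> PC transfer operations (page 19) are read actions: need *USE
READ_TRANSFERS = {"SELECT", "JOIN", "EXTRACT"}
AUTH_RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}


def chkobj_autl(autl: Dict[str, str], user: str, required: str) -> bool:
    """Stand-in for CHKOBJ OBJTYPE(*AUTL) AUT(required): the user's own
    entry wins, otherwise *PUBLIC; a higher authority includes a lower one."""
    granted = autl.get(user, autl.get("*PUBLIC", "*EXCLUDE"))
    return AUTH_RANK[granted] >= AUTH_RANK[required]


def exit_program(stru: str, autl: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Return (return code, audit journal entry or None), like the CL program."""
    req = parse_structure(stru)
    rc = RC_ALLOW
    if req.application == "*LMSRV":          # IBM license check: allow, do not log
        return rc, None
    if (req.application, req.function) in BLOCKED:
        rc = RC_REJECT
    elif req.application == "*TFRFCL" and req.function in READ_TRANSFERS:
        if not chkobj_autl(autl, req.user, "*USE"):
            rc = RC_REJECT                    # the MONMSG CPF9800 path in CL
    # What SNDJRNE JRN(QAUDJRN) TYPE('X' *CAT &RC) ENTDTA(&STRU) would record
    entry = f"QAUDJRN TYPE(X{rc}) ENTDTA({stru.rstrip()})"
    return rc, entry


if __name__ == "__main__":
    autl = {"ELLEN": "*USE", "*PUBLIC": "*EXCLUDE"}   # constructed FILEREAD list
    for s in (build_structure("ELLEN", "*DDM", "COMMAND", variable_data="DSPLIB PRODLIB"),
              build_structure("ELLEN", "*TFRFCL", "SELECT", "CUST", "PRODLIB", "*FILE"),
              build_structure("GUEST", "*TFRFCL", "SELECT", "CUST", "PRODLIB", "*FILE")):
        print(exit_program(s, autl))
```

The rule order mirrors the CL: the license-server exemption first, then the hard rejects, then the authorization-list check, and every evaluated request ends with an audit record carrying the return code, which is what makes the exit point a monitoring tool as well as a gate.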

Page 30 (slide 37)

File Transfer Transactions

   *...+....1....+....2....+....3....+....4....+....5....
   WOE       *SQL      ZDAI0100
   WOE       *RTVOBJINFZDAR0100X'1800' *USRLIBL
   WOE       *SQLSRV   ZDAQ0200X'180C'
   WOE       *RTVOBJINFZDAR0100X'1805' WOE
   WOE       *NDB      ZDAD0100X'1802' SOURCE
   WOE       *NDB      ZDAD0100X'1805' SOURCE
   WOE       *RTVOBJINFZDAR0100X'1804' WOE
   WOE       *SQLSRV   ZDAQ0200X'1803'
   WOE       *SQLSRV   ZDAQ0200X'1800'
   WOE       *SQLSRV   ZDAQ0200X'1805'
   WOE       *NDB      ZDAD0100X'1806' SOURCE

1. Request transfer: shows the user library list
2. Select library WOE: shows the files in the library
3. Select file SOURCE: shows the member list
4. Specify add member SECOFR during the data transfer: performs the copy
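As an added example that is not part of the deck, the listing above can be read programmatically to see what a PC file-transfer session actually asked the host servers for. The Python below parses a constructed copy of the slide's fixed-column listing (user in columns 1-10, application 11-20, format 21-28, request code 29-35, data from column 37), counts requests per server application, lists the libraries and files named, and picks out the *NDB requests, which are the ones the Data Base Server exit QIBM_QZDA_NDB1 of page 23 would see. The meaning of the individual X'nnnn' request codes is not on the slide and the code does not interpret them; the exit-point mapping covers only the one exit point the deck names.

```python
"""Parse the slide's file-transfer transaction listing (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed copy of the slide's listing, same columns as its ruler line
LOG = """\
WOE       *SQL      ZDAI0100
WOE       *RTVOBJINFZDAR0100X'1800' *USRLIBL
WOE       *SQLSRV   ZDAQ0200X'180C'
WOE       *RTVOBJINFZDAR0100X'1805' WOE
WOE       *NDB      ZDAD0100X'1802' SOURCE
WOE       *NDB      ZDAD0100X'1805' SOURCE
WOE       *RTVOBJINFZDAR0100X'1804' WOE
WOE       *SQLSRV   ZDAQ0200X'1803'
WOE       *SQLSRV   ZDAQ0200X'1800'
WOE       *SQLSRV   ZDAQ0200X'1805'
WOE       *NDB      ZDAD0100X'1806' SOURCE
"""

# Only the exit point the deck names (EXIT2, Data Base Server, page 23)
EXIT_POINTS = {"*NDB": "QIBM_QZDA_NDB1"}


@dataclass
class Transaction:
    user: str
    application: str
    format: str
    request_code: Optional[int]   # value inside X'....', None if absent
    data: str                     # library, file or special value, "" if none


def parse_line(line: str) -> Transaction:
    """Fixed-column decode of one listing line (0-based slices)."""
    line = line.rstrip("\n")
    code_field = line[28:35].strip()
    code = int(code_field[2:6], 16) if code_field.startswith("X'") else None
    return Transaction(user=line[0:10].strip(), application=line[10:20].strip(),
                       format=line[20:28].strip(), request_code=code,
                       data=line[36:].strip())


def parse_log(text: str) -> List[Transaction]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def requests_by_application(txns: List[Transaction]) -> Dict[str, int]:
    """How many requests each host-server application handled."""
    return dict(Counter(t.application for t in txns))


def objects_referenced(txns: List[Transaction]) -> List[str]:
    """Libraries and files named in the data column; *-values are special values."""
    return sorted({t.data for t in txns if t.data and not t.data.startswith("*")})


def exit_point_for(application: str) -> str:
    return EXIT_POINTS.get(application, "not named on the slide")


def database_server_requests(txns: List[Transaction]) -> List[Transaction]:
    """Requests the Data Base Server exit would see. They carry the object
    name but, as page 24 notes, not whether the transfer is up or down."""
    return [t for t in txns if t.application == "*NDB"]


if __name__ == "__main__":
    txns = parse_log(LOG)
    print(requests_by_application(txns))
    print(objects_referenced(txns))
    for t in database_server_requests(txns):
        print(exit_point_for(t.application), t.format, hex(t.request_code), t.data)
```

Reading the listing this way shows the point the slide makes: a single "file transfer" from the PC fans out into SQL, object-information and native-database requests, and the objects a user touches are visible in the data column, so an exit program that journals every request gives a usable audit trail even where it cannot tell upload from download.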


Page 32 (slide 39)

Summary

Menu security is not adequate to limit a user.

You must protect data from access via the other Client Access servers:
• File transfer
• Remote commands
• Folder access

Use exit programs to supplement object security.

Page 33 (slide 40)

Summary

Specifying exit programs using network attributes is not recommended:
• Increases overhead
• Network attributes offer a limited set of exits

Use the Registration Facility to specify exit programs.

Page 34 (slide 41)

Information Sources

Exit point documentation:
• Client Access (file transfer, ODBC): AS/400 Client Access Host Servers, SC41-5740
• Distributed Data Management (DDM, remote commands): AS/400 Distributed Data Management, SC41-5307
• Internet (Telnet, FTP): TCP/IP Configuration and Reference, SC41-5420
• Security: System API Reference, Security APIs, SC41-5872

Page 35 (slide 42)

Information Sources: Manuals

Security
• SC41-5300 Tips and Tools for Securing Your AS/400
• SC41-5301 AS/400 Security Basic
• SC41-5302 AS/400 Security Reference

Internet
• S325-6321 IBM SecureWay: AS/400 and the Internet
• G325-6321 AS/400 and the Internet
• SG24-4929 AS/400 Internet Security: Protecting Your AS/400 from HARM on the Internet

Page 36 (slide 43)

More ??

Jim Stracka

[email protected]

www.pentasafe.com

713-860-9412 - direct