ibm-information-center/dist/eclipse/plugins/i5OS.ic.ddm_5.4.0.1/rbae5exitpgms.htm

195 lines
12 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="DRDA server access control exit programs with example" />
<meta name="abstract" content="A security feature of the DRDA server, for both APPC and TCP/IP use, extends the use of the DDMACC parameter of the CHGNETA command to DRDA." />
<meta name="description" content="A security feature of the DRDA server, for both APPC and TCP/IP use, extends the use of the DDMACC parameter of the CHGNETA command to DRDA." />
<meta name="DC.Relation" scheme="URI" content="rbae5exitpgm.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1999, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1999, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rbae5exitpgms" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>DRDA server
access control exit programs with example</title>
</head>
<body id="rbae5exitpgms"><a name="rbae5exitpgms"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">DRDA server
access control exit programs with example</h1>
<div><p>A security feature of the DRDA<sup>®</sup> server, for both APPC and TCP/IP use,
extends the use of the DDMACC parameter of the <span class="cmdname">CHGNETA</span> command
to DRDA. </p>
<div class="section"><p>The parameter previously applied only to DDM file I/O access.
The DRDA usage
of the function is limited to connection requests, however, and not to requests
for data after the connection is made.</p>
</div>
<div class="section"><p>If you do not choose to take advantage of this security function,
you normally do not need to do anything. The only exception is if you are
currently using a DDM exit program that is coded to reject operations if an
unknown function code is received, and you are also using DRDA to access
data on that server. In this case, you must modify your exit program so that
a '1' is returned to allow DRDA access if the function code is 'SQLCNN '.</p>
</div>
<div class="section"><p>To use the exit program for blocking or filtering DRDA connections,
you need to create a new DDM exit program, or modify an existing one.</p>
</div>
<div class="section"><p>This security enhancement includes a DRDA function code on the list of request
functions that can be input to the program in the input parameter structure.
The function code, named 'SQLCNN ' (SQL connect request), indicates that
a DRDA connection
request is being processed (see the FUNC parameter in the following example).
The APP (application) input parameter is set to <samp class="codeph">'*DRDA '</samp> instead
of <samp class="codeph">'*DDM '</samp> for DRDA connection request calls.</p>
</div>
<div class="section"><div class="p">In addition to this enhancement, the following parameters are
useful for DRDA: <ul><li>The USER parameter, allows the program to allow or deny DRDA access based
on the user profile ID.</li>
<li>The SRVNAME parameter in the following example might also be of use. If
this parameter is set, it indicates the name of the client server. If it is
not set, it has the value *N. It should always be set for an <span class="keyword">iSeries™</span> DRDA Application
Requester.</li>
<li>The TYPDEFN gives additional information about the type of client attempting
to connect.</li>
<li>The PRDID (product ID) parameter identifies the product that is attempting
to connect, along with the product's release level. A partial list of these
codes follows. (You should verify the non-IBM codes before you use them in
an exit program.) <dl><dt class="dlterm">QSQ</dt>
<dd>IBM<sup>®</sup> <span class="keyword">DB2 Universal Database™ for iSeries</span></dd>
<dt class="dlterm">DSN</dt>
<dd>IBM DB2
Universal Database™ for z/OS<sup>®</sup></dd>
<dt class="dlterm">SQL</dt>
<dd><span>IBM DB2 Universal Database for Linux<sup>®</sup>, UNIX<sup>®</sup> and Windows<sup>®</sup> (formerly
called DDCS)</span></dd>
<dt class="dlterm">ARI</dt>
<dd><span>IBM DB2 Universal Database for VSE and
VM</span></dd>
<dt class="dlterm">GTW</dt>
<dd>Oracle Corporation products</dd>
<dt class="dlterm">GVW</dt>
<dd>Grandview DB/DC Systems products</dd>
<dt class="dlterm">XDB</dt>
<dd> XDB Systems products</dd>
<dt class="dlterm">IFX</dt>
<dd>Informix<sup>®</sup> Software
products</dd>
<dt class="dlterm">RUM</dt>
<dd>Wall Data Rumba for Database Access</dd>
<dt class="dlterm">SIG</dt>
<dd>StarQuest products</dd>
<dt class="dlterm">STH</dt>
<dd>FileTek products</dd>
</dl>
The rest of the field is structured as <samp class="codeph">vvrrm</samp>,
where <samp class="codeph">vv</samp> is version, <samp class="codeph">rr</samp> is release, and <samp class="codeph">m</samp> is
modification level. </li>
</ul>
</div>
</div>
<div class="section"><p>The <em>DDM Architecture Reference</em> manual and the <em>DRDA Reference</em> (both
available from The Open Group) give more information about these fields.</p>
</div>
<div class="section"><p>If the exit program returns a RTNCODE value of '0', and the Application
Requester system type is <span class="keyword">iSeries</span>,
then the message indicating the connection failure to the user will be SQ30060,
'User is not authorized to relational database ....'. In general, the response
to a denial of access by the exit program is the DDM RDBATHRM reply message,
which indicates that the user is not authorized to the relational database.</p>
</div>
<div class="section"><h4 class="sectiontitle">Restrictions</h4><p>If a function check occurs in the user
exit program, the same reply message will be returned, and the connection
attempt will fail. The exit program must not do any committable updates to <span class="keyword">DB2<sup>®</sup> UDB for iSeries</span>, or unpredictable results might
occur. A further restriction results from the fact that when the prestart
jobs used with the TCP/IP server are recycled for subsequent use, some cleanup
is done to the jobs for security reasons. Part of this processing involves
the use of the RCLACTGRP ACTGRP(*ELIGIBLE) function. As a result, attempts
to use any residual linkages in the prestart server job to activation groups
destroyed by the RCLACTGRP can result in MCH3402 exceptions (where the program
tried to refer to all or part of an object that no longer exists). Furthermore,
an exit program should not attempt to access a file that was opened in a prior
invocation of the prestart server job.</p>
</div>
<div class="section"><h4 class="sectiontitle">Example</h4><p>This example demonstrates a PL/I user exit
program that allows all DDM operations, and all DRDA connections except for when the user
ID is 'ALIEN'.</p>
<div class="note"><span class="notetitle">Note:</span> By using the code examples, you agree to the terms
of the <a href="codedisclaimer.htm">Code license and disclaimer information</a>.</div>
<div class="p"> <pre id="rbae5exitpgms__rbae5exitpgmxmp"><a name="rbae5exitpgms__rbae5exitpgmxmp"><!-- --></a>/*******************************************************************/
/* */
/* PROGRAM NAME: UEPALIEN */
/* */
/* FUNCTION: USER EXIT PROGRAM THAT IS DESIGNED TO */
/* RETURN AN UNSUCCESSFUL RETURN CODE WHEN */
/* USERID 'ALIEN' ATTEMPTS A DRDA CONNECTION. */
/* IT ALLOWS ALL TYPES OF DDM OPERATIONS. */
/* */
/* EXECUTION: CALLED WHEN ESTABLISHED AS THE USER EXIT */
/* PROGRAM. */
/* */
/* ALL PARAMETER VARIABLES ARE PASSED IN EXCEPT: */
/* */
/* RTNCODE - USER EXIT RETURN CODE ON WHETHER FUNCTION IS */
/* ALLOWED: '1' INDICATES SUCCESS; '0' FAILURE. */
/* */
/*******************************************************************/
UEPALIEN: PROCEDURE (RTNCODE,CHARFLD);
DECLARE RTNCODE CHAR(1); /* DECLARATION OF THE EXIT */
/* PROGRAM RETURN CODE. IT */
/* INFORMS REQUEST HANDLER */
/* WHETHER REQUEST IS ALLOWED. */
DECLARE /* DECLARATION OF THE CHAR */
1 CHARFLD, /* FIELD PASSED IN ON THE CALL. */
2 USER CHAR(10), /* USER PROFILE OF DDM/DRDA USER*/
2 APP CHAR(10), /* APPLICATION NAME */
2 FUNC CHAR(10), /* REQUESTED FUNCTION */
2 OBJECT CHAR(10), /* FILE NAME */
2 DIRECT CHAR(10), /* LIBRARY NAME */
2 MEMBER CHAR(10), /* MEMBER NAME */
2 RESERVED CHAR(10), /* RESERVED FIELD */
2 LNGTH PIC '99999', /* LENGTH OF USED SPACE IN REST */
2 REST, /* REST OF SPACE = CHAR(2000) */
3 LUNAME CHAR(10), /* REMOTE LU NAME (IF SNA) */
3 SRVNAME CHAR(10), /* REMOTE SERVER NAME */
3 TYPDEFN CHAR(9), /* TYPE DEF NAME OF DRDA AR */
3 PRDID, /* PRODUCT ID OF DRDA AR */
5 PRODUCT CHAR(3), /* PRODUCT CODE */
5 VERSION CHAR(2), /* VERSION ID */
5 RELEASE CHAR(2), /* RELEASE ID */
5 MOD CHAR(1), /* MODIFICATION LEVEL */
3 REMAING CHAR(1983); /* REMAINING VARIABLE SPACE. */
START:
IF (USER = 'ALIEN' &amp; /* IF USER IS 'ALIEN' AND */
FUNC = 'SQLCNN') THEN /* FUNCTION IS DRDA CONNECT */
RTNCODE = '0'; /* SET RETURN CODE TO UNSUCCESSFUL*/
ELSE /* IF ANY OTHER USER, OR DDM */
RTNCODE = '1'; /* SET RETURN CODE TO SUCCESSFUL */
END UEPALIEN;</pre>
</div>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rbae5exitpgm.htm" title="Customers who use menu-level security, which is accomplished by restricting the user's access to functions on the server, are likely to have a large number of public files. Public files are those files to which the public has some or all authority. A user exit program allows you to restrict each DDM user's access to public files and to private files.">DDM server access control exit program for additional security</a></div>
</div>
</div>
</body>
</html>