ibm-information-center/dist/eclipse/plugins/i5OS.ic.ddp_5.4.0.1/rbal1exitpgms.htm

173 lines
11 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="DRDA server access control exit programs" />
<meta name="abstract" content="A security feature of the Distributed Relational Database Architecture (DRDA) server, for use with both Advanced Program-to-Program Communication (APPC) and TCP/IP, extends the use of the DDMACC parameter of the Change Network Attributes (CHGNETA) command to DRDA." />
<meta name="description" content="A security feature of the Distributed Relational Database Architecture (DRDA) server, for use with both Advanced Program-to-Program Communication (APPC) and TCP/IP, extends the use of the DDMACC parameter of the Change Network Attributes (CHGNETA) command to DRDA." />
<meta name="DC.subject" content="ASP group, definition, user exit program, function check" />
<meta name="keywords" content="ASP group, definition, user exit program, function check" />
<meta name="DC.Relation" scheme="URI" content="rbal1secure.htm" />
<meta name="DC.Relation" scheme="URI" content="rbal1sacep.htm" />
<meta name="DC.Relation" scheme="URI" content="../cl/rclactgrp.htm" />
<meta name="DC.Relation" scheme="URI" content="../cl/chgneta.htm" />
<meta name="DC.Relation" scheme="URI" content="rbal1objsec.htm" />
<meta name="DC.Relation" scheme="URI" content="../ddm/rbae5kickoff.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rbal1exitpgms" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>DRDA server
access control exit programs</title>
</head>
<body id="rbal1exitpgms"><a name="rbal1exitpgms"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">DRDA server
access control exit programs</h1>
<div><p>A security feature of the Distributed
Relational Database Architecture™ (DRDA<sup>®</sup>) server, for use with both Advanced
Program-to-Program Communication (APPC) and TCP/IP, extends the use of the
DDMACC parameter of the <span class="cmdname">Change Network Attributes (CHGNETA)</span> command
to DRDA.</p>
<p>The parameter previously applied only to DDM file I/O access. The DRDA usage of
the function is limited to connection requests, however, and not to requests
for data after the connection is made.</p>
<p>If you do not choose to use this security function, you normally do not
need to do anything. The only exception is if you are currently using a DDM
exit program that is coded to reject operations if an unknown function code
is received, and you are also using DRDA to access data on that system. In
this case, you must change your exit program so that a '1' is returned to
allow DRDA access
if the function code is 'SQLCNN '.</p>
<p>To use the exit program for blocking or filtering DRDA connections, you need to create a
new DRDA exit
program, or change an existing one. </p>
<div class="note"><span class="notetitle">Note:</span> If your system is configured with multiple databases (ASP groups), the
exit program must reside in a library in the system database (on an auxiliary
storage pool in the range 1-32).</div>
<p>You can find general instructions for creating a DRDA exit program in the Distributed data
management topic.</p>
<p>This security feature adds a DRDA function code to the list of request
functions that can be input to the program in the input parameter structure.
The function code, named 'SQLCNN ' (SQL connect request), indicates that
a DRDA connection
request is being processed (see the FUNC parameter in Example: DRDA server access
control exit program). The APP (application) input parameter is set to <samp class="codeph">'*DRDA
'</samp> instead of <samp class="codeph">'*DDM '</samp> for DRDA connection
request calls.</p>
<p>When you code exit programs for DRDA, the following fields in the parameter
structure might be useful: </p>
<ul><li>The USER field allows the program to allow or deny DRDA access based on the user profile ID.</li>
<li>The RDBNAME field contains the name of the RDB to which the user wants
to connect. This can be the system database or a user database (ASP group).
This field can be useful if you want to deny access to one or more databases
in an environment where multiple databases are configured.</li>
<li>The SRVNAME parameter in Example: DRDA server access control exit program
might or might not be set by the caller of the exit program. If it is set,
it indicates the name of the client system. If it is not set, it has the value
*N. It will always be set when the DRDA Application Requester is an <span class="keyword">iSeries™ server</span>.</li>
<li>The TYPDEFN parameter gives additional information about the type of client
that is connecting. For an IBM<sup>®</sup> mainframe, TYPEDEFN will be QTDSQL370. For an <span class="keyword">iSeries server</span>, it will be QTDSQL400. For
an Intel<sup>®</sup> PC,
it will be QTDSQLX86. For an RS/6000<sup>®</sup> client, it will be QTDSQLASC.</li>
<li>The PRDID (product ID) parameter identifies the product that is attempting
to connect, along with the product's release level. Here is a partial list
of the first three characters of these codes (You should verify the non-IBM
codes before you use them in an exit program): <dl><dt class="dlterm">QSQ</dt>
<dd>IBM <span class="keyword">DB2 Universal Database™ for iSeries</span></dd>
<dt class="dlterm">DSN</dt>
<dd>IBM DB2
Universal Database™ for z/OS<sup>®</sup></dd>
<dt class="dlterm">SQL</dt>
<dd>IBM DB2
Universal Database for Linux<sup>®</sup>, Unix and Windows<sup>®</sup> (formerly
called DDCS)</dd>
<dt class="dlterm">ARI</dt>
<dd>IBM DB2
Universal Database for VSE &amp; VM</dd>
<dt class="dlterm">GTW</dt>
<dd>Oracle Corporation products</dd>
<dt class="dlterm">GVW</dt>
<dd>Grandview DB/DC Systems products</dd>
<dt class="dlterm">XDB</dt>
<dd> XDB Systems products</dd>
<dt class="dlterm">IFX</dt>
<dd>Informix<sup>®</sup> Software
products</dd>
<dt class="dlterm">RUM</dt>
<dd>Wall Data Rumba for Database Access</dd>
<dt class="dlterm">SIG</dt>
<dd>StarQuest products</dd>
<dt class="dlterm">STH</dt>
<dd>FileTek products</dd>
<dt class="dlterm">JCC</dt>
<dd>IBM DB2<sup>®</sup> Universal
Driver for SQLJ and JDBC</dd>
</dl>
The rest of the field is structured as <samp class="codeph">vvrrm</samp>,
where <samp class="codeph">vv</samp> is version, <samp class="codeph">rr</samp> is release, and <samp class="codeph">m</samp> is
modification level. </li>
</ul>
<p>If the exit program returns a RTNCODE value of '0', and the connection
request came from an iSeries client, then the message indicating the connection
failure to the user will be SQ30060, 'User is not authorized to relational
database ....'. In general, the response to a denial of access by the exit
program is the DRDA RDBATHRM
reply message, which indicates that the user is not authorized to the relational
database. Note that different client platforms might report the error differently
to the user. </p>
<div class="section"><h4 class="sectiontitle">Restrictions:</h4><ul><li>If a function check occurs in the user exit program, the program returns
the same reply message, and the connection attempt will fail. The exit program
must not do any committable updates to <span class="keyword">DB2 UDB for iSeries</span>,
or unpredictable results might occur.</li>
<li>You should not use exit programs to attempt to access a file that was
opened in a prior call of the prestart server job.</li>
<li>Prior to V5R2, a further restriction resulted when the prestart jobs used
with the TCP/IP server were recycled for subsequent use. Some cleanup is done
to prepare the job for its next use. Part of this processing involves using
the <span class="cmdname">Reclaim Activation Group (RCLACTGRP)</span> command with the
ACTGRP parameter with value of *ELIGIBLE. As a result, attempts to use any
residual linkages in the prestart server job to activation groups destroyed
by the <span class="cmdname">RCLACTGRP</span> can result in MCH3402 exceptions (where
the program tried to refer to all or part of an object that no longer exists).
One circumvention to this restriction is to set the MAXUSE value for the QRWTSRVR
prestart jobs to 1 as follows: CHGPJE SBSD(QSYSWRK) PGM(QRWTSRVR) MAXUSE(1).</li>
</ul>
</div>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rbal1sacep.htm">Example: DRDA server access control exit program</a></strong><br />
This exit program shows an example of a PL/I exit program that
allows all DRDA operations
and all DRDA connections
except when the user ID is ALIEN.</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rbal1secure.htm" title="The iSeries server has security elements built into the operating system to limit access to the data resources of an application server. Security options range from simple physical security to full password security coupled with authorization to commands and data objects.">Security</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rbal1objsec.htm" title="If the iSeries server is an application server (AS), there are two object-related levels at which security can be enforced to control access to its relational database tables.">Object-related security for DRDA</a></div>
<div><a href="../ddm/rbae5kickoff.htm">Distributed data management</a></div>
</div>
<div class="relref"><strong>Related reference</strong><br />
<div><a href="../cl/rclactgrp.htm">Reclaim Activation Group (RCLACTGRP) command</a></div>
<div><a href="../cl/chgneta.htm">Change Network Attributes (CHGNETA) command</a></div>
</div>
</div>
</body>
</html>