Use security exit programs

Some system functions provide an exit so that your system can run a user-created program to perform additional checking and validation. For example, you can set up your system to run an exit program every time that someone attempts to open a DDM (distributed data management) file on your system.

Sources of Sample Exit Programs

You can use the registration function to specify exit programs that run under certain conditions. The following table provides a list of these exit programs and sources for example programs.
Table 1. Sources of Sample Exit Programs
Type of exit programs Purpose Where to find examples
Password validation The QPWDVLDPGM system value can specify a program name or indicate that validation programs registered for the QIBM_QSY_VLD_PASSWRD exit point be used to check a new password for additional requirements that are not handled by the QPWDxxx system values. The use of this program should be carefully monitored because it receives unencrypted passwords. This program should not store passwords in a file or pass them to another program.
  • An Implementation Guide for iSeries™ Security and Auditing, GG24–4200
  • iSeries Security Reference, SC41-5302-07
PC Support/400 or Client Access access1 You can specify this program name in the Client request access (PCSACC) parameter of the network attributes to control the following functions:
  • Virtual printer function
  • File transfer function v Shared folders Type 2 function
  • Client access message function
  • Data queues
  • Remote SQL function
An Implementation Guide for iSeries Security and Auditing, GG24–4200
Distributed Data Management (DDM) access You can specify this program name in the DDM request access (DDMACC) parameter of the network attributes to control the following functions:
  • Shared folders Type 0 and 1 function
  • Submit Remote Command function
An Implementation Guide for iSeries Security and Auditing, GG24–4200
Remote sign on You can specify a program in the QRMTSIGN system value to control what users can be automatically signed on from which locations (pass-through.) An Implementation Guide for iSeries Security and Auditing, GG24–4200
Open Database Connectivity (ODBC) with iSeries Access1 Control the following functions of ODBC:
  • Whether ODBC is allowed at all.
  • What functions are allowed for iSeries database files.
  • What SQL statements are allowed.
  • What information can be retrieved about database server objects.
  • What SQL catalog functions are allowed.
None available
QSYSMSG break handling program You can create a program to monitor the QSYSMSG message queue and take appropriate action (such as notifying the security administrator) depending on the type of message. An Implementation Guide for iSeries Security and Auditing, GG24–4200
TCP/IP Several TCP/IP servers (such as FTP, TFTP, TELNET, and REXEC) provide exit points. You can add exit programs to handle log-on and to validate user requests, such as requests to get or put a specific file. You can also use these exits to provide anonymous FTP on your system. TCP/IP User Exits in the iSeries System API Reference book
User profile changes You can create exit programs for the following user profile commands: CHGUSRPRF CRTUSRPRF DLTUSRPRF RSTUSRPRF
  • iSeries Security Reference, SC41-5302-07
  • TCP/IP User Exits in the iSeries System API Reference book