DRDA server access control exit programs with example

A security feature of the DRDA® server, for both APPC and TCP/IP use, extends the use of the DDMACC parameter of the CHGNETA command to DRDA.

The parameter previously applied only to DDM file I/O access. For DRDA, however, the exit program is called only for connection requests; it is not called for requests for data after the connection is made, so any filtering must be decided at connect time.

If you do not choose to take advantage of this security function, you normally do not need to do anything. The only exception is if you are currently using a DDM exit program that is coded to reject operations if an unknown function code is received, and you are also using DRDA to access data on that server. Such a program rejects every DRDA connection request, because 'SQLCNN ' is a function code it does not recognize. In this case, you must modify your exit program so that a '1' is returned to allow DRDA access if the function code is 'SQLCNN '.

To use the exit program for blocking or filtering DRDA connections, you need to create a new DDM exit program, or modify an existing one, and name it on the DDMACC parameter of the CHGNETA command (for example, CHGNETA DDMACC(MYLIB/UEPALIEN), where MYLIB stands for the library that contains the program).

This security enhancement includes a DRDA function code on the list of request functions that can be input to the program in the input parameter structure. The function code, named 'SQLCNN ' (SQL connect request), indicates that a DRDA connection request is being processed (see the FUNC parameter in the following example). The APP (application) input parameter is set to '*DRDA ' instead of '*DDM ' for DRDA connection request calls.

In addition to this enhancement, the following parameters are useful for DRDA:
  • The USER parameter allows the program to allow or deny DRDA access based on the user profile ID.
  • The SRVNAME parameter in the following example might also be of use. If this parameter is set, it indicates the server name of the client (application requester) system. If it is not set, it has the value *N. It should always be set for an iSeries™ DRDA Application Requester.
  • The TYPDEFN parameter gives additional information about the type of client attempting to connect.
  • The PRDID (product ID) parameter identifies the product that is attempting to connect, along with the product's release level. The first three characters are a product code; a partial list of these codes follows. (You should verify the non-IBM codes before you use them in an exit program.)
    QSQ  IBM® DB2 Universal Database™ for iSeries
    DSN  IBM DB2 Universal Database for z/OS®
    SQL  IBM DB2 Universal Database for Linux®, UNIX® and Windows® (formerly called DDCS)
    ARI  IBM DB2 Universal Database for VSE and VM
    GTW  Oracle Corporation products
    GVW  Grandview DB/DC Systems products
    XDB  XDB Systems products
    IFX  Informix® Software products
    RUM  Wall Data Rumba for Database Access
    SIG  StarQuest products
    STH  FileTek products
    The rest of the field is structured as vvrrm, where vv is version, rr is release, and m is modification level.

The DDM Architecture Reference manual and the DRDA Reference (both available from The Open Group) give more information about these fields.

If the exit program returns a RTNCODE value of '0', and the Application Requester system type is iSeries, then the message indicating the connection failure to the user will be SQ30060, 'User is not authorized to relational database ....'. In general, the response to a denial of access by the exit program is the DDM RDBATHRM reply message, which indicates that the user is not authorized to the relational database.

Restrictions

  • If a function check occurs in the user exit program, the same RDBATHRM reply message is returned and the connection attempt fails.
  • The exit program must not do any committable updates to DB2® UDB for iSeries, or unpredictable results might occur.
  • When the prestart jobs used with the TCP/IP server are recycled for subsequent use, some cleanup is done to the jobs for security reasons. Part of this processing is a RCLACTGRP ACTGRP(*ELIGIBLE). As a result, attempts to use any residual linkages in the prestart server job to activation groups destroyed by the RCLACTGRP can result in MCH3402 exceptions (the program tried to refer to all or part of an object that no longer exists).
  • For the same reason, an exit program should not attempt to access a file that was opened in a prior invocation of the prestart server job.

Example

This example demonstrates a PL/I user exit program that allows all DDM operations, and all DRDA connections except for when the user ID is 'ALIEN'.

Note: By using the code examples, you agree to the terms of the Code license and disclaimer information.
/*******************************************************************/
/*                                                                 */
/* PROGRAM NAME: UEPALIEN                                          */
/*                                                                 */
/* FUNCTION:     USER EXIT PROGRAM THAT IS DESIGNED TO             */
/*               RETURN AN UNSUCCESSFUL RETURN CODE WHEN           */
/*               USERID 'ALIEN' ATTEMPTS A DRDA CONNECTION.        */
/*               IT ALLOWS ALL TYPES OF DDM OPERATIONS.            */
/*                                                                 */
/* EXECUTION:    CALLED WHEN ESTABLISHED AS THE USER EXIT          */
/*               PROGRAM.                                          */
/*                                                                 */
/* ALL PARAMETER VARIABLES ARE PASSED IN EXCEPT:                   */
/*                                                                 */
/*    RTNCODE - USER EXIT RETURN CODE ON WHETHER FUNCTION IS       */
/*              ALLOWED: '1' INDICATES SUCCESS; '0' FAILURE.       */
/*                                                                 */
/*******************************************************************/

UEPALIEN: PROCEDURE (RTNCODE,CHARFLD);

DECLARE RTNCODE CHAR(1);           /* DECLARATION OF THE EXIT      */
                                   /* PROGRAM RETURN CODE.  IT     */
                                   /* INFORMS REQUEST HANDLER      */
                                   /* WHETHER REQUEST IS ALLOWED.  */
DECLARE                            /* DECLARATION OF THE CHAR      */
 1  CHARFLD,                       /* FIELD PASSED IN ON THE CALL. */
    2  USER     CHAR(10),          /* USER PROFILE OF DDM/DRDA USER*/
    2  APP      CHAR(10),          /* APPLICATION NAME             */
    2  FUNC     CHAR(10),          /* REQUESTED FUNCTION           */
    2  OBJECT   CHAR(10),          /* FILE NAME                    */
    2  DIRECT   CHAR(10),          /* LIBRARY NAME                 */
    2  MEMBER   CHAR(10),          /* MEMBER NAME                  */
    2  RESERVED CHAR(10),          /* RESERVED FIELD               */
    2  LNGTH    PIC '99999',       /* LENGTH OF USED SPACE IN REST */
    2  REST,                       /* REST OF SPACE = CHAR(2000)   */
      3  LUNAME  CHAR(10),         /* REMOTE LU NAME (IF SNA)      */
      3  SRVNAME CHAR(10),         /* REMOTE SERVER NAME           */
      3  TYPDEFN CHAR(9),          /* TYPE DEF NAME OF DRDA AR     */
      3  PRDID,                    /* PRODUCT ID OF DRDA AR        */
        5 PRODUCT  CHAR(3),        /* PRODUCT CODE                 */
        5 VERSION  CHAR(2),        /* VERSION ID                   */
        5 RELEASE  CHAR(2),        /* RELEASE ID                   */
        5 MOD      CHAR(1),        /* MODIFICATION LEVEL           */
      3  REMAING CHAR(1963);       /* 2000 LESS THE 37 BYTES ABOVE */

START:
IF (USER = 'ALIEN' &             /* IF USER IS 'ALIEN' AND         */
      FUNC = 'SQLCNN') THEN      /*   FUNCTION IS DRDA CONNECT     */
  RTNCODE = '0';                 /* SET RETURN CODE TO UNSUCCESSFUL*/
ELSE                             /* IF ANY OTHER USER, OR DDM      */
  RTNCODE = '1';                 /* SET RETURN CODE TO SUCCESSFUL  */

END UEPALIEN;
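The following is an added example, not IBM code and not part of the page's UEPALIEN program. It models the CHARFLD parameter interface described above in Python, so that a connection-filtering policy can be exercised off-platform before it is ported to the PL/I exit program that DDMACC names. It goes beyond the page's single case: it denies the user 'ALIEN', restricts DRDA connects to the QSQ and DSN product codes listed above, fails closed on any APP/FUNC combination it does not recognize, and shows the pitfall of a pre-DRDA exit that rejects unknown function codes. The field offsets come from the CHARFLD declaration above; the policy sets, the sample values (SYSA, QTDSQL400, QSQ05040, GTW01000, DDMFUNC) and the use of blank-padded ASCII in place of EBCDIC are assumptions of the example.

```python
# (name, offset, length) of the fields of CHARFLD, taken from the PL/I
# declaration above.  REST begins at offset 75 and is CHAR(2000); LUNAME,
# SRVNAME, TYPDEFN and PRDID are the DRDA sub-fields at its start.
FIELDS = (
    ("user", 0, 10), ("app", 10, 10), ("func", 20, 10), ("object", 30, 10),
    ("direct", 40, 10), ("member", 50, 10), ("reserved", 60, 10),
    ("lngth", 70, 5), ("luname", 75, 10), ("srvname", 85, 10),
    ("typdefn", 95, 9), ("prdid", 104, 8),
)
CHARFLD_LEN = 75 + 2000

SQLCNN = "SQLCNN"        # FUNC value of a DRDA connect request (APP = '*DRDA')
ALLOW, DENY = "1", "0"   # RTNCODE values the request handler expects

# Policy inputs.  These are assumptions for the example, not values from the page.
DENIED_USERS = {"ALIEN"}
ALLOWED_PRODUCTS = {"QSQ", "DSN"}  # accept only iSeries and z/OS requesters


def parse_charfld(buf):
    """Split CHARFLD into its fields, stripping the blank padding of CHAR fields."""
    if len(buf) != CHARFLD_LEN:
        raise ValueError("CHARFLD must be %d characters, got %d" % (CHARFLD_LEN, len(buf)))
    return {name: buf[off:off + ln].rstrip() for name, off, ln in FIELDS}


def decode_prdid(prdid):
    """PRDID is pppvvrrm: 3-char product code, version, release, modification level."""
    if len(prdid) != 8:
        return None
    return {"product": prdid[:3], "version": prdid[3:5],
            "release": prdid[5:7], "mod": prdid[7]}


def build_charfld(user, app, func, luname="", srvname="*N", typdefn="", prdid=""):
    """Constructed test input: the blank-padded CHARFLD the server would pass.
    OBJECT, DIRECT and MEMBER are left blank; a DRDA connect call does not use them."""
    rest = "%-10s%-10s%-9s%-8s" % (luname, srvname, typdefn, prdid)
    head = "%-10s%-10s%-10s%-30s%-10s%05d" % (user, app, func, "", "", len(rest))
    return head + rest.ljust(2000)


def legacy_ddm_exit(buf):
    """A DDM-only exit written before DRDA support: anything that is not a DDM
    request is treated as an unknown function and rejected.  This is the kind of
    exit the text warns about; it silently blocks every DRDA connection."""
    f = parse_charfld(buf)
    return ALLOW if f["app"] == "*DDM" else DENY


def drda_exit(buf):
    """Exit decision: keep allowing DDM file I/O, filter DRDA connects by user
    and by client product, and fail closed on anything unexpected."""
    f = parse_charfld(buf)
    if f["app"] == "*DDM":
        return ALLOW
    if f["app"] == "*DRDA" and f["func"] == SQLCNN:
        if f["user"] in DENIED_USERS:
            return DENY
        prd = decode_prdid(f["prdid"])
        if prd is None or prd["product"] not in ALLOWED_PRODUCTS:
            return DENY          # missing or unwanted application requester product
        return ALLOW
    return DENY                  # unknown APP/FUNC combination: deny


if __name__ == "__main__":
    # Constructed sample connect requests; the values are illustrative only.
    alien = build_charfld("ALIEN", "*DRDA", SQLCNN, srvname="SYSA",
                          typdefn="QTDSQL400", prdid="QSQ05040")
    fred = build_charfld("FRED", "*DRDA", SQLCNN, srvname="SYSA",
                         typdefn="QTDSQL400", prdid="QSQ05040")
    for name, req in (("ALIEN/QSQ", alien), ("FRED/QSQ", fred)):
        print(name, "new exit:", drda_exit(req), "legacy exit:", legacy_ddm_exit(req))
```

When porting the policy back to PL/I, keep the CHARFLD declaration from the page and compare blank-padded fields as the example does (FUNC = 'SQLCNN' works because PL/I pads the literal to CHAR(10)); the fail-closed final branch is the part that must be revisited if IBM later adds function codes to the exit interface.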