IBM i

IBM i 

A space for professionals working with IBM’s integrated OS for Power systems to exchange ideas, ask questions, and share expertise on topics like RPG and COBOL development, application modernization, open source integration, system administration, and business continuity.


#Power


#IBMi
 View Only

Don't Just Disable, automate: Why Exit Programs are Your IBM i Security Solution

By Nirmal Khatri posted yesterday

  

Introduction

In the past, securing AS/400 and iSeries systems was straightforward, mainly involving managing user permissions through menus. Today, that approach is no longer enough. The IBM i is now widely connected to other systems, partners, and customers, which introduces new security challenges from modern threats and evolving regulations.

One effective way to enhance system security is by implementing exit points. An exit point is a specific checkpoint in a system process where control is temporarily given to an exit program. This program can monitor or act on the process before it continues.

Many organizations do not use or monitor these features, but since exit programs can access sensitive system information, any misuse or unauthorized access through them is a serious security breach.

    

What are Exit Programs and Exit Points?

An exit program is a special program that temporarily takes control of another program or system process. You can use these to customize how your system works. While you can write your own, some are already built in. To use one, you just call it like any other program.

An exit point is where a system process hands over control to an exit program. Think of it as a checkpoint.

The registration facility acts as a central database for all exit points and programs, making them easy to find and manage. You can use the WRKREGINF (Work with Registration Information) command to view and manage details about exit points and their associated exit programs. An exit point is a specific, predefined hook within a system process created by IBM. A developer can then write a custom exit program and associate it with that exit point. The person who writes the exit program is responsible for ensuring it works correctly and efficiently.

Leveraging exit points for IBM i security

The IBM i operating system allows you to use exit programs to gain precise control over system functions. You can write these programs to apply custom rules based on a variety of system information.

For example, an exit program for an FTP file transfer could control access based on a user's profile, their IP address, or the time of day. It can also log into the activity for auditing. However, developing and managing these programs can be complex and may impact performance if not done correctly.

Many organizations use third-party solutions to simplify this process. These solutions optimize performance and ensure your exit programs are always up to date. They also help IT departments meet compliance rules by separating the duties of security software development and system management.

  

Key Areas for Access Control

While IBM i offers many exit points, these four areas are most frequently used to enhance security and provide granular control over external connections:

·       Controlling Network Access: Network protocols like FTP and ODBC allow direct access to the IBM i database. By using specific exit points for each protocol, you can carefully manage this access and prevent security issues.

·       Controlling Access Through Communication Ports: For protocols like SSH or SFTP, the IBM i offers socket exit points. These allow you to secure connections by defining rules based on the ports or IP addresses being used.

·       Securing Databases with "Open Database File": The IBM i's Open Database File exit point (QIBM_QDB_OPEN) is a powerful tool to secure sensitive data. It is particularly useful against modern open-source access (e.g., Python or JSON). This exit point activates whenever a specified file is opened, adding a crucial layer of control.

·       Command Control Beyond Basic Security: Command-specific exit points offer advanced control over how commands are used. You can create exit programs to precisely limit command use, even for powerful users like *ALLOBJ or *SECADM.

Real-World Examples

·       SFTP/FTP Servers: You can use an exit program to control who can upload/download files, enforce naming rules, and even scan incoming files for malware.

·       Database Connections (ODBC/JDBC): An exit program can restrict specific users to certain tables or rows based on dynamic criteria.

·       Remote Commands (RCMD): You can implement an approval process for all remote command executions, adding a layer of security even for powerful users.

Registering and Removing Exit Programs

To be effective, your exit programs must be registered. You can do this using the WRKREGINF command.

1.    To register an exit program:

·       Open the command-line interface and enter WRKREGINF.

·       Scroll to find the exit point you want to use (e.g., FTP Server Logon).

·       Enter 8 next to the entry and press Enter.

·       On the next screen, enter 1 to add a new exit program.

·       Specify the program’s name and its library.

·       Press Enter to confirm.

·       Finally, end and restart the FTP server for the changes to take effect.

·       Thoroughly test your program to ensure it works correctly.

2.    To remove an exit program:

·       Enter WRKREGINF at the command line.

·       Navigate to the exit point and enter 8 to work with its programs.

·       On the next screen, enter 4 to indicate removal.

·       Specify the program name and library, then press Enter.

·       After removing all necessary programs, stop and restart the server for the changes to be applied.

*Note

·       You must have *SECADM special authority or be authorized by the Registration Facility to perform these tasks.

·       Always test a new or modified exit program in a development or test partition before deploying it to production. A faulty exit program can block legitimate users.

You can query the system catalog views listed below for a clearer list of your system's exit points and registered programs:

Select * FROM QSYS2.EXIT_POINT_INFO; -- This view lists all available exit points on the system.

Select * FROM QSYS2.EXIT_PROGRAM_INFO; -- This view shows all the custom programs currently registered to those exit points.

Security and Performance Considerations

·       Performance Impact: Exit programs run synchronously, the job issuing the database open waits for the exit program to complete. Poorly written exit programs can significantly degrade system performance.

·       Thread Safety Requirement: Exit programs must be thread safe.

·       Recursion Handling: If exit programs perform database operations themselves, they must handle recursion to avoid infinite loops.

·       Security of Exit Programs: Exit programs themselves should be secured with object-level authority using USRPRF(*OWNER) to prevent circumvention.

Conclusion

In today's interconnected world, IBM i continues to prove its adaptability. Exit programs are a vital part of this, providing the advanced features and precise control needed to manage external connections securely. By leveraging these unsung heroes, we can unlock the full potential of IBM i, ensuring both robust security and seamless integration. Don't overlook the significance of exit programs—they are often the key to truly maximizing your IBM i investment.

0 comments
12 views

Permalink

https://community.ibm.com/community/user/blogs/nirmal-khatri/2025/10/08/dont-just-disable-automate-why-exit-programs-are-y