
The Unsung Heroes: Why Exit Programs are Crucial for External Connections to IBM i

Are you truly in control of who accesses your IBM i data – how, and when – through external connections?

If not, then let us help you unlock a new dimension of security and control for your IBM i’s external connections.

Introduction

In the past, securing AS/400 and iSeries systems primarily involved managing user permissions through menus. Today, that is no longer enough. IBM i systems are now widely open, communicating with other systems, partners, and customers, which makes security a significant challenge due to new threats and evolving regulations.

To boost security, exit points are key. Whenever certain system tasks occur, IBM i lets you run your own custom programs at that point: they can monitor the task or act on it, and then the original task continues. Many shops neither use nor monitor exit points, yet because exit programs can access system information, any misuse of them, or any unauthorized access through them, is a serious security breach.

Exit Programs

An exit program is a program that takes over from another program, whether it is an application you are using or a system program. You can use these exit programs to customize how things work to fit your specific needs.

Usually, people write their own exit programs. However, a few are already built into the system, like some for the Operational Assistant.

To use an exit program, you simply call it like any other program. There are no special requirements for calling one.

Exit Points

An exit point is a specific place in a system process or program where control is temporarily given to one or more special programs called exit programs. These exit programs then perform a specific task.

The registration facility acts like a central database. It stores details about all exit points (both IBM-supplied and user-defined) and exit programs, allowing you to easily identify any that exist within your system.

To manage this information, you can use APIs (Application Programming Interfaces) to view and edit the information in the registration facility. These allow you to register new exit points, remove old ones, add or remove exit programs, and get information about them. Another way to do this is by using the Work with Registration Information (WRKREGINF) command.

Finally, whoever creates an exit point (the exit point provider) is responsible for setting up all the necessary information for it, deciding how the exit program will receive data, and making sure the exit program runs when needed.

Leveraging Exit Points for IBM i Security

The IBM i operating system lets you use exit programs to gain precise control over system functions. As stated earlier, you can write these programs to apply custom rules based on OS information.

For instance, an exit program for FTP could control file transfers based on user profiles, IP addresses, or time, and even record activity for auditing. However, developing and managing these programs can be complex and impact system performance if not done right.

Third-party solutions simplify this process, optimize performance, and ensure your exit programs stay updated. They also help IT departments meet compliance rules by enabling a crucial separation of duties between security software development and system management.

Methods for Access Control

While IBM i offers many exit points, these four areas are most frequently leveraged to enhance security and provide granular control over external connections:

  • Controlling Network Access

Network protocols like FTP, ODBC, and others allow direct database access to IBM i. Despite its convenience, this access needs to be controlled carefully. Network access can be managed, and security issues prevented, by using the exit points specific to each protocol.

  • Controlling Access Through Communication Ports

Even when protocols like SSH or SFTP lack protocol-specific exit points of their own, IBM i offers socket exit points. These allow you to secure connections by defining rules based on the ports and/or IP addresses involved, giving you a vital layer of access control.

  • Securing Databases with “Open Database File”

IBM i’s Open Database File exit point is a powerful tool to secure sensitive data. It is especially useful against open-source access methods (such as JSON-based or Python clients) that lack built-in security. This exit point activates whenever a specified file (physical file, logical file, or SQL table/view) is opened, providing a crucial layer of control.

  • Command Control Beyond Basic Security

In the Commands area, command-specific exit points offer advanced control over how commands are used, going beyond basic user profiles or file permissions. You can create exit programs to precisely limit command use, even for users with powerful special authorities such as *ALLOBJ or *SECADM.

Registering Exit Programs

To ensure the effectiveness of your exit programs, you must register them before they can take effect. The registration process can be completed using the Work with Registration Information (WRKREGINF) command; the steps below use the FTP Server Logon exit point on your IBM i FTP server as the example.

To register your exit programs, you can follow these steps:

  • Open the character-based interface and enter the command WRKREGINF.
  • Navigate to the FTP Server Logon exit point by scrolling down the page.
  • Enter 8 in the opt field to the left of the exit point entry and press Enter.
  • On the Work with Exit Programs display, select option 1 to add a new exit program.
  • Specify the name of the exit program in the Exit Program field.
  • Provide the name of the library that contains the exit program in the library field.
  • Press Enter to confirm the registration.
  • For exit programs used by all instances of the FTP server, it is necessary to end and restart the FTP server.
  • Thoroughly test your exit programs to ensure they function as intended.

By following these steps, you will be able to successfully register your exit programs on your IBM i FTP server.

Removing Exit Programs

To remove an installed exit program, you can follow these steps:

  • Open the registration information display by entering WRKREGINF at a command line.
  • Page down until you find the FTP Server Logon exit point, then:
    1. To the left of the exit point entry, enter 8 in the opt field and press Enter.
    2. On the Work with Exit Programs display, enter 4 to indicate removal.
  • Enter the name of the exit program in the Exit Program field.
  • Enter the name of the library that contains the exit program in the library field.
  • Press Enter to proceed.
  • Once you have finished removing all the exit programs, it is necessary to stop and restart the FTP server.

For comprehensive information about exit points and exit programs, including the exit point data, you can refer to the following SQL Views available in IBM i 7.4 TR3 and 7.3 TR9:

  • EXIT_POINT_INFO: This view lists all the exit points and provides detailed information about them.
  • EXIT_PROGRAM_INFO: This view lists all registered exit programs and provides information about them, including the data of the exit point each one is registered on.

To access this information, you can execute the following SQL queries:

SELECT * FROM QSYS2.EXIT_POINT_INFO;

SELECT * FROM QSYS2.EXIT_PROGRAM_INFO;
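As an added example (not code from the original article), the following Python script audits the output of the EXIT_PROGRAM_INFO query above after it has been exported as CSV: it reports which of the exit points discussed in this article have no exit program registered, and which registered programs live outside an approved library. The exit point names are the IBM-documented ones; the trusted library SECLIB and the sample rows are constructed.

```python
import csv
import io

# Exit points the article singles out for controlling external connections,
# keyed by the IBM-documented exit point name.
CRITICAL_EXIT_POINTS = {
    "QIBM_QTMF_SVR_LOGON": "FTP server logon",
    "QIBM_QTMF_SERVER_REQ": "FTP server request",
    "QIBM_QSO_ACCEPT": "Socket accept",
    "QIBM_QDB_OPEN": "Open database file",
    "QIBM_QZRC_RMT": "Remote command",
    "QIBM_QZDA_INIT": "Database server (ODBC/JDBC) initialization",
}

# Hypothetical: the only library that is allowed to hold exit programs.
TRUSTED_LIBRARIES = {"SECLIB"}

# Constructed sample of four columns exported from QSYS2.EXIT_PROGRAM_INFO.
SAMPLE_CSV = """EXIT_POINT_NAME,EXIT_POINT_FORMAT,EXIT_PROGRAM_LIBRARY,EXIT_PROGRAM
QIBM_QTMF_SVR_LOGON,TCPL0100,SECLIB,FTPLOGON
QIBM_QTMF_SERVER_REQ,VLRQ0100,SECLIB,FTPREQ
QIBM_QDB_OPEN,DBOP0100,QTEMP,DBOPENX
QIBM_QZRC_RMT,CZRC0100,SECLIB,RMTCMD
"""


def parse_rows(csv_text):
    """Return the exported rows as a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit(rows, critical=CRITICAL_EXIT_POINTS, trusted=TRUSTED_LIBRARIES):
    """Find critical exit points with no program, and programs outside trusted libraries."""
    covered = {r["EXIT_POINT_NAME"].strip() for r in rows}
    uncovered = sorted(name for name in critical if name not in covered)
    untrusted = [
        (r["EXIT_POINT_NAME"].strip(), r["EXIT_PROGRAM_LIBRARY"].strip(), r["EXIT_PROGRAM"].strip())
        for r in rows
        if r["EXIT_PROGRAM_LIBRARY"].strip() not in trusted
    ]
    return {"uncovered": uncovered, "untrusted": untrusted}


if __name__ == "__main__":
    report = audit(parse_rows(SAMPLE_CSV))
    for name in report["uncovered"]:
        print(f"NO EXIT PROGRAM: {name} ({CRITICAL_EXIT_POINTS[name]})")
    for point, lib, pgm in report["untrusted"]:
        print(f"UNTRUSTED LIBRARY: {lib}/{pgm} registered on {point}")
```

Run the same audit against a CSV exported from your own system to see which of these exit points are still unprotected.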

Real-World Examples

  • API Gateways: When IBM i services are exposed via APIs, exit programs can function as an API gateway, enforcing authentication, authorization, rate limiting, and data transformation for every API call.
  • SFTP/FTP Servers: Used for controlling who can upload/download files, enforcing naming conventions, and scanning for malware on incoming files.
  • Database Connections (ODBC/JDBC): Used for restricting specific users or applications to certain tables – or even rows – based on dynamic criteria.
  • Remote Commands (RCMD): Can be used for implementing a robust approval process for all remote command executions.

Conclusion

In an increasingly interconnected world, the IBM i platform continues to prove its adaptability and resilience. Exit programs are a vital component of this, providing the extended features and granular control necessary to manage external connections securely and efficiently. By leveraging these unsung heroes, organizations can unlock the full potential of their IBM i, ensuring both robust security and seamless integration with their broader IT landscape. Do not overlook the significance of exit programs – they are often the key to truly maximizing your IT investments.
