Using security exit programs

Some system functions provide an exit so that your system can run a user-created program to perform additional checking and validation. For example, you can set up your system to run an exit program every time that someone attempts to open a distributed data management (DDM) file on your system.

Sources of sample exit programs

You can use the registration function to specify exit programs that run under certain conditions. The Sources of sample exit programs table provides a list of these exit programs and sources for example programs.

Table 1. Sources of Sample Exit Programs

Type of exit programs	Purpose	Where to find examples
Password validation	The QPWDVLDPGM system value can specify a program name or indicate that validation programs registered for the QIBM_QSY_VLD_PASSWRD exit point be used to check a new password for additional requirements that are not handled by the QPWDxxx system values. The use of this program should be carefully monitored because it receives unencrypted passwords. This program should not store passwords in a file or pass them to another program.	An Implementation Guide for iSeries Security and Auditing, GG24–4200 Security reference
PC Support/400 or Client Access access	You can specify this program name in the Client request access (PCSACC) parameter of the network attributes to control: Virtual printer function File transfer function or Shared folders Type 2 function Client access message function Data queues Remote SQL function	An Implementation Guide for iSeries Security and Auditing, GG24–4200
Distributed Data Management (DDM) access	You can specify this program name in the DDM request access (DDMACC) parameter of the network attributes to control the following functions: Shared folders Type 0 and 1 function Submit Remote Command function	An Implementation Guide for iSeries Security and Auditing, GG24–4200
Remote sign on	You can specify a program in the QRMTSIGN system value to control what users can be automatically signed on from which locations (pass-through.)	An Implementation Guide for iSeries Security and Auditing, GG24–4200
Open Database Connectivity (ODBC) with IBM i Access. See IBM i Access ODBC.	Control these functions of ODBC: Whether ODBC is allowed at all. What functions are allowed for IBM i database files. What SQL statements are allowed. What information can be retrieved about database server objects. What SQL catalog functions are allowed.	None available
QSYSMSG break handling program	You can create a program to monitor the QSYSMSG message queue and take appropriate action (such as notifying the security administrator) depending on the type of message.	An Implementation Guide for iSeries Security and Auditing, GG24–4200
TCP/IP	Several TCP/IP servers (such as FTP, TFTP, TELNET, and REXEC) provide exit points. You can add exit programs to handle log-on and to validate user requests, such as requests to get or put a specific file. You can also use these exits to provide anonymous FTP on your system.	TCP/IP User Exits in the Application programming interfaces topic collections.
User profile changes	You can create exit programs for these user profile commands: CHGUSRPRF CRTUSRPRF DLTUSRPRF RSTUSRPRF	Security reference TCP/IP User Exits in the Application programming interfaces topic collections.