3 Ways to Manage IBM i Exit Programs
Doug Demagistris

An IBM i exit point is a specific area in a native IBM i operating system function where control can be passed to custom-written exit programs. These programs provide additional user-defined processing for system requests (figure 1). Each exit point has one or more exit point formats that describe the input and output parameters required when running an exit program.
 
Exit points/exit point formats allow developers to insert customized code (exit programs) that runs whenever an IBM i system function is invoked.  
Figure 1: How Exit Point Programs Work

IBM i exit programs are commonly used to provide firewall-like capabilities that control user access to functions such as FTP, IFS updates, SQL, file transfer, ODBC, log-ins, and more. Many vendor solutions use exit point programming to enhance IBM i security for user access control items.
Three ways to manage IBM i exit programs 
There are three ways you can attach IBM i exit programs to an exit point/exit point format. Two of these methods use native IBM i capabilities provided with the operating system, while the third method uses third-party vendor solutions. 
IBM 5250 green-screen commands (native method) 
The Exit Program function in IBM Navigator for i (native method)
IBM i exit point managers such as iSecurity Firewall (third-party vendor solution) 
Here’s how each method can be used to attach exit programs to an exit point and view IBM i exit point statuses.  
Native versus third-party exit program management 
Native exit programming methods use “do it yourself” techniques that have been available since the mid-1990s and require scarce developer resources to implement. They require you to research, create, and assign DIY exit programs to an exit point/exit point format combination. Native methods lack security reporting and monitoring, have limited testing capabilities, and require ongoing maintenance.
 
Third-party exit point managers abstract and automate exit program implementation. They provide capabilities that are not available in native IBM i methods, including firewall-like functionality to manage and report on user access. They can also perform simulation testing before going live and have monitoring and alert capabilities.  
 
Third-party exit point solutions can be implemented by administrators and security personnel, while native methods require programming support. Evaluate all three methods when considering how to create and manage exit point programming on your systems.  
 
Further reading: Protecting IBM i Access with Custom Written Exit Point Programs…Or Not 
IBM 5250 green-screen commands (native method) 
There are three native IBM i commands that can be used to assign or remove exit programs for a specific exit point/exit format. 
Work with Registration Facility (WRKREGINF): View and manage all or a subset of your IBM i exit points 
Add Exit Program (ADDEXITPGM): Add an exit program to a specific exit point/exit point format 
Remove Exit Program (RMVEXITPGM): Remove an exit program from a specific exit point/exit point format 
Using these commands can be a little kludgy, and you have to know exactly which exit point and exit point format you’re dealing with. Note that for auditing purposes, there is no green-screen option to produce a listing of all exit programs associated with your exit points. There are also no monitoring, notification, or reporting capabilities for exit point usage.
 
The WRKREGINF command displays all available exit points on your system, as shown here. 

Inside this screen, you can take option 8=Work with Exit Programs to view and assign exit programs to a specific exit point/exit point format. Because multiple exit programs can be attached to a single exit point/exit point format, each exit program entry must contain a program number that will be used to sequence program execution when the exit point is invoked.  
 
You can also attach an exit program to a specific exit point/exit point format by using the ADDEXITPGM command and pressing the F4 key. This will show the Add Exit Program screen shown here. Enter the exit point, exit point format, program number, exit program name and library, and press ENTER to attach an exit program to your exit point/exit point format. 

Conversely, you can remove an exit program from an exit point/exit point format combination by using the RMVEXITPGM command. You only need to enter the exit point, the exit point format, and the program number to remove an exit program.  

The Exit Program function in IBM Navigator for i (native method) 
You can use the Exit Program function in IBM Navigator for i to graphically manage exit programs. Inside your browser, select the System and Exit Program option under the IBM Navigator for i tree to view this display.  

The Exit Program screen displays the exit program information associated with all IBM i exit point/exit format combinations. Right click on any exit point/exit format and you’ll be able to add or remove an exit program. You can also filter for specific exit points and formats. Like the 5250 commands, there is no option to produce an inventory list of all exit programs associated with your exit points and there is no auditing, reporting, or notification capability for exit point activity.  
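Both native methods leave the exit program inventory and change tracking to you. One way to audit it, shown here as an added example that is not part of the original article, is to compare a current export of registered exit programs against an approved baseline, keyed on the same exit point, exit point format, and program number that the commands above use. The CSV layout, library names, and program names are constructed for illustration.

```python
import csv
import io

# Constructed sample data. The CSV layout (one row per registered exit
# program) and the library/program names are assumptions for illustration.
BASELINE_CSV = """exit_point,format,pgm_number,library,program
QIBM_QTMF_SERVER_REQ,VLRQ0100,1,SECLIB,FTPCHK
QIBM_QZDA_SQL1,ZDAQ0100,1,SECLIB,SQLCHK
QIBM_QPWFS_FILE_SERV,PWFS0100,1,SECLIB,IFSCHK
"""
CURRENT_CSV = """exit_point,format,pgm_number,library,program
QIBM_QTMF_SERVER_REQ,VLRQ0100,1,QGPL,FTPCHK
QIBM_QZDA_SQL1,ZDAQ0100,1,SECLIB,SQLCHK
QIBM_QZDA_SQL1,ZDAQ0100,2,TESTLIB,SQLLOG
"""


def load_inventory(text):
    """Map (exit point, format, program number) -> 'LIBRARY/PROGRAM'."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(text)):
        slot = (row["exit_point"].strip().upper(),
                row["format"].strip().upper(),
                int(row["pgm_number"]))
        if slot in inventory:
            # A program number is unique within an exit point/format pair.
            raise ValueError(f"duplicate registration slot: {slot}")
        library = row["library"].strip().upper()
        program = row["program"].strip().upper()
        inventory[slot] = f"{library}/{program}"
    return inventory


def diff_inventories(baseline, current):
    """Compare two inventories; return added, removed and changed slots."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted((s, current[s]) for s in current.keys() - baseline.keys()),
        "removed": sorted((s, baseline[s]) for s in baseline.keys() - current.keys()),
        "changed": sorted((s, baseline[s], current[s])
                          for s in shared if baseline[s] != current[s]),
    }


if __name__ == "__main__":
    drift = diff_inventories(load_inventory(BASELINE_CSV),
                             load_inventory(CURRENT_CSV))
    for kind, entries in drift.items():
        for entry in entries:
            print(kind.upper(), *entry)
```

A "changed" entry, where the same slot now resolves to a program in a different library, deserves the same scrutiny as an unexpected addition, and a "removed" entry means an access control that used to run no longer does.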
IBM i exit point managers (third-party vendor solutions) 
Third-party exit point management solutions take a different approach to exit programming. Rather than explicitly creating and assigning DIY exit programs to exit points, they abstract and automate exit point management through a 5250 or Web user interface.  
 
Third-party exit point managers such as iSecurity Firewall provide capabilities that aren’t available with native methods (figure 2). They work with IBM i exit points behind the scenes to provide the same sort of capabilities you would find in an enterprise firewall, including: 
Providing security access rules to protect IBM i databases and to secure user access 
IP filtering, port restrictions, rule wizards, and other capabilities for preventing unauthorized access 
Simulation modes where you can test access rules without affecting production 
Intrusion prevention modes 
Automated monitoring when security events occur 
Logging inbound and outbound user activity for popular access methods including FTP, ODBC, and File Transfer 
Access logs and reporting for auditing, security, and compliance 
Figure 2: Third-party solutions abstract and automate exit point management

IBM i Exit Programming and Beyond
From simple IBM i commands to sophisticated exit point managers offering firewall capabilities, there are several different ways that you can use IBM i exit programs to protect your system from unauthorized access. Please contact SEA if you’d like to learn more about using exit programs to secure and keep your IBM i servers in compliance.
