Prestart Server Jobs and Exit Programs
Securing IBM i is essential and it’s important to understand how to control access to your system with prestart server jobs
Securing IBM i is essential and it’s important you understand how to control access to your system with prestart server jobs. Prestart server jobs allow users to connect over the network and you must have a plan in place to ensure you don’t allow unintended or unrestricted access to the system. You also need to ensure you do not allow users to access data in unintended ways. Accessing the system through the network can potentially allow authorized users the ability to access and manipulate information in ways they could not do through a traditional 5250 application. For example, accessing the system through the database server, file server, and remote command server can allow remote users to do such things as edit, copy, or delete data by directly accessing files or other objects.
IBM i provides many exit points where your program (the “exit program”) can get invoked to take additional action. In the case of prestart server jobs, these exit points provide a way to perform additional validation to determine what actions are allowed for the user accessing the system
All Host Server prestart jobs support exit programs that can be used to check who is accessing the system and limit their access appropriately. In addition, the SQL Server Mode CLI Connection has an exit program, as does the DDM/DRDA server. For the DDM/DRDA server, it’s not part of the registration information; rather, you specify your exit program on the DDMACC parameter on the CHGNETA command. For all of these servers, the exit program is passed parameters, which vary depending upon the type of the prestart server job. Your exit program can review the information and determine whether access should be allowed or denied.
The full capabilities of these exit programs are very extensive and writing your own exit programs can be a lot of work. There are a number of third-party security solutions that provide exit point protection. If you are not protecting access to your system with these exit programs, you need to.
It should be noted that the considerations discussed here also apply to other types of network access, such as FTP.