Prestart Server Jobs and Exit Programs
Securing IBM i is essential and it’s important to understand how to control access to your system with prestart server jobs.
By Dawn May, 04/02/2019
IBM i provides many exit points where your program (the “exit program”) can be invoked to take additional action. In the case of prestart server jobs, these exit points provide a way to perform additional validation to determine what actions are allowed for the user accessing the system.
All Host Server prestart jobs support exit programs that can be used to check who is accessing the system and limit their access appropriately. In addition, the SQL Server Mode CLI Connection has an exit program, as does the DDM/DRDA server. For the DDM/DRDA server, the exit program is not part of the registration information; rather, you specify it on the DDMACC parameter of the CHGNETA command. For all of these servers, the exit program is passed parameters, which vary depending upon the type of the prestart server job. Your exit program can review the information and determine whether access should be allowed or denied.
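As an added illustration (not code from the original article), here is a minimal CL exit program that reviews the passed parameters and allows or denies the request, rejecting on any unexpected error. It assumes the two-parameter host server interface (a CHAR(1) return code where '1' accepts and '0' rejects, followed by a request structure that begins with the user profile and server identifier); the NETACCESS group profile and the two rules are a constructed sample policy.

```cl
/* Added example: exit program for a host server exit point.          */
/* Assumes parameter 1 is a CHAR(1) return code and parameter 2 is a  */
/* request structure starting with user profile CHAR(10) followed by  */
/* server identifier CHAR(10). Group NETACCESS is hypothetical.       */
             PGM        PARM(&STATUS &REQUEST)
             DCL        VAR(&STATUS)  TYPE(*CHAR) LEN(1)
             DCL        VAR(&REQUEST) TYPE(*CHAR) LEN(20)
             DCL        VAR(&USER)    TYPE(*CHAR) LEN(10)
             DCL        VAR(&SERVER)  TYPE(*CHAR) LEN(10)
             DCL        VAR(&GRPPRF)  TYPE(*CHAR) LEN(10)
             DCL        VAR(&TEXT)    TYPE(*CHAR) LEN(80)

             /* Any unexpected error rejects the request (fail closed) */
             MONMSG     MSGID(CPF0000 MCH0000) EXEC(GOTO CMDLBL(DENY))

             /* Only the first 20 bytes of the request are examined    */
             CHGVAR     VAR(&USER)   VALUE(%SST(&REQUEST 1 10))
             CHGVAR     VAR(&SERVER) VALUE(%SST(&REQUEST 11 10))

             /* Sample rule 1: Q* (IBM-supplied) profiles are rejected */
             IF         COND(%SST(&USER 1 1) *EQ 'Q') THEN(GOTO +
                          CMDLBL(DENY))

             /* Sample rule 2: only members of group NETACCESS pass.   */
             /* A missing profile raises an error, which also denies.  */
             RTVUSRPRF  USRPRF(&USER) GRPPRF(&GRPPRF)
             IF         COND(&GRPPRF *NE 'NETACCESS') THEN(GOTO +
                          CMDLBL(DENY))

             CHGVAR     VAR(&STATUS) VALUE('1')   /* allow  */
             RETURN

 DENY:       CHGVAR     VAR(&STATUS) VALUE('0')   /* reject */
             CHGVAR     VAR(&TEXT) VALUE('Exit program rejected' *BCAT +
                          &USER *BCAT 'on server' *BCAT &SERVER)
             SNDPGMMSG  MSG(&TEXT) TOMSGQ(*SYSOPR)
             MONMSG     MSGID(CPF0000) /* a logging failure must not loop */
             ENDPGM
```

The fields after the first 20 bytes differ by server, so a real exit program declares the full format documented for the exit point it is attached to.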
The full capabilities of these exit programs are very extensive and writing your own exit programs can be a lot of work. There are a number of third-party security solutions that provide exit point protection. If you are not protecting access to your system with these exit programs, you need to.
It should be noted that the considerations discussed here also apply to other types of network access, such as FTP.
Dawn May is an IBM i consultant. She owns Dawn May Consulting, LLC in the Greater Boston area. Dawn is a former IBM senior technical staff member.