filter access to As400 with exit point


  • filter access to As400 with exit point

    Hi all

    I would like to filter access via FTP, ODBC, JDBC and Operations Navigator to AS400 with exit points; could someone help me with a link where I can find which exits I have to activate, and where I can find exit program examples?

    Thanks in advance

  • #2
    Re: filter access to As400 with exit point

    There are so many examples in Google. You might want to think about purchasing one versus the time needed to get this done. I have used Bsafe and it's a great bang for the buck. It allows you to control access by more than just the connection. For example, say you have a user run a SQL statement in ADO or what not. You can allow them to run this but no other variations of the string.
    Hunting down the future ms. Ex DeadManWalks. *certain restrictions apply



    • #3
      Re: filter access to As400 with exit point

      I'm assuming by OpsNav you mean the IBMi Windows client. Controlling the available functionality of OpsNav is a policy decision of what you install.

      If database access via the "Run a SQL Script" app is what you intend to filter, the database exit points will be triggered - it connects using JDBC.

      I'd suggest using Google to search for examples; plenty of links come up when I do.

      FTP links

      My programmers keep setting up automatic FTP downloads from the network using the wrong user profile. For security reasons, they are only supposed to use a special FTP download user profile, but they keep using their own profiles and I have no way to stop this. How can I lock down FTP so that they


      database (ODBC,JDBC) links



      The System i platform has a powerful operating system, i5/OS. One example of that power is the fact that developers can tap into many features of the OS within homegrown applications by using the provided Application Programming Interfaces (APIs). Further, developers are allowed, via exit points, to create exit programs that interact with the system



      • #4
        Re: filter access to As400 with exit point

        I posted some FTP exit programs for FTP to the midrange mailing list (http://archive.midrange.com/midrange.../msg00452.html); of course you'd have to make some minor tweaks for your shop. I also have some for the SQL, etc. if you would want copies, but it may take me a while to actually get them posted as I have tons of meetings, etc. today.
        I'm not anti-social, I just don't like people -Tommy Holden



        • #5
          Re: filter access to As400 with exit point

          OK, I created a V5R4 save file with the objects & source code for all common exit points (ODBC/JDBC, FTP, etc.). To restore, use RSTLIB EXITPGMSV *SAVF SAVF(whateverlib/whateversavefile). If you don't know how to FTP a save file to your system, you can either search these forums for many posts that explain the process OR Google it....
          Attached Files
          I'm not anti-social, I just don't like people -Tommy Holden



          • #6
            Re: filter access to As400 with exit point

            "Operations navigator" is a rather broad statement.
            I'll assume you are wishing to control what people can access through the interface. If that's the case, have a look at Application Administration (right click on the system name).



            • #7
              Re: filter access to As400 with exit point

              Originally posted by tomholden
              OK, I created a V5R4 save file with the objects & source code for all common exit points (ODBC/JDBC, FTP, etc.). To restore, use RSTLIB EXITPGMSV *SAVF SAVF(whateverlib/whateversavefile). If you don't know how to FTP a save file to your system, you can either search these forums for many posts that explain the process OR Google it....
              Hi Tom, thanks for your reply / code; I have tried to install your program and I have applied the ODBCLOGIN exit. After this I was no longer able to access with Operations Navigator. Then I tried to add my user with the MNTODBCUSR cmd, but I was still not able to connect. So I eliminated the exit from QIBM_QZDA_INIT with WRKREGINF and now NOBODY is able to connect with Client Access / Operations Navigator ?? !!!!

              When I try to connect I receive the error "CWBSY1008 - 408".
              I have checked the QUSER profile and it seems to be OK.
              If I go to WRKACTJOB QSYSWRK QZSOSGND I see:
              CPIAD07

              Message. . . : Verified error of the server of the host with code of
              error 5.

              5--the start of the job of the server of the host has had negative result.

              Can you help me ??
              Thanks in advance



              • #8
                Re: filter access to As400 with exit point

                Hi Tom

                I have restored the QYSMSVRE obj from backup, and now the users are able to connect to AS400; now I have this problem: if I try to open the database from Operations Navigator I receive the error:
                "error of initialization list
                is non valid cursor"

                Other users don't have this problem !!

                If you could help me, I would be grateful



                • #9
                  Re: filter access to As400 with exit point

                  Did you add your libraries to the LIBLIST table? The exit program library must be in the library list in order to avoid problems.

                  Also, this is the list of exit points:
                  Code:
                  Exit point:   QIBM_QTMF_SERVER_REQ     Format:   VLRQ0100 - exit program: FTPEXIT
                  Exit point:   QIBM_QTMF_SVR_LOGON      Format:   TCPL0200 - exit program: FTPLOGIN
                  Exit point:   QIBM_QZDA_INIT           Format:   ZDAI0100 - exit program: ODBCLOGIN
                  Exit point:   QIBM_QZDA_SQL1           Format:   ZDAQ0100 - exit program: SQL1EXIT
                  Exit point:   QIBM_QZDA_SQL2           Format:   ZDAQ0200 - exit program: SQL2EXIT
                  The exit point programs do not replace or modify any IBM programs, etc., so there shouldn't have been any need to restore any objects; simply remove the exit point programs.
                  Last edited by tomholden; September 8, 2014, 09:45 AM.
                  I'm not anti-social, I just don't like people -Tommy Holden



                  • #10
                    Re: filter access to As400 with exit point

                    The programs can't simply be restored and applied to exit points and then be expected to work. Steps need to be taken to prepare for them. The programs should be applied to exit points during off-hours when testing can be done without disturbing normal processing. If you have a test LPAR or second test system, do the work there instead of on a production environment. Keep notes of the testing steps so you know what to do for production.

                    Assuming that everything was restored into library EXITPGMSV, first thing that should be done after RSTLIB is to change ownership of the EXITPGMSV library and of all objects in that library from QDFTOWN to some other profile. QDFTOWN should not own anything after this first piece is done. Probably best would be to create a new *USRPRF with no special authorities and give ownership to that profile. (If the restore was to a different library name, then change them wherever they are.)

                    Next, ensure QUSER has *USE authority to the library and the objects. (If the server jobs run under a different profile than QUSER, then set *USE for that profile.) *PUBLIC can need *USE authority also. Check QAUDJRN for AF (Authority Failure) entries. If any user profiles other than QUSER (or your server jobs profile) show AF entries, the objects noted in the audit journal entries will be the ones where *PUBLIC *USE is needed.

                    You might create one or two *AUTLs, one for data objects and one for other objects. Assign all authorities through the *AUTLs once that's done.

                    Note that the database *FILE objects might need *CHANGE authority. If you recompile and recreate the *PGM and *SRVPGM objects, you can create them as USRPRF(*OWNER) and give *CHANGE authority to the program and service program owner profile. That can help avoid giving *PUBLIC any authority to the files. Use the system audit journal to verify your testing. Don't apply the objects during normal work hours until the audit journal shows that your testing is done.

                    Also note that logic changes might be needed. For example, you might not want the library lists being manipulated in the way that the programs are coded to do it. That part might need to be disabled or modified. It's almost certain that you'll want to change nearly all of the hard-coded profile names in different parts of the code.

                    Bear in mind that these are examples of how to code exit programs. They might not work for you in your environment. You might even need system PTFs before they work at all.

                    Finally, for the QYSMSVRE *USRIDX object, a restore can work; but it probably shouldn't be restored. Simply delete it when problems show up with it, and it will be recreated the first time it's needed again. A restore can put the object back to an older version that's no longer valid or might simply restore a damaged version. As long as it's working now, it's likely that nothing more needs to be done. A Google search for [ QYSMSVRE site:ibm.com ] will bring up various IBM documents describing related actions for the object.

                    One or more types of problems with system access through OpsNav or iNav can be resolved by deleting QYSMSVRE. It's not a cure for everything, but it sometimes saves a lot of searching. I don't know of circumstances where deleting it when access problems are happening causes additional trouble.
                    Tom

                    There are only two hard things in Computer Science: cache invalidation, naming things and off-by-one errors.

                    Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
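
The preparation steps from post #10, followed by registering one exit program from the list in post #9 with its back-out, written as a CL sketch. This is an added example, not code from the save file or from any poster: EXITOWN is a hypothetical owner profile, QUSER is assumed to be the server job profile, and AF entries appear only if the QAUDLVL system value includes *AUTFAIL.

```cl
/* Added example. EXITOWN is a hypothetical profile name; the library,  */
/* exit point, format and program names come from posts #9 and #10.     */
PGM

/* 1. Owner profile with no special authorities and no sign-on          */
CRTUSRPRF USRPRF(EXITOWN) PASSWORD(*NONE) USRCLS(*USER) +
          SPCAUT(*NONE) INLMNU(*SIGNOFF) +
          TEXT('Owner of exit program objects')

/* 2. Move the library and every object in it away from QDFTOWN         */
CHGOBJOWN OBJ(QSYS/EXITPGMSV) OBJTYPE(*LIB) NEWOWN(EXITOWN) +
          CUROWNAUT(*REVOKE)
CHGOWN    OBJ('/QSYS.LIB/EXITPGMSV.LIB/*') NEWOWN(EXITOWN)

/* 3. The server job profile needs *USE to the library and its objects. */
/*    *PUBLIC is not granted here; add it only for objects that show    */
/*    AF entries for other profiles in step 5.                          */
GRTOBJAUT OBJ(QSYS/EXITPGMSV) OBJTYPE(*LIB) USER(QUSER) AUT(*USE)
GRTOBJAUT OBJ(EXITPGMSV/*ALL) OBJTYPE(*ALL) USER(QUSER) AUT(*USE)

/* 4. Register one exit program at a time, off-hours or on a test LPAR  */
ADDEXITPGM EXITPNT(QIBM_QZDA_INIT) FORMAT(ZDAI0100) PGMNBR(1) +
           PGM(EXITPGMSV/ODBCLOGIN) +
           TEXT('ODBC/JDBC sign-on filter - under test')

/* 5. After the test connections, print authority failures (AF) from    */
/*    the audit journal; CPF7062 means no entries were found.           */
DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURRENT) JRNCDE((T)) ENTTYP(AF) +
       OUTPUT(*PRINT)
MONMSG MSGID(CPF7062)

/* Back-out if connections fail: deregister the program. No IBM object  */
/* is replaced by the registration, so nothing needs to be restored.    */
/* RMVEXITPGM EXITPNT(QIBM_QZDA_INIT) FORMAT(ZDAI0100) PGMNBR(1)        */

ENDPGM
```

Recording the RMVEXITPGM line with the same EXITPNT, FORMAT and PGMNBR as the ADDEXITPGM before testing gives a known way back if server jobs start failing.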

