Exit points and exit programs
To understand these terms, it is best to start with exit program, because it made its way into the AS/400 world many years ago. You may be familiar with it if you have worked with the DDMACC (DDM access) or the PCSACC (PC Support/Client Access) parameters of your network attributes or your QRMTSIGN system value. These parameters/system values allow you to specify programs that are called by the system before certain types of remote access are granted. Programs so specified were and are called exit programs, and some older manuals have been using this term for over a decade.
Now let's look at the term exit point. One definition of exit point, and the one IBM uses, is a "label" onto which an exit program can be attached. Examples of such labels are the previously discussed DDMACC, PCSACC, and QRMTSIGN. But the label itself is only part of an exit point. The other, and more important, part is defining when the exit programs that are attached to an exit point "label" are called, that is, what event(s) triggers them. (Speaking of triggers, a trigger is a type of exit point and a trigger program is a type of exit program. However, they are not clumped in with exit points and exit programs because they are not registered using the system registration facility.)
Take the PCSACC exit point, for example. The "label" is PCSACC, but what we really need to know is when, why, and how the program specified for it is called. The answer in this case is that the program specified on the PCSACC parameter is called every time a request is received from a Client Access (once known as PC Support) client. Requests come in the form of file transfer requests, data queue requests, virtual print requests, and the like.
In summary, an exit point is some pre-defined point in a piece of software where an optional exit program is called to perform some kind of user-defined function, the constraints of which are usually dictated by the exit point.
How to use exit programs
The function of an exit program is tied to the exit point to which it is attached. That is, the "when, why, and how" the exit program is called dictates, to a certain degree, the function of the exit program.
Again, take the PCSACC exit point, for example. The associated exit program is called every time a Client Access request is received from a PC. The exit program receives two parameters: one contains information about the incoming Client Access request, and the other is a 1-byte field that the exit program can use to either accept or reject the request ('1' = accept, '0' or anything else = reject). The "when" (before a request is processed) and the "how" (with the two parameters described) give us a clear indication that the main purpose of a PCSACC exit program is security: deciding whether or not to allow a certain user access to a particular Client Access function and/or particular objects on the AS/400-iSeries.
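An added example, not from the original article: the accept/reject decision such an exit program makes, written in C and failing closed on anything it does not recognize. The 30-byte request layout (user, component and function, each 10 bytes and blank-padded), the component names and the allow-list are assumptions made for illustration; the article does not give the parameter format.

```c
#include <stdio.h>
#include <string.h>

/* ASSUMED layout (not given in the article): user, component and
   function, each a 10-byte blank-padded field, in that order. */
#define FLD 10
#define REQ_LEN (3 * FLD)

/* Constructed allow-list; "*" in a rule matches any value. */
struct rule { const char *user, *app, *func; };
static const struct rule ALLOW[] = {
    { "PAYROLL", "DTAQ",    "*" },        /* any data queue operation */
    { "REPORTS", "FILETFR", "DOWNLOAD" }  /* download only, no upload */
};

/* Compare one blank-padded fixed-width field with a C string. */
static int fld_eq(const char *fld, const char *want)
{
    size_t n = strlen(want), i;
    if (strcmp(want, "*") == 0) return 1;
    if (n > FLD || memcmp(fld, want, n) != 0) return 0;
    for (i = n; i < FLD; i++)             /* rest must be blanks, so   */
        if (fld[i] != ' ') return 0;      /* PAYROLL2 is not PAYROLL   */
    return 1;
}

/* Returns the 1-byte answer: '1' = accept, '0' = reject. */
char pcsacc_decide(const char *req, size_t len)
{
    size_t i;
    if (req == NULL || len < REQ_LEN) return '0';  /* malformed: reject */
    for (i = 0; i < sizeof ALLOW / sizeof ALLOW[0]; i++)
        if (fld_eq(req, ALLOW[i].user) &&
            fld_eq(req + FLD, ALLOW[i].app) &&
            fld_eq(req + 2 * FLD, ALLOW[i].func))
            return '1';
    return '0';                                    /* no rule matched */
}

int main(void)
{
    /* Constructed sample requests, 30 bytes each. */
    const char *ok  = "PAYROLL   DTAQ      SEND      ";
    const char *bad = "REPORTS   FILETFR   UPLOAD    ";
    printf("%c %c\n", pcsacc_decide(ok, REQ_LEN), pcsacc_decide(bad, REQ_LEN));
    return 0;
}
```

In a real exit program the returned byte would be copied into the 1-byte parameter the system passes in; starting from reject means a request the policy never anticipated is denied rather than allowed.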
Why use the registration facility?
Like database triggers, the PCSACC "exit point" is not part of the registration facility, although it is tied to it. The PCSACC network attribute has been around for years, while the registration facility is relatively new. The registration facility's purpose is to centralize and standardize the various exit points available on the system. Instead of having a couple of network attributes here and a system value there, the registration facility provides a single utility to define and manage exit points and exit programs.
Most of the IBM-supplied exit points were introduced after the registration facility was. Therefore, they do not have pre-existing counterparts like the PCSACC. In these cases, you can work directly with the exit points using the registration facility.
On the other hand, the older exit points, like the PCSACC network attribute, also have associated true exit points that are managed via the registration facility. To illustrate some of the differences, let's take a look at why you would want to use the registration facility instead of the PCSACC network attribute.
Client Access (i.e., PC Support) is made up of many individual and distinct components. Some of the more common are:
- File transfer function
- Data queue facility
- Virtual printer function
- Remote SQL
- Remote command function
An exit program specified for the PCSACC network attribute can distinguish which function request caused it to be invoked but it is called for each and every request. This can be a drain on system performance.
The registration facility takes the single exit point PCSACC and splits it into a number of different exit points, roughly one for each Client Access component. This way, you can target only the components you want and not have to waste CPU time on those functions you do not want to cover with an exit program. For example, if you are only interested in securing the data queue and remote SQL facilities with exit programs, you can specify exit programs for just the QIBM_QHA_DTAQ and QIBM_QRQ_SQL exit points. Client Access components not secured by an exit program will be secured using the normal OS/400 security (i.e., as though *OBJAUT had been specified on the PCSACC network attribute).
More to follow
Now that we understand what exit points and exit programs are and how they work, we will be armed for the next installment when we will develop and deploy an exit program using the registration facility.
About the author: Ron Turull is editor of Inside Version 5. He has more than 20 years' experience programming for and managing AS/400-iSeries systems.
This was first published in August 2004