Tip

Working with exit programs in i5/OS V6

Rich Loeber
In my last System i security tip, I looked at new system values in i5/OS V6 that give better control over system passwords. To continue exploring what's new in V6, this tip reviews some of the new security-related exit points that are now available.

What are exit programs?
Exit programs are user-written extensions to the operating system that let you impose your own rules over specific areas within the operating system. Exit programs are integrated with the OS through exit points. An exit program must be registered to the exit point before it will work on your system. Exit points have been around in OS/400 and i5/OS for more than 10 years now, and each new release of the OS introduces new points and new functionality. V6 is no exception.

If you are unfamiliar with exit programs on your system, use the "Work with Registration Information" command (WRKREGINF) to see the exit points. This will display a list of the exit points on your system. You can also generate a listing of the exit points and registered exit programs by using the OUTPUT(*PRINT) option on this command.

Exit programs in V6
For any exit point, you can see if there is a registered exit program by placing an 8 next to it. The OS ships from IBM with some exit programs already registered. A typical example is the series of exit programs used with the Mail Server Framework (MSF). So, if you see registered exit programs, don't delete any until you are absolutely certain that they can safely be removed. Making registration changes to exit points is not for the faint of heart, so study the IBM documentation before attempting this.

The first set of new exit points you will see in V6 are for Cryptographic Services. There are four new exit points to support this feature in the new OS, as follows:

Clear Master Key - QIBM_QC3_CLR_MSTKEY
Delete Keystore Record - QIBM_QC3_DLT_KREC
Set Master Key - QIBM_QC3_SET_MSTKEY
Translate Keystore - QIBM_QC3_TRN_KSF

Each of these exit points gives you the ability to control operations within the OS. They allow you to attach your own exit program and return a pass/fail indicator to the OS that determines whether the requested operation is allowed or denied. This is part of the cryptographic services function that is also new in V6. The exit points give you important added control over the cryptographic key store on your system, something that will become more and more important as encryption becomes more embedded in System i computing.

Another new exit point in V6 is the Optical Exit Point (QIBM_QMO_OPT). This exit point gives you control over the initialization process on optical drives. Implementing this point will let you disallow optical drive initialization according to your own policy rules. This can be used for virtual optical drives to make sure that existing drives are not inadvertently or intentionally initialized and their contents subsequently lost.

If you have any questions about anything included in this tip, you can reach me at rich@kisco.com. All email messages will be answered as quickly as possible.

ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

This was first published in March 2008
