In my last System i security tip, I looked at new system values in i5/OS V6 that give better control over system passwords. To continue exploring what's new in V6, this tip will review some of the new security related exit points that are now available.
What are exit programs?
Exit programs are user written extensions to the operating system that let you impose our own rules over specific areas within the operating system. Exit programs are integrated with the OS through exit points. An exit program must be registered to the exit point before it will work on your system. Exit points have been around in OS/400 and i5/OS for more than 10 years now and each new release of the OS introduces new points and new functionality. V6 is no exception in this arena.
If you are unfamiliar with exit programs on your system, use the "Work with Registration Information" command (WRKREGINF) to see the exit points. This will display a list of the exit points on your system. You can also generate a listing of the exit points and registered exit programs by using the OUTPUT(*PRINT) option on this command.
Exit programs in V6
For any exit point, you can see if there is a registered exit program by placing an 8 next to it. The OS ships from IBM with some exit programs already registered. A typical example of this are the series of exit programs used with the Mail Server Framework (MSF). So, if you see registered exit programs, don't go deleting any until you are absolutely certain that they can safely be removed. Making registration changes to exit points is not for the feint of heart, so study the IBM documentation before attempting this.
The first set of new exit points you will see in V6 are for Cryptographic Services. There are four new exit points to support this feature in the new OS, as follows:
Clear Master Key - QIBM_QC3_CLR_MSTKEY
Delete Keystore Record - QIBM_QC3_DLT_KREC
Set Master Key - QIBM_QC3_SET_MSTKEY
Translate Keystore - QIBM_QC3_TRN_KSF
Each of these exit points provides you with the ability to control operations within the OS. They allow you to attach your own exit program and return a pass/fail indicator back to the OS as to whether the requested operation should be allowed or denied. This is part of the cryptographic services function that is also new in V6. The exit points will give you important added control over the cryptographic key store on your system, something that will become more and more important as encryption becomes more imbedded in System i computing.
Another new exit point in V6 is the Optical Exit Point (QIBM_QMO_OPT). This exit point gives you control over the initialization process on optical drives. Implementing this point will let you disallow optical drive initialization according to your own policy rules. This can be used for virtual optical drives to make sure that existing drives are not inadvertently or intentionally initialized and their contents subsequently lost.
If you have any questions about anything included in this tip, you can reach me at firstname.lastname@example.org. All email messages will be answered as quickly as possible.
ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.