Discussion:
not all remote sql access captured by exit points?
Steve Richter
2007-08-27 13:49:57 UTC
I am using ODBC and DDM exit point programs to troubleshoot problems
implementing the MSFT host integration server. Problem is, the SQL
stmts sent to the as400 thru the HIS OLE DB connection are not
captured by as400 exit points I am using.

The host integration server sql traffic passes thru the DDMACC exit
point of the as400. But that exit point has minimal information and is
called at the initial connection only.

The database server exit points, qibm_qzda_init, ndb1, sql2, roi1, are
not called for what I am guessing is OLE DB access to the as400
database.

Are there other exit points I am not aware of? I think the client
access .net provider also uses ole db. So going by this little bit
that I know, I can't use exit points to filter out sql access that
arrives via that route also?

-Steve
Thomas
2007-08-29 04:49:49 UTC
Post by Steve Richter
I am using ODBC and DDM exit point programs to troubleshoot problems
implementing the MSFT host integration server. Problem is, the SQL
stmts sent to the as400 thru the HIS OLE DB connection are not
captured by as400 exit points I am using.
The host integration server sql traffic passes thru the DDMACC exit
point of the as400. But that exit point has minimal information and is
called at the initial connection only.
The database server exit points, qibm_qzda_init, ndb1, sql2, roi1, are
not called for what I am guessing is OLE DB access to the as400
database.
Are there other exit points I am not aware of? I think the client
access .net provider also uses ole db. So going by this little bit
that I know, I can't use exit points to filter out sql access that
arrives via that route also?
Steve:

Not much I can add to this. It looks like you've got a clear picture of
the situation. Only advice I can offer is to take care in allowing those
connections.
--
Tom Liotta
http://zap.to/tl400
Steve Richter
2007-08-29 15:03:40 UTC
Post by Thomas
Post by Steve Richter
I am using ODBC and DDM exit point programs to troubleshoot problems
implementing the MSFT host integration server. Problem is, the SQL
stmts sent to the as400 thru the HIS OLE DB connection are not
captured by as400 exit points I am using.
The host integration server sql traffic passes thru the DDMACC exit
point of the as400. But that exit point has minimal information and is
called at the initial connection only.
The database server exit points, qibm_qzda_init, ndb1, sql2, roi1, are
not called for what I am guessing is OLE DB access to the as400
database.
Are there other exit points I am not aware of? I think the client
access .net provider also uses ole db. So going by this little bit
that I know, I can't use exit points to filter out sql access that
arrives via that route also?
Not much I can add to this. It looks like you've got a clear picture of
the situation. Only advice I can offer is to take care in allowing those
connections.
Thanks for the confirmation, Tom. Likely, the IBM OLEDB .Net provider
takes the same, unmonitorable, route to the as400 database as HIS
does. What is the point of locking down ODBC access to the system
when OLEDB access (if that is what it is called) can't be secured the
way ODBC can?

-Steve
CRPence
2007-08-31 17:12:33 UTC
Did you look at PCSACC beyond just DDMACC [On DSPNETA & CHGNETA]?
Does the Redbook document SG24-5183 assist?
http://www.redbooks.ibm.com/redbooks/pdfs/sg245183.pdf
From what I infer, it seems perhaps the desired outcome will be
achieved by a request to CHGNETA PCSACC(*REGFAC) ??

Regards, Chuck
--
All comments provided "as is" with no warranties of any kind
whatsoever and may not represent positions, strategies, nor views of my
employer
Steve Richter
2007-09-01 13:58:49 UTC
Post by CRPence
Did you look at PCSACC beyond just DDMACC [On DSPNETA & CHGNETA]?
Does the Redbook document SG24-5183 assist?
http://www.redbooks.ibm.com/redbooks/pdfs/sg245183.pdf
From what I infer, it seems perhaps the desired outcome will be
achieved by a request to CHGNETA PCSACC(*REGFAC) ??
Just tried it. Sorry to say, no effect.

When I run odbc code from the PC, the zdai0100 and zdaq0200 exit
points fire on the as400. When I execute sql on the as400 from HIS,
the only exit point that is called is DDMACC.

Thanks for the tip,

-Steve
Kent Milligan
2007-09-06 15:01:59 UTC
Any middleware like the Hit Software driver that uses the open group DRDA
standard to access DB2 for i5/OS will not trigger the qzda exit programs.
That's why a secure object-based security implementation is needed to protect
your business data.

If you're worried about the exposure, one possible solution might be to only use
middleware that doesn't rely on DRDA and then end the *DDM TCP server.
--
Kent Milligan
ISV Enablement - System i
ibm.com/iseries/db2
(opinions stated are not necessarily those of my employer)
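
Added example, not part of the thread: a small inventory check that sorts established inbound connections by which exit-point coverage the posts above describe, so clients arriving over DRDA/DDM stand out from those the qzda exit programs see. The port numbers are the default IBM i service-table entries (an assumption, the thread does not state them), and the connection list format and addresses are constructed for the example.

```python
from collections import defaultdict

# Assumption: default IBM i service-table ports (not given in the thread).
HOST_DB_PORTS = {8471, 9471}       # as-database / as-database-s (ODBC route)
DRDA_DDM_PORTS = {446, 447, 448}   # drda / ddm / ddm-ssl (*DDM TCP server)


def coverage(local_port):
    """Classify a local port by the exit-point coverage described in the thread."""
    if local_port in HOST_DB_PORTS:
        return "QZDA"          # database server (qzda) exit programs are called
    if local_port in DRDA_DDM_PORTS:
        return "DDMACC_ONLY"   # thread: only DDMACC fires, at initial connection
    return "OTHER"


def parse_connections(text):
    """Yield (remote_addr, local_port) for established connections only."""
    for raw in text.splitlines():
        fields = raw.split()
        # Skip blank lines, the header comment and anything malformed.
        if len(fields) != 4 or fields[0].startswith("#"):
            continue
        remote, _remote_port, local_port, state = fields
        if state != "Established" or not local_port.isdigit():
            continue
        yield remote, int(local_port)


def summarize(text):
    """Group remote addresses by coverage class, de-duplicated and sorted."""
    groups = defaultdict(set)
    for remote, local_port in parse_connections(text):
        groups[coverage(local_port)].add(remote)
    return {kind: sorted(hosts) for kind, hosts in groups.items()}


# Constructed sample: remote_addr remote_port local_port state
SAMPLE = """\
# remote_addr remote_port local_port state (constructed sample)
10.0.0.21 50112 8471 Established
10.0.0.35 49822 446 Established
10.0.0.35 49830 446 Established
10.0.0.40 51200 448 Established
* * 446 Listen
10.0.0.50 52001 23 Established
"""

if __name__ == "__main__":
    for kind, hosts in sorted(summarize(SAMPLE).items()):
        print(f"{kind:12} {', '.join(hosts)}")
```

Hosts listed under DDMACC_ONLY are the ones whose SQL statements the database server exit programs never see, so their access depends on object-level authority alone.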