Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

not all remote sql access captured by exit points?

73 views
Skip to first unread message

Steve Richter

unread,
Aug 27, 2007, 9:49:57 AM8/27/07
to
I am using ODBC and DDM exit point programs to troubleshoot problems
implementing the MSFT host integration server. Problem is, the the SQL
stmts sent to the as400 thru the HIS OLE DB connection are not
captured by as400 exit points I am using.

The host integration server sql traffic passes thru the DDMACC exit
point of the as400. But that exit point has minimal information and is
called at the initial connection only.

The database server exit points, qibm_qzda_init, ndb1, sql2, roi1, are
not called for what I am guessing is OLE DB access to the as400
database.

Are there other exit points I am not aware of? I think the client
access .net provider also uses ole db. So going by this little bit
that I know, I cant use exit points to filter out sql access that
arrives via that route also?

-Steve

Thomas

unread,
Aug 29, 2007, 12:49:49 AM8/29/07
to
Steve Richter wrote:

Steve:

Not much I can add to this. It looks like you've got a clear picture of
the situation. Only advice I can offer is to take care in allowing those
connections.

--
Tom Liotta
http://zap.to/tl400

Steve Richter

unread,
Aug 29, 2007, 11:03:40 AM8/29/07
to

thanks for the confirmation Tom. Likely, the IBM OLEDB .Net provider
takes the same, unmonitorable, route to the as400 database as HIS
does. What is the point of locking down ODBC access to the system
when OLEDB access ( if that is what it is called ) cant be secured the
way ODBC can?

-Steve

CRPence

unread,
Aug 31, 2007, 1:12:33 PM8/31/07
to
Did you look at PCSACC beyond just DDMACC [On DSPNETA & CHGNETA]?
Does the Redbook document SG24-5183 assist?
http://www.redbooks.ibm.com/redbooks/pdfs/sg245183.pdf
From what I infer, it seems perhaps the desired outcome will be
achieved by a request to CHGNETA PCSACC(*REGFAC) ??

Regards, Chuck
--
All comments provided "as is" with no warranties of any kind
whatsoever and may not represent positions, strategies, nor views of my
employer

Steve Richter

unread,
Sep 1, 2007, 9:58:49 AM9/1/07
to
On Aug 31, 1:12 pm, CRPence <crpe...@vnet.ibm.com> wrote:
> Did you look at PCSACC beyond just DDMACC [On DSPNETA & CHGNETA]?
> Does the Redbook document SG24-5183 assist?
> http://www.redbooks.ibm.com/redbooks/pdfs/sg245183.pdf
> From what I infer, it seems perhaps the desired outcome will be
> achieved by a request to CHGNETA PCSACC(*REGFAC) ??

just tried it. sorry to say, no effect.

when I run odbc code from the PC, the zdai0100 and zdaq0200 exit
points fire on the as400. When I execute sql on the as400 from HIS,
the only exit point that is called is DDMACC.

thanks for the tip,

-Steve

Kent Milligan

unread,
Sep 6, 2007, 11:01:59 AM9/6/07
to
Any middleware like the Hit Software driver that uses the open group DRDA
standard to access DB2 for i5/OS will not trigger the qzda exit programs.
That's why a secure object-based security implementation is needed to protect
your business data.

If you're worried about the exposure, one possible solution might be to only use
middleware that doesn't rely on DRDA and then end the *DDM TCP server.

--
Kent Milligan
ISV Enablement - System i
km...@us.eye-bee-m.com (spam trick) GO HAWKEYES!!
>>> ibm.com/iseries/db2
(opinions stated are not necessarily those of my employer)

0 new messages