not all remote sql access captured by exit points? - IBM AS400


  1. not all remote sql access captured by exit points?

    I am using ODBC and DDM exit point programs to troubleshoot problems
    implementing the MSFT host integration server. Problem is, the SQL
    stmts sent to the as400 thru the HIS OLE DB connection are not
    captured by as400 exit points I am using.

    The host integration server sql traffic passes thru the DDMACC exit
    point of the as400. But that exit point has minimal information and is
    called at the initial connection only.

    The database server exit points, qibm_qzda_init, ndb1, sql2, roi1, are
    not called for what I am guessing is OLE DB access to the as400
    database.

    Are there other exit points I am not aware of? I think the client
    access .net provider also uses ole db. So going by this little bit
    that I know, I can't use exit points to filter out sql access that
    arrives via that route also?

    -Steve


  2. Re: not all remote sql access captured by exit points?

    Steve Richter wrote:

    > I am using ODBC and DDM exit point programs to troubleshoot problems
    > implementing the MSFT host integration server. Problem is, the SQL
    > stmts sent to the as400 thru the HIS OLE DB connection are not
    > captured by as400 exit points I am using.
    >
    > The host integration server sql traffic passes thru the DDMACC exit
    > point of the as400. But that exit point has minimal information and is
    > called at the initial connection only.
    >
    > The database server exit points, qibm_qzda_init, ndb1, sql2, roi1, are
    > not called for what I am guessing is OLE DB access to the as400
    > database.
    >
    > Are there other exit points I am not aware of? I think the client
    > access .net provider also uses ole db. So going by this little bit
    > that I know, I can't use exit points to filter out sql access that
    > arrives via that route also?


    Steve:

    Not much I can add to this. It looks like you've got a clear picture of
    the situation. Only advice I can offer is to take care in allowing those
    connections.

    --
    Tom Liotta
    http://zap.to/tl400

  3. Re: not all remote sql access captured by exit points?

    On Aug 29, 12:49 am, Thomas wrote:
    > Steve Richter wrote:
    > > I am using ODBC and DDM exit point programs to troubleshoot problems
    > > implementing the MSFT host integration server. Problem is, the SQL
    > > stmts sent to the as400 thru the HIS OLE DB connection are not
    > > captured by as400 exit points I am using.
    >
    > > The host integration server sql traffic passes thru the DDMACC exit
    > > point of the as400. But that exit point has minimal information and is
    > > called at the initial connection only.
    >
    > > The database server exit points, qibm_qzda_init, ndb1, sql2, roi1, are
    > > not called for what I am guessing is OLE DB access to the as400
    > > database.
    >
    > > Are there other exit points I am not aware of? I think the client
    > > access .net provider also uses ole db. So going by this little bit
    > > that I know, I can't use exit points to filter out sql access that
    > > arrives via that route also?
    >
    > Steve:
    >
    > Not much I can add to this. It looks like you've got a clear picture of
    > the situation. Only advice I can offer is to take care in allowing those
    > connections.


    thanks for the confirmation Tom. Likely, the IBM OLEDB .Net provider
    takes the same, unmonitorable, route to the as400 database as HIS
    does. What is the point of locking down ODBC access to the system
    when OLEDB access ( if that is what it is called ) can't be secured the
    way ODBC can?

    -Steve




  4. Re: not all remote sql access captured by exit points?

    Did you look at PCSACC beyond just DDMACC [On DSPNETA & CHGNETA]?
    Does the Redbook document SG24-5183 assist?
    http://www.redbooks.ibm.com/redbooks/pdfs/sg245183.pdf
    From what I infer, it seems perhaps the desired outcome will be
    achieved by a request to CHGNETA PCSACC(*REGFAC) ??

    Regards, Chuck
    --
    All comments provided "as is" with no warranties of any kind
    whatsoever and may not represent positions, strategies, nor views of my
    employer

    Steve Richter wrote:
    > I am using ODBC and DDM exit point programs to troubleshoot problems
    > implementing the MSFT host integration server. Problem is, the SQL
    > stmts sent to the as400 thru the HIS OLE DB connection are not
    > captured by as400 exit points I am using.
    >
    > The host integration server sql traffic passes thru the DDMACC exit
    > point of the as400. But that exit point has minimal information and is
    > called at the initial connection only.
    >
    > The database server exit points, qibm_qzda_init, ndb1, sql2, roi1, are
    > not called for what I am guessing is OLE DB access to the as400
    > database.
    >
    > Are there other exit points I am not aware of? I think the client
    > access .net provider also uses ole db. So going by this little bit
    > that I know, I can't use exit points to filter out sql access that
    > arrives via that route also?
    >
    > -Steve


  5. Re: not all remote sql access captured by exit points?

    On Aug 31, 1:12 pm, CRPence wrote:
    > Did you look at PCSACC beyond just DDMACC [On DSPNETA & CHGNETA]?
    > Does the Redbook document SG24-5183 assist?
    > http://www.redbooks.ibm.com/redbooks/pdfs/sg245183.pdf
    > From what I infer, it seems perhaps the desired outcome will be
    > achieved by a request to CHGNETA PCSACC(*REGFAC) ??


    just tried it. sorry to say, no effect.

    when I run odbc code from the PC, the zdai0100 and zdaq0200 exit
    points fire on the as400. When I execute sql on the as400 from HIS,
    the only exit point that is called is DDMACC.

    thanks for the tip,

    -Steve




  6. Re: not all remote sql access captured by exit points?

    Any middleware like the Hit Software driver that uses the open group DRDA
    standard to access DB2 for i5/OS will not trigger the qzda exit programs.
    That's why a secure object-based security implementation is needed to protect
    your business data.

    If you're worried about the exposure, one possible solution might be to only use
    middleware that doesn't rely on DRDA and then end the *DDM TCP server.


    Steve Richter wrote:
    > On Aug 31, 1:12 pm, CRPence wrote:
    >> Did you look at PCSACC beyond just DDMACC [On DSPNETA & CHGNETA]?
    >> Does the Redbook document SG24-5183 assist?
    >> http://www.redbooks.ibm.com/redbooks/pdfs/sg245183.pdf
    >> From what I infer, it seems perhaps the desired outcome will be
    >> achieved by a request to CHGNETA PCSACC(*REGFAC) ??
    >
    > just tried it. sorry to say, no effect.
    >
    > when I run odbc code from the PC, the zdai0100 and zdaq0200 exit
    > points fire on the as400. When I execute sql on the as400 from HIS,
    > the only exit point that is called is DDMACC.
    >
    > thanks for the tip,
    >
    > -Steve


    --
    Kent Milligan
    ISV Enablement - System i
    kmill@us.eye-bee-m.com (spam trick) GO HAWKEYES!!
    >>> ibm.com/iseries/db2

    (opinions stated are not necessarily those of my employer)
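
The two measures named in the last reply (object-based security, and ending the *DDM TCP server when no DRDA middleware is needed), written out as CL commands. This is an added example, not code posted by anyone in the thread; MYLIB, ORDERS and APPUSER are placeholder names.

```cl
/* Added example. MYLIB, ORDERS and APPUSER are placeholders.          */

/* 1. Object-level authority. It is checked on every access path       */
/*    (ODBC, DRDA/DDM, OLE DB), whether or not an exit program is      */
/*    called for that path.                                            */
GRTOBJAUT  OBJ(QSYS/MYLIB)   OBJTYPE(*LIB)  USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT  OBJ(MYLIB/ORDERS) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)

/*    Give the one profile that needs read access exactly that.        */
GRTOBJAUT  OBJ(QSYS/MYLIB)   OBJTYPE(*LIB)  USER(APPUSER) AUT(*USE)
GRTOBJAUT  OBJ(MYLIB/ORDERS) OBJTYPE(*FILE) USER(APPUSER) AUT(*USE)

/*    Review the resulting authorities.                                */
DSPOBJAUT  OBJ(MYLIB/ORDERS) OBJTYPE(*FILE)

/* 2. Only if nothing legitimate uses DRDA/DDM over TCP/IP:            */
/*    keep the DDM TCP server from starting with TCP/IP, then end it.  */
CHGDDMTCPA AUTOSTART(*NO)
ENDTCPSVR  SERVER(*DDM)

/* 3. List the exit programs registered for the database host server,  */
/*    to see which access paths they cover.                            */
WRKREGINF  EXITPNT(QIBM_QZDA*)
```

Ending the *DDM TCP server cuts off every DRDA and DDM client that connects over TCP/IP, so confirm that nothing else depends on it before running step 2.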
