IBM Power Systems Technical University

October 18-22, 2010, Las Vegas, NV

Session Title: IBM i Best Security Practices
Session ID: SE03
Speaker Name: Bruce F. Bading

2010 IBM Corporation

IBM Power Systems Technical University Las Vegas, NV

System Security Levels

Security Levels, why run at a high security level

System security level 50... Good reasons to run there.
1. Object Domain Checking
2. Hardware storage protection
3. Parameter validation
NOTE: System security level controlled via QSECURITY system value

Security Level 30 - Not a secure environment

System interfaces perform appropriate authority checks but security exposures exist on this security level
*USE required by DSPDTAARA
*CHANGE required by CHGDTAARA

Security level 30 is NOT a secure security level!
User written programs, running at security level 30, can gain access to objects with minimal authority

Object Domain attributes - Object integrity


Every object: *CMD, *FILE, *PGM, etc. has a domain
Every program has a state (*SYSTEM or *USER)
Program state is compared against object Domain
Program run state: *SYSTEM or *USER (DSPPGM/DSPSRVPGM)
Object Domain: *SYSTEM or *USER (DSPOBJD)

Programs running *SYSTEM state can access both *USER and *SYSTEM domain.
Programs running *USER state can only access *USER domain objects.
Security level 30 ALLOWS access regardless of state/domain combination
Security level 40 and 50 enforce domain checking

Object Domain, Program State


[Figure: Object Domain and Program State]

Hardware Storage Protection (HSP) - Object integrity

Program state is compared against object HSP to determine allowable access. Every object has an HSP value.
Object HSP attributes:
Allow access from any state (no protection, *USRSPC, *USRQ, *USRIDX)
Read only in any state (*PGM, *SRVPGM)
No access in user state (Setting for most objects, V5R3 and prior)
Enhanced storage protection (V5R4 and beyond)

Security level 30 ALLOWS access regardless of state/HSP combination
NOTE: Some HSP violations can occur on all security levels
Security level 40 and 50 enforce HSP checking

Object attributes
MI object overview

[Figure: MI object, with pointer labels SYP and SPP]

Encapsulated MI Object, available to LIC
Object domain (Most objects are *SYSTEM domain)
Object owner
Public authority
Hardware storage protection setting
Encapsulated object data

Associated space, byte addressable area for use by above MI (user and OS) programs.
The associated space is used to store operating system and user data for objects, i.e. *CMD, *DTAARA, *JOBD, *USRSPC, *USRPRF, etc.

The CHKOBJITG CL Command can be used to scan the system for suspect objects and *PGMS

Authority checking and integrity support at level 40 & 50


User written programs, running at security level 40 or 50, MUST use system
interfaces (commands and APIs) to gain access to the objects.
Authority checking is enforced by the system interface
Object Domain checking is performed
Object Hardware storage protection is performed

Direct access by user programs to system objects is not allowed at Security level 40 and 50 due to domain and hardware storage protection attributes.

Disclaimer
This presentation contains programming examples ("Sample Code").
IBM grants you a nonexclusive copyright license to use the Sample Code to generate similar function tailored
to your own specific needs.
The Sample Code is provided by IBM for illustrative purposes only. The Sample Code has not been
thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or
function of the Sample Code.
The Sample Code contained herein is provided to you "AS IS" without any warranties of any kind. THE
IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT ARE EXPRESSLY DISCLAIMED. SOME JURISDICTIONS DO NOT ALLOW THE
EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSIONS MAY NOT APPLY TO YOU. IN
NO EVENT WILL IBM BE LIABLE TO ANY PARTY FOR ANY DIRECT, INDIRECT, SPECIAL OR OTHER
CONSEQUENTIAL DAMAGES FOR ANY USE OF THE SAMPLE CODE INCLUDING, WITHOUT
LIMITATION, ANY LOST PROFITS, BUSINESS INTERRUPTION, LOSS OF PROGRAMS OR OTHER
DATA ON YOUR INFORMATION HANDLING SYSTEM OR OTHERWISE, EVEN IF WE ARE EXPRESSLY
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Example exposure at security level 30


Sign on as a user with *ALLOBJ special authority
Create a job description object
CRTJOBD JOBD(QGPL/TEST) USER(QUSER) AUT(*USE)
Display the job description object, paying attention to the user.
DSPJOBD JOBD(QGPL/TEST)
Create and call the program using the source on the following slide.
CRTBNDC PGM(TESTLIB/TESTPGM1) SRCFILE(QCSRC)

Sign on as a user without *ALLOBJ special authority.
Attempt to change the job description object. Not authorized to object.
CHGJOBD JOBD(QGPL/TEST) USER(FRED)
Call the program (source on the next slide)
CALL PGM(TESTLIB/TESTPGM1)
Display the job description object, paying attention to the user.
DSPJOBD JOBD(QGPL/TEST)

After running this program, display the job description object, paying attention to the user in the JOBD.
Note the *JOBD object was changed by a user with only *USE authority.

#include <mih/rslvsp.h>
#include <mih/setsppfp.h>
#include <string.h>

int main(void)
{
    _SYSPTR jobd_sysptr;
    char *space_ptr;

    /* Resolve a system pointer to *JOBD TEST in QGPL, requesting no authority. */
    jobd_sysptr = rslvsp(WLI_JOBD, "TEST", "QGPL", _AUTH_NONE);
    /* Address the object's associated space directly instead of using CHGJOBD. */
    space_ptr = setsppfp(jobd_sysptr);
    space_ptr = space_ptr + 2;
    /* Write over the user name held in the associated space. */
    memcpy(space_ptr, "QSECOFR", strlen("QSECOFR"));
    return 0;
}

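After running this program, display the data area object, paying attention to the data area value.
Note the *DTAARA object was changed by a user with only *USE authority.

#include <mih/rslvsp.h>
#include <mih/setsppfp.h>
#include <string.h>

int main(void)
{
    _SYSPTR dtaara_sysptr;
    char *space_ptr;

    /* Resolve a system pointer to *DTAARA TEST in QGPL, requesting no authority. */
    dtaara_sysptr = rslvsp(WLI_DTAARA, "TEST", "QGPL", _AUTH_NONE);
    /* Address the object's associated space directly instead of using CHGDTAARA. */
    space_ptr = setsppfp(dtaara_sysptr);
    space_ptr = space_ptr + 3;
    /* Write over the data area value held in the associated space. */
    memcpy(space_ptr, "JUNK DATA", strlen("JUNK DATA"));
    return 0;
}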

NOTE: The previous two programs, running on security level 40 or 50, will result in an MCH6801 exception being signaled during the running of the program.

The object access is denied!!!!

System Value Settings


NOTE: Lock down system values via SST after setting

Integrity related system values


QSECURITY - Run at level 50
QALWOBJRST - Consider value *ALWPTF
QFRCCVNRST - Consider value 6 or 7
QVFYOBJRST - Consider value 5

Altered program description

Altered programs are created by modifying a program object in an unsupported way.
Program alterations include:
Modifying the program to run in system state
Modifying the program instruction stream
Modifying the program validation value

Common methods available to alter a program:
Using the system service tools to alter program
Save the program and modify it offline

System state "user" programs, why they are a threat


A program altered to run system state can access system
objects and change data on security level 40 and 50.
They run with the same capabilities as OS programs.

Altered programs can:
Deliberately cause system crashes
Modify objects so they cannot be recognized by the OS
Bypass authority checking for objects
Bypass system audit record creation
Attack other aspects of system integrity

System state "user" programs, V6R1 Change


A program altered to run system state will be prevented from
being restored on a V6R1 system. The OS blocks the restore
of the program patched to run system state.
Programs can be patched to system state, using service tools,
while the program exists on the system.

System values that control restore

1. QVFYOBJRST (Verify object restore)
2. QFRCCVNRST (Force conversion restore)
3. QALWOBJRST (Allow object restore)
When an attempt is made to restore an object onto the system, three
system values work together as filters to determine if the object is
allowed to be restored, or if it is converted during the restore.

Raising the bar against altered programs


Program validation value:
A hash over security relevant parts of the program. The hash
produces the same result on each system and is generated at
program creation.

Digital signing of program objects:
Signing of program objects using a secure private key. The public key is distributed to systems that need to verify the signature.
NOTE: The signature can be created after an object is altered.

QVFYOBJRST system value


The 5 QVFYOBJRST options (default is 3):
1. Do not verify signatures on restore. Restore all objects regardless of
their signature. NOTE: Effectively trust everything
2. Verify signatures on restore. Restore unsigned user-state objects.
Restore signed user-state objects, even if the signatures are not valid.
3. Verify signatures on restore. Restore unsigned user-state objects.
Restore signed user-state objects only if the signatures are valid.
4. Verify signatures on restore. Do not restore unsigned user-state
objects. Restore signed user-state objects, even if the signatures are
not valid.
5. Verify signatures on restore. Do not restore unsigned user-state
objects. Restore signed user-state objects only if the signatures are
valid. NOTE: Effectively trust nothing

QFRCCVNRST system value


The 8 QFRCCVNRST options (default is 0):
0. Do not convert anything. NOTE: Trust everything
1. Objects with validation errors will be converted.
2. Objects requiring conversion to be used on the current version of the
operating system and objects with validation errors will be converted.
3. Objects suspected of having been tampered with, objects containing
validation errors, and objects requiring conversion to be used by the current
version of the operating system will be converted.
4. Objects that contain sufficient creation data to be converted and do not
have valid digital signatures will be converted.
5. Objects that contain sufficient creation data will be converted or else not
restored.
6. All objects that do not have valid digital signatures will be converted.
7. All objects will be converted or else not restored. NOTE: Trust nothing

QALWOBJRST system value


The QALWOBJRST options (default is *ALL):
*ALL - Allows all objects to be restored regardless of whether or not they have security-sensitive attributes or validation errors. NOTE: Effectively trust everything
*NONE - Does not allow objects with security-sensitive attributes to be restored. NOTE: Effectively trust nothing
*ALWSYSSTT - Allows programs, service programs, and modules with the system-state or inherit-state attribute to be restored.
*ALWPGMADP - Allows programs and service programs with the adopt attribute to be restored.
*ALWPTF - Allow system-state or inherit-state programs, service programs, modules, objects that adopt authority, objects that have the S_ISUID (set-user-ID) attribute enabled, and objects that have the S_ISGID (set-group-ID) attribute enabled to be restored to the system during a PTF install.
*ALWSETUID, *ALWSETGID - Allow restore of files that have the S_ISUID (set-user-ID) attribute or the S_ISGID (set-group-ID) enabled.
*ALWVLDERR - Allow objects with validation errors or suspected of having been tampered with to be restored. When the setting of the QFRCCVNRST system value causes the object to be converted any validation errors it may have had will be corrected.
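
The values suggested on the "Integrity related system values" slide can be checked with a short CL program. This is an added example, not part of the original presentation or of IBM's sample code; it only reads values with RTVSYSVAL, and the message wording and the &FINDINGS counter are assumptions of the example.

```cl
/* Added example: flag integrity-related system values that differ   */
/* from the values suggested in this deck. Read-only (RTVSYSVAL).    */
PGM
  DCL VAR(&SECLVL)   TYPE(*CHAR) LEN(2)    /* QSECURITY            */
  DCL VAR(&VFYRST)   TYPE(*CHAR) LEN(1)    /* QVFYOBJRST           */
  DCL VAR(&CVNRST)   TYPE(*CHAR) LEN(1)    /* QFRCCVNRST           */
  DCL VAR(&ALWRST)   TYPE(*CHAR) LEN(150)  /* QALWOBJRST: 15 x 10  */
  DCL VAR(&FINDINGS) TYPE(*DEC)  LEN(3 0) VALUE(0)
  DCL VAR(&COUNT)    TYPE(*CHAR) LEN(3)

  /* Domain and HSP checking are enforced only at levels 40 and 50;  */
  /* the deck suggests 50.                                           */
  RTVSYSVAL SYSVAL(QSECURITY) RTNVAR(&SECLVL)
  IF COND(&SECLVL *NE '50') THEN(DO)
    SNDPGMMSG MSG('QSECURITY is' *BCAT &SECLVL *CAT ', suggested 50')
    CHGVAR VAR(&FINDINGS) VALUE(&FINDINGS + 1)
  ENDDO

  /* Options 1-4 restore unsigned or invalidly signed user-state     */
  /* objects; only option 5 refuses both.                            */
  RTVSYSVAL SYSVAL(QVFYOBJRST) RTNVAR(&VFYRST)
  IF COND(&VFYRST *NE '5') THEN(DO)
    SNDPGMMSG MSG('QVFYOBJRST is' *BCAT &VFYRST *CAT ', suggested 5')
    CHGVAR VAR(&FINDINGS) VALUE(&FINDINGS + 1)
  ENDDO

  /* The deck suggests 6 or 7; the shipped default is 0.             */
  RTVSYSVAL SYSVAL(QFRCCVNRST) RTNVAR(&CVNRST)
  IF COND(&CVNRST *LT '6') THEN(DO)
    SNDPGMMSG MSG('QFRCCVNRST is' *BCAT &CVNRST *CAT +
                  ', suggested 6 or 7')
    CHGVAR VAR(&FINDINGS) VALUE(&FINDINGS + 1)
  ENDDO

  /* QALWOBJRST is a list of 10-character entries. *ALL (the shipped */
  /* default) allows every security-sensitive object to be restored. */
  RTVSYSVAL SYSVAL(QALWOBJRST) RTNVAR(&ALWRST)
  IF COND(%SST(&ALWRST 1 10) *EQ '*ALL') THEN(DO)
    SNDPGMMSG MSG('QALWOBJRST is *ALL, suggested *ALWPTF')
    CHGVAR VAR(&FINDINGS) VALUE(&FINDINGS + 1)
  ENDDO

  /* Summary: number of values that differ from the suggestions.     */
  CHGVAR VAR(&COUNT) VALUE(&FINDINGS)
  SNDPGMMSG MSG('System value findings:' *BCAT &COUNT)
ENDPGM
```

The messages go to the caller's program message queue, so after calling the program from a command line the results are in the job log.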

Controlling the system interfaces


The "RST" interfaces are shipped as PUBLIC(*EXCLUDE).
Only trusted users should be authorized to use the restore interfaces.
Note: BRMS interfaces are PUBLIC(*USE) but call the system "RST" interfaces which
are PUBLIC(*EXCLUDE)

Verify the list of users authorized to SAVE data
Protect the use of the system service tools (SST/DST) and service related commands (DMPxxx, TRCxxx, etc).

System Value Settings continued


NOTE: Lock down system values via SST after setting

Auditing related system values

QAUDCTL - Audit on/off switch
QAUDLVL and QAUDLVL2 (new in V5R3)
QAUDENDACN and QAUDFRCLVL - Use default values
QCRTOBJAUD - Audit newly created objects

Auditing continued
Create the QAUDJRN audit journal
Set QAUDCTL to *OBJAUD, *AUDLVL and *NOQTEMP
Set QAUDLVL to *AUDLVL2 (V5R3)
Set auditing values in QAUDLVL2 system value (new for
V5R3). Set audit values in QAUDLVL prior to V5R3.

Turn on audit and save the audit journal receivers.
You may need the audit data in the future!
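
The audit setup steps above, written out as commands for V5R3 or later. This is an added example, not from the original presentation; the library AUDLIB, the receiver name AUDRCV0001, the device TAP01, the QCRTOBJAUD value and the selection of QAUDLVL2 values are assumptions to adapt.

```cl
/* Added example: audit journal setup following the slide's steps.   */
/* AUDLIB, AUDRCV0001, TAP01 and the audit value selection are       */
/* assumptions of this example, not values from the deck.            */

/* 1. Create the receiver and the QAUDJRN audit journal.             */
/*    DLTRCV(*NO) keeps detached receivers so they can be saved.     */
CRTJRNRCV JRNRCV(AUDLIB/AUDRCV0001) AUT(*EXCLUDE)
CRTJRN JRN(QSYS/QAUDJRN) JRNRCV(AUDLIB/AUDRCV0001) +
       MNGRCV(*SYSTEM) DLTRCV(*NO) AUT(*EXCLUDE)

/* 2. Put the audit values in QAUDLVL2 and point QAUDLVL at it.      */
/*    *PGMFAIL records domain and storage protection violations,     */
/*    *SAVRST records restores of security-sensitive objects,        */
/*    *SERVICE records use of service tools.                         */
CHGSYSVAL SYSVAL(QAUDLVL2) +
          VALUE('*AUTFAIL *PGMFAIL *SECURITY *SERVICE *SAVRST')
CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUDLVL2')

/* 3. Audit newly created objects.                                   */
CHGSYSVAL SYSVAL(QCRTOBJAUD) VALUE('*CHANGE')

/* 4. Turn auditing on last, once the journal exists.                */
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*OBJAUD *AUDLVL *NOQTEMP')

/* 5. Later, on a schedule: detach the current receiver and save     */
/*    the receivers so the audit data is kept.                       */
CHGJRN JRN(QSYS/QAUDJRN) JRNRCV(*GEN)
SAVOBJ OBJ(AUDRCV*) LIB(AUDLIB) DEV(TAP01) OBJTYPE(*JRNRCV)
```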

Password composition system values


WRKSYSVAL SYSVAL(QPWD*)
Consider using enhanced password support (QPWDLVL=1 or 3)
Set the password composition rule SYSVALs on your system
Use the ANZDFTPWD command to check for default passwords
Consider using the ANZPRFACT command to disable inactive
profiles
Consider using the CHGACTSCDE command to limit profile use to certain times during the day

Additional security related system values

QALWUSRDMN - Consider value QTEMP
QINACTITV - Set to a reasonable number of minutes
QINACTMSGQ - *ENDJOB/*DSCJOB
QMAXSIGN - Consider setting to 3
QMAXSGNACN - Set to disable device and profile

Resource Security
Resource Security - Protecting your objects

Resource Security

Don't rely on menu security
Exit programs, used to control system interfaces such as FTP, are useful but not the complete solution to protect your data
Secure your sensitive objects with the appropriate level of authority!

Resource Security - protecting your objects


Protecting your objects with resource security is necessary to protect
your data.
Run at a security level 50
Secure your confidential data with *EXCLUDE public authority
Objects that are not security sensitive (public objects) should be
protected with *USE public authority. This gives good performance
for read operations on the object.
Additional authority can be given to users who must change the data, but private authorities should be used sparingly for best performance.

Resource Security continued - protecting your objects

Use adopted authority or profile swap to control access to your data
from within your application.
Set Ownership of your objects to the profile you adopt/swap
Set *PUBLIC to *EXCLUDE for your application objects
Grant NO private authorities for best performance. Rely on the
ownership authority to gain access.

Note: Do not give command line access to users running your application that adopts or swaps!

Encrypting sensitive data


New set of APIs delivered in V5R3 that provide support for
encrypting data
New set of APIs delivered in V5R4 that provide support to
create, manage and protect encryption keys

Protect encryption keys. Encrypting data, without protecting the encryption keys, does not protect the data
Protect encryption keys with a master key (V5R4)

Encrypting sensitive data Continued


V6R1 enhancements
SW Encrypted backup. Provides encryption support for tape/virtual tape
via BRMS and tape management APIs (OS option 44)
HW encrypted backup solutions via TS11x0 & LTO-4 (HW available off
release)
Encrypted ASP. Provides disk level encryption support for all data written
to disk (OS option 45)

Encryption key management is required (master keys and data encryption keys)

Securing Service Tools

Controlling access to the Service Tools is necessary for a secure system.
Create as few Service Tools User IDs as possible
Create a Service Tool user with the same privileges as QSECOFR (QSECOFR can become disabled)
Never use QSECOFR Service Tool USERID (save the password in a secure location)
Consider not allowing the OS/400 QSECOFR user to have a QSECOFR level Service Tools USERID

Network-Based Intrusion Detection


[Figure: network diagram of firewalls and intrusion monitors; labels: Firewalls, Intrusion Monitors, Intrusion Monitor, Internet, Development system, WWW, Mail]

Network-Based Intrusion Detection


What Intrusion Monitors Do:
Perform "Signature Analysis" or "Pattern Matching"
Patterns: Looking for known "bad patterns" in IP flow.
Signature Analysis: Watch for "Trend Deviations" in network usage.
o I.e., when someone successfully connects to a machine, packet activity is quite different from when somebody is randomly searching for open ports.

Reaction to suspected malicious behavior:
Send e-mail or message to pager
Shut down network or routers

Network-Based Security Appliance


Internet Security Systems (ISS)
IBM company that produces network security HW & SW
ISS Proventia Multi-Function Security HW
Firewall
Intrusion Detection and Prevention
Anti-Virus
Web Content Filtering
VPN
Monitoring/Reporting
Network Configuration

IBM Partner Network Security Products


IBM Security Partners - Many listed on the IBM i Security site
Products that enhance the native security features available in the
operating system
Many are network based
Apply additional security rules
Enforcement of the rules
IBM i Security website:
http://www-03.ibm.com/systems/i/security/

SSL/VPN connection
For remote connections to your iSeries:
Use Virtual Private Network
Use SSL enabled versions of the client
connection applications (Telnet, FTP, iSeries
Navigator, etc)

General TCP/IP Security Tips

Only start TCP/IP servers that are needed
Prevent applications from using well-known ports
Turn IP Source Routing off
Allow IP Datagram Forwarding only when needed
Don't leave PPP or SLIP lines waiting in answer state

iSeries Packet Security


IP Packet Filtering can be used to PERMIT or DENY based
on the packet characteristics
Source and Destination IP Address
Source and Destination IP Port
Protocol
Packet Direction
Packet Fragments

IP Network Address Translation (NAT)
Can be used to hide private network behind a single public IP Interface (address)

IP filtering and network address translation...


How Do You Use It:
iSeries Navigator:
(system)->network->IP Policies->Packet Rules
Select Rules Editor from context menu.

Wizards pull down has three selections.
Many other features...

Web Applications
When designing Web Applications

Use a default (low power) user profile when accessing public/internet applications
Provide the minimum amount of required authority to application objects.

Use either client authentication or USERID/PWD authentication for intranet applications
Provides user level security and audit for the application.

Additional Things to Know

i5/OS Security tools

Many security reporting tools exist for the iSeries
Run "GO SECTOOLS" from command entry
Run the report generation security tools

Security tool commands produce reports that can be used to manage security and look for security holes

i5/OS Partners

Numerous i5/OS partners provide additional tools

Reporting & Monitoring
Security Configuration
Encryption
Network Security
Authentication/Biometrics

IBM i Security website:
http://www-03.ibm.com/systems/i/security/

Application development considerations

Authority and ownership


Authority and ownership considerations
What user profile will own the application?
What public authority should be used for the application objects?
What user profile should own objects created when the application is
run by an end user? Probably not the user running the application.
What public authority should be used for objects created at run time?
Should adopted authority be used to access the application objects?

Trojan Horse concerns

Library qualify object reference
Program and command invocation should be library qualified
CALL LIBNAME/PGMNAM (parms)
QSYS/CRTDTAARA DTAARA(LIB/DTAARA1) TYPE(*CHAR)
By qualifying the object reference, you prevent trojan horse attacks via the
library list
For objects that contain translatable text (message files, panel groups, etc) you
should use *LIBL for library qualification in order to pick up different versions of
the translated text.

Adopted authority
Adopted Authority
When a program or service program adopts authority, it uses both the authority for
the user that is running plus the authority of the pgm/srvpgm owner.
Adopted authority is specified when the pgm/srvpgm is created
- C, CL, etc. --> by specifying USRPRF(*OWNER) on the create command.
Be careful not to include adopted authority in any authority checks.
IFS interfaces do not honor adopted authority
- Must swap to powerful profile to ensure a user is authorized to access an IFS
object.
Make sure command line (or exit program) not available to user when adopting
authority or swapped to a powerful profile.

Profile Swapping
Profile swap
Use of the QSYGETPH or QSYGETPT APIs allows the user profile of a job to be swapped.
Log in as user "JEFF"
Swap to user "UEHLING"
Must be careful to not include swapped user in any authority checks (unless
appropriate).
IFS interfaces do not honor adopted authority
- Must swap to powerful profile to ensure a user is authorized to access an IFS
object.
Make sure command line (or exit program) not available to user when adopting
authority or swapped to a powerful profile.

Profile Swap Continued...


Profile swap (Cleanup)
Use of the QSYGETPH or QSYGETPT APIs allows the user profile of a job to be swapped.
Log in as user "JEFF"
Swap to user "UEHLING"
The job is now running under user "UEHLING". If the application fails, the job continues to run under "UEHLING"
Scope Message provides the ability to clean up or swap back to the original user.
Code example follows...

Scope Message program


/* Sign on with an *ALLOBJ user to create this program. Create this  */
/* program with USRPRF(*OWNER) in order to adopt authority required  */
/* to get a profile handle for a USRPRF.                             */
PGM
DCL &ERRCDE *CHAR 8 VALUE(X'0000000000000000')
DCL &MSGKEY *CHAR 4 VALUE(X'00000000')
DCL &HNDLCUR *CHAR 12 VALUE(' ')
DCL &HNDL *CHAR 12 VALUE(' ')
/* Call QSYGETPH to get a profile handle for the current user. */
CALL QSYS/QSYGETPH ('*CURRENT' '*NOPWDCHK' &HNDLCUR)
/* The following API will send a scope message that causes program   */
/* SCOPEPGM in library QGPL to be called when this program ends      */
/* either normally or abnormally.                                    */
CALL QSYS/QMHSNDSM +
     ('*CSE      '            /* Scope type             */ +
      'SCOPEPGM  QGPL      '  /* Scope program name     */ +
      &HNDLCUR                /* Scope data             */ +
      X'0000000C'             /* Scope data length - 12 */ +
      &MSGKEY                 /* Message key            */ +
      &ERRCDE)                /* Error code             */
/* Call QSYGETPH to get a profile handle for a user. NOTE: Change    */
/* XXX to the user who you want to swap to.                          */
CALL QSYS/QSYGETPH ('XXX' '*NOPWDCHK' &HNDL)
/* Call QWTSETP to swap to the profile. */
CALL QSYS/QWTSETP &HNDL
ENDPGM

Scope Handling program


PGM (&DATA) /* SCOPEPGM */
/********************************************************************/
/* This program is called when the invocation that ran the          */
/* QMHSNDSM API returns either normally or abnormally.              */
/********************************************************************/
DCL &DATA *CHAR 12 /* Data received as input when this scope    */
                   /* handling program is called. This data     */
                   /* is variable length and is declared and    */
                   /* set by the program that issues the        */
                   /* QMHSNDSM API.                             */
                   /* For this test program, pass the 12        */
                   /* byte profile handle of the original       */
                   /* user obtained via *CURRENT on QSYGETPH.   */

/* Program logic to cleanup. */

/* Call QWTSETP to swap back to the original profile. */
CALL QSYS/QWTSETP &DATA
/* Call QSYRLSPH to release the profile handle. */
CALL QSYS/QSYRLSPH &DATA

ENDPGM

User domain objects

Creating User Domain Objects


You are not guaranteed that you will be able to create user domain user objects (*USRSPC, *USRIDX, and *USRQ) in any library
The QALWUSRDMN system value controls into which libraries/directories the objects can be created.
QTEMP is the only library that can always contain user domain versions of these objects.

User domain objects are a security risk because they can be directly read on any security level

Summary

Run at security level 50
Set the security related System Values and lock them down
Use the Security Audit Journal
Protect your sensitive objects with object security
Use Firewalls and intrusion monitors

Special notices
This document was developed for IBM offerings in the United States as of the date of publication. IBM may not make these offerings available in
other countries, and the information is subject to change without notice. Consult your local IBM business contact for information on the IBM
offerings available in your area.
Information in this document concerning non-IBM products was obtained from the suppliers of these products or other public sources. Questions
on the capabilities of non-IBM products should be addressed to the suppliers of those products.
IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give
you any license to these patents. Send license inquiries, in writing, to IBM Director of Licensing, IBM Corporation, New Castle Drive, Armonk, NY
10504-1785 USA.
All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives
only.
The information contained in this document has not been submitted to any formal IBM test and is provided "AS IS" with no warranties or
guarantees either expressed or implied.
All examples cited or described in this document are presented as illustrations of the manner in which some IBM products can be used and the
results that may be achieved. Actual environmental costs and performance characteristics will vary depending on individual client configurations
and conditions.
IBM Global Financing offerings are provided through IBM Credit Corporation in the United States and other IBM subsidiaries and divisions
worldwide to qualified commercial and government clients. Rates are based on a client's credit rating, financing terms, offering type, equipment
type and options, and may vary by country. Other restrictions may apply. Rates and offerings are subject to change, extension or withdrawal
without notice.
IBM is not responsible for printing errors in this document that result in pricing or information inaccuracies.
All prices shown are IBM's United States suggested list prices and are subject to change without notice; reseller prices may vary.
IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply.
Any performance data contained in this document was determined in a controlled environment. Actual results may vary significantly and are
dependent on many factors including system hardware configuration and software design and configuration. Some measurements quoted in this
document may have been made on development-level systems. There is no guarantee these measurements will be the same on generally-available systems. Some measurements quoted in this document may have been estimated through extrapolation. Users of this document
should verify the applicable data for their specific environment.

Revised September 26, 2006



Special notices (cont.)


IBM, the IBM logo, ibm.com, AIX, AIX (logo), AIX 6 (logo), AS/400, Active Memory, BladeCenter, Blue Gene, CacheFlow, ClusterProven, DB2, ESCON, i5/OS, i5/OS
(logo), IBM Business Partner (logo), IntelliStation, LoadLeveler, Lotus, Lotus Notes, Notes, Operating System/400, OS/400, PartnerLink, PartnerWorld, PowerPC, pSeries,
Rational, RISC System/6000, RS/6000, THINK, Tivoli, Tivoli (logo), Tivoli Management Environment, WebSphere, xSeries, z/OS, zSeries, AIX 5L, Chiphopper, Chipkill,
Cloudscape, DB2 Universal Database, DS4000, DS6000, DS8000, EnergyScale, Enterprise Workload Manager, General Purpose File System, GPFS, HACMP,
HACMP/6000, HASM, IBM Systems Director Active Energy Manager, iSeries, Micro-Partitioning, POWER, PowerExecutive, PowerVM, PowerVM (logo), PowerHA, Power
Architecture, Power Everywhere, Power Family, POWER Hypervisor, Power Systems, Power Systems (logo), Power Systems Software, Power Systems Software (logo),
POWER2, POWER3, POWER4, POWER4+, POWER5, POWER5+, POWER6, POWER7, pureScale, System i, System p, System p5, System Storage, System z, Tivoli
Enterprise, TME 10, TurboCore, Workload Partitions Manager and X-Architecture are trademarks or registered trademarks of International Business Machines Corporation
in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (®
or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be
registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at
www.ibm.com/legal/copytrade.shtml
The Power Architecture and Power.org wordmarks and the Power and Power.org logos and related marks are trademarks and service marks licensed by Power.org.
UNIX is a registered trademark of The Open Group in the United States, other countries or both.
Linux is a registered trademark of Linus Torvalds in the United States, other countries or both.
Microsoft, Windows and the Windows logo are registered trademarks of Microsoft Corporation in the United States, other countries or both.
Intel, Itanium, Pentium are registered trademarks and Xeon is a trademark of Intel Corporation or its subsidiaries in the United States, other countries or both.
AMD Opteron is a trademark of Advanced Micro Devices, Inc.
Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries or both.
TPC-C and TPC-H are trademarks of the Transaction Performance Processing Council (TPPC).
SPECint, SPECfp, SPECjbb, SPECweb, SPECjAppServer, SPEC OMP, SPECviewperf, SPECapc, SPEChpc, SPECjvm, SPECmail, SPECimap and SPECsfs are
trademarks of the Standard Performance Evaluation Corp (SPEC).
NetBench is a registered trademark of Ziff Davis Media in the United States, other countries or both.
AltiVec is a trademark of Freescale Semiconductor, Inc.
Cell Broadband Engine is a trademark of Sony Computer Entertainment Inc.
InfiniBand, InfiniBand Trade Association and the InfiniBand design marks are trademarks and/or service marks of the InfiniBand Trade Association.
Other company, product and service names may be trademarks or service marks of others.

Revised February 9, 2010



Trademarks and Disclaimers


Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other
countries, or both.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered
trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.
ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and are used under license
therefrom.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.
Information is provided "AS IS" without warranty of any kind.
The customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual
environmental costs and performance characteristics may vary by customer.
Information concerning non-IBM products was obtained from a supplier of these products, published announcement material, or other publicly available sources and does
not constitute an endorsement of such products by IBM. Sources for non-IBM list prices and performance numbers are taken from publicly available information,
including vendor announcements and vendor worldwide homepages. IBM has not tested these products and cannot confirm the accuracy of performance, capability, or
any other claims related to non-IBM products. Questions on the capability of non-IBM products should be addressed to the supplier of those products.
All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
Some information addresses anticipated future capabilities. Such information is not intended as a definitive statement of a commitment to specific levels of performance,
function or delivery schedules with respect to any future products. Such commitments are only made in IBM product announcements. The information is presented here
to communicate IBM's current investment and development activities as a good faith effort to help with our customers' future planning.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any
user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage
configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput or performance improvements
equivalent to the ratios stated here.
Prices are suggested U.S. list prices and are subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your
geography.
