
APAR= II09334
CA400WIN-CA400OPT-ODBC SECURITY ISSUES WITH CLIENT ACCESS/400
AND ODBC

*** This is a continuation of II09333 ***

-ODBC User Exit (Database Server User Exit)
 Client Access ODBC requests use the IBM supplied
 Database server's four user exit points.
  To allow read only access to data, QIBM_QZDA_NB1 and
  QIBM_QZDA_SQL1 must be monitored.

  QIBM_QZDA_INIT
  This is called once at server initialization: i.e. an ODBC
  connect.  Obviously, this is the ideal exit to use for a
  query governor or to completely reject incoming requests.

  QIBM_QZDA_NB1
  This exit is called for 'native' database requests.  An exit
  program should monitor this exit point to block or restrict
  database file functions such as Delete file, Clear file (erase
  all data), certain create file commands, etc.

 QIBM_QZDA_SQL1
 This exit point processes the data related to SQL requests.
 The first 512 bytes of the SQL statement are passed to the
 exit program.  NO PARSING OR PREPROCESSING OF THE
 STATEMENT IS DONE.  The programmer writing the exit program
 must parse the statement and interpret its content.  For
 example, to limit certain users to read only access, the exit
 program would have to scan each string for any SQL function
 that can update, delete, or insert data into a file.  There
 is significant overhead associated with using this exit point
 since it is called for each SQL request.  Object level
 security should be considered first.
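 The classification such an exit program has to do for itself,
 written here in C as an added illustration (not IBM code, and
 not the exit program's real parameter format, which is left
 out): it takes the 512 bytes the server passes and decides
 whether a read only user may run the request.  The keyword
 lists, sample statements and function names are constructed
 for the example; ASCII text is assumed, whereas the real exit
 receives the statement in the system's own character set.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

#define ZDA_SQL_PREFIX 512   /* the exit sees at most this many bytes of the statement */
/* Whole-word keywords that change data or objects (constructed list, not exhaustive). */
static const char *const MODIFYING[] = { "INSERT", "UPDATE", "DELETE", "MERGE", "DROP",
    "ALTER", "CREATE", "TRUNCATE", "CALL", "GRANT", "REVOKE", "RENAME", NULL };
/* The only keywords a read only user may begin a statement with. */
static const char *const READ_START[] = { "SELECT", "WITH", "VALUES", NULL };
static bool in_list(const char *w, size_t n, const char *const *list) {
    for (; *list; ++list)
        if (strlen(*list) == n && memcmp(w, *list, n) == 0) return true;
    return false;
}
/* Decide whether the first ZDA_SQL_PREFIX bytes of a request are read only.
 * Tokenises on identifier characters (so DELETED_FLAG is not DELETE) and skips
 * 'literals' and -- comments (so a quoted 'DELETE' does not trip it).
 * Anything not positively recognised as read only is rejected (fail closed). */
bool zda_sql1_is_read_only(const char *stmt, size_t len) {
    char w[32]; size_t n = 0; bool first = true;
    if (len > ZDA_SQL_PREFIX) len = ZDA_SQL_PREFIX;   /* bytes past the prefix are invisible */
    for (size_t i = 0; i <= len; ++i) {
        unsigned char c = i < len ? (unsigned char)stmt[i] : ' ';  /* ' ' sentinel flushes last word */
        if (isalnum(c) || c == '_') { if (n < sizeof w - 1) w[n++] = (char)toupper(c); continue; }
        if (n) {                                      /* a word just ended: classify it */
            if (first && !in_list(w, n, READ_START)) return false;
            if (in_list(w, n, MODIFYING)) return false;
            first = false; n = 0;
        }
        if (c == '\'') {                              /* skip a literal; unterminated => reject */
            for (++i; i < len && stmt[i] != '\''; ++i) {}
            if (i >= len) return false;
        } else if (c == '-' && i + 1 < len && stmt[i + 1] == '-') {
            while (i < len && stmt[i] != '\n') ++i;   /* skip a -- comment to end of line */
        }
    }
    return !first;                                    /* an empty request is not "read only" */
}
bool sql_text_is_read_only(const char *s) { return zda_sql1_is_read_only(s, strlen(s)); }
/* The limit the text warns about: a write placed beyond byte 512 never reaches the
 * exit, which is why object level authority, not this exit, must be the primary control. */
bool prefix_limit_demo(void) {
    static char buf[600];
    const char *head = "select 1 from sysibm.sysdummy1", *tail = "; delete from t";
    memset(buf, ' ', sizeof buf);
    memcpy(buf, head, strlen(head));
    memcpy(buf + 540, tail, strlen(tail));
    return zda_sql1_is_read_only(buf, sizeof buf);   /* true: the exit cannot see the DELETE */
}
```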

 QIBM_QZDA_ROI1
 This exit point is called for requests that retrieve
 information about objects on the data base server (catalog
 requests). Information can only be retrieved.

 CAUTION:  Different ODBC drivers use different servers.  You
 may secure the IBM Database Server via a user exit but other
 ODBC drivers may not use this.  Some of the AS/400 ODBC
 drivers use the remote SQL server.  Many OEM ODBC drivers
 supply their own server program on the AS/400 or use DRDA
 or DDM.

 DRDA (a type of DDM request) uses the SQL Client Integration
 exit point.  This exit point was not documented in R310.
 See a R360 or later System API Reference (SC41-4801),
 the chapter on File APIs for details.

 DDM user exits are documented in the DDM manual.  See
 the Distributed Data Management under the references.

  For detailed information reference the manual OS/400 Server
  Concepts & Administration or your OEM ODBC driver
  documentation.

- ODBC INI file restrictions
  ODBC supports a query timeout that can be set via an ODBC API
  call.  Release R311 or later of Client Access for
  Windows 95/NT implements this function.


  Some ODBC drivers support a 'read only' ini file setting.
  Although not secure, this setting can assist in preventing
  'accidental' delete or update operations.  The R320 Client
  Access for Windows 95/NT ODBC driver supports this
  function.


SECURITY TOOLS
--------------
  IBM has a Security Toolkit available for V2R3 and above systems
  to assist in analysing system security.  At the time of the
  last update for this APAR, it was available for free from
  IBM DIRECT.
  Call 1-800-426-2255 and request THE SECURITY TOOLKIT
  FOR OS/400.
  PRPQs:
  R230 and R305 - PRPQ P84277, LP 5799-XDH
  R310          - PRPQ P84280, LP 5799-XJD
  R360          - PRPQ P84281, LP 5799-XDK

ADDITIONAL ASSISTANCE
---------------------
  In-depth security reviews and assistance implementing the
  strategies above are available through IBM Consultline
  1-800-274-0015.
  Please consult the following manuals for in-depth information
  on specific topics:
  SC41-3740   OS/400 Server Concepts and Administration
  SC41-3302   AS/400 Security - Reference
  SG24-4526   AS/400 Client/Server Performance using the
              Windows 3.1 Client (redbook)
  SC41-3533   Client Access Windows 3.1 Client for OS/400
              ODBC User's Guide
  GG24-4249   DATABASE 2/400 Advanced Database Functions
              (redbook)
  SC41-9609   AS/400 DB2/400 Database Programming
  SC41-3443   Advanced Program-to-Program Communications
              Programming
  SC41-3307   Distributed Data Management
  SC41-3305   OS/400 Backup and Recovery - Advanced


PROBLEM SUMMARY:
PROBLEM CONCLUSION:
TEMPORARY FIX:
COMMENTS:
close
MODULES/MACROS:
SRLS:
RTN CODES:
APPLICABLE COMPONENT LEVEL/SU:
CIRCUMVENTION:
MESSAGE TO SUBMITTER:

CUST NAME= IBM INTERNAL                       CUST NO= 9999999
   STREET=                                    PROB NO= 99999
     CITY=                                    LICENSE=
      ZIP=

IBM REP= DAVID DILLING                   PH#= 999-9999
ADDRESS= IBM ROCHESTER                   REGION = AR#99
         3605 HWY 52 N                   B.O. NO= B999
         ROCHESTER , MN                  COUNTRY= C000
         USA                              55901
           PIN INFO-AS-400-349 II09334-DD-DOC
F   -     -     -
END OF ABSTRACT   FESN5NFO000-000
REPORTED RELEASE    R310
