Exit Programs, Audit Trails and APIs
Question: All the Exit Program examples I see are in the C Language. Is it possible to write Exit Programs in RPG?
Answer: Yes, but you must write a data structure the same as the one in the C header file. The C header file is H/QSYSINC. This include is also available for other languages in QSYSINC/QRPGSRC, QSYSINC/QRPGLESRC, QSYSINC/QLBLSRC, and QSYSINC/QCBLLESRC.
Question: I have been asked to find out how AS/400 users can change their passwords using a web browser application. We will synch user info to the NT Domain server to enable validation and signon. The AS/400 passwords expire every 30 days. The users must be able to maintain their passwords without leaving the web application (a combination of Cold Fusion, Javascript and HTML). Off the shelf packages are OK, or IBM supplied API that support some sort of encryption (we don't want passwords xmitted over the internet in the clear.) Any and all suggestions are appreciated. (12/99)
Answer 1: If Java is an option then you can use the Java ToolKit for AS/400. The code used to exchange and/or change passwords is encrypted out the wazoo before it is sent over the net. Unless you are going to use some sort of strong encryption for sending the password from the browser (implemented in an applet) to the http server I would suggest supporting SSL on the www server.
Answer 2: There are two APIs, from V3R7, that allow you to send encrypted passwords from one machine to another: QSYRUPWD (retrieve encrypted password) and QSYSUPWD (set encrypted password). These two APIs can (and are meant to) be used together to sync passwords between AS/400s.
QSYRUPWD retrieves the DES5 encrypted version of the password from the user password table. This value is already encrypted.
QSYSUPWD sets a user's password in the table to the supplied value (using an encrypted value retrieved by QSYRUPWD). At no point is the password decrypted into its plain text form.
Passing this encrypted value over the network should be fairly safe (as safe as passing any encrypted data can be). I myself would probably double encrypt it with another public domain routine (such as Blowfish) just to obscure the data even more.
One thing, however, is to ensure that the multiple systems you are trying to sync passwords between are using the same password-limiting system values, so that the passwords can be synced.
Audit Trails
Question: We are getting the following authorization failures in our audit journal:
1. PFRMON is getting an Authorization Failure (code A = Unauthorized Object Access Attempt) accessing the library ODS400. What functions does PFRMON access individual libraries for?
2. Another job is getting an Authorization Failure (code D = a program accessed an object through an unsupported interface, or a callable program not listed as a callable API). We are getting _flooded_ with these in QAUDJRN; QAUDJRN is about a GB/day. This is a vendor program; we have no source, and no response from the vendor yet.
Answer 1: Some programs try to get authority to every library in your library list. This is true with IBM's program when you STRTCPSVR (either *DNS or *DHCP, I forget which one), as an example.
The workaround was to make sure there are no user libraries in the job's library list.
Answer 2: Item 2 looks like you are running at level 40/50 with third-party software that does not support that level.
Question: I have some programs that are doing security-like functions. To stay ahead of the auditors I would like to write entries to the security journal.
1.) Can a user application write to QAUDJRN?
2.) If so, how?
Answer 1: Any user can basically write to any IBM journal. All journals are the same object type. However, the security audit journal (QAUDJRN) is one that contains basic security information based on how the values and auditing levels are set.
You can write to a journal (including QAUDJRN) through the basic IBM command of SNDJRNE. Be aware that any entry you write in this fashion is always a "U" code entry (user entry). You can include any type code you desire.
Answer 2: The Send Journal Entry (QJOSJRNE) API can do this. It is documented in the Journal and Commit APIs chapter of the System API Reference.
A sample insertion from the command line would be:
call qjosjrne ('QAUDJRN   *LIBL' x'00000000' 'User test' x'00000009' x'00000000')
which DSPJRN JRN(QAUDJRN) FROMTIME('1998/12/09') then shows as:
91179 U 00 QPADEV0025 10:24:54
Column  *...+....1....+....2....+....3....+....4....+....5
00001   'User test'
See the API documentation for more options that the API provides.
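Two points above matter when QAUDJRN is copied to a database file and queried: the flood of AF (authority failure) entries with violation type A or D, and the fact that anything a user writes with SNDJRNE or QJOSJRNE always carries journal code U. The following added example (not from the original page) triages constructed records laid out like the DSPJRN outfile columns JOSEQN, JOCODE, JOENTT, JOJOB, JOUSER, JOPGM and JOESD; the job and program names in the sample rows are made up, and it assumes, as the AF entry format documents, that the first byte of the entry-specific data is the violation type.

```python
from collections import Counter

# Constructed sample rows in DSPJRN-outfile column order:
# (JOSEQN, JOCODE, JOENTT, JOJOB, JOUSER, JOPGM, JOESD)
# Job/program names are invented for the example.
SAMPLE_ROWS = [
    (91170, "T", "AF", "PFRMON",     "QPGMR",  "PFRPGM", "A ODS400    *LIB"),
    (91171, "T", "AF", "VNDJOB",     "APPUSR", "VNDPGM", "D QSYS      *PGM"),
    (91172, "T", "AF", "VNDJOB",     "APPUSR", "VNDPGM", "D QSYS      *PGM"),
    (91173, "T", "AF", "VNDJOB",     "APPUSR", "VNDPGM", "D QSYS      *PGM"),
    (91174, "T", "AF", "BATCHJOB",   "OPR",    "BATPGM", "A PAYLIB    *FILE"),
    # Code U entries come from SNDJRNE/QJOSJRNE, not from the system,
    # however official their text looks; the first one mimics an AF record.
    (91175, "U", "00", "QPADEV0025", "JOE",    "QCMD",   "D written by SNDJRNE"),
    (91179, "U", "00", "QPADEV0025", "JOE",    "QCMD",   "User test"),
]

# Violation types named on this page (the AF entry defines more).
VIOLATION_TYPES = {
    "A": "unauthorized object access attempt",
    "D": "object accessed through an unsupported interface",
}

def af_counts(rows):
    """Count system-generated authority failures by (violation type, job, program).
    Only journal code T, entry type AF counts; code U rows are user data."""
    counts = Counter()
    for _seq, code, enttype, job, _user, pgm, esd in rows:
        if code == "T" and enttype == "AF":
            counts[(esd[:1], job, pgm)] += 1
    return counts

def user_entries(rows):
    """Sequence numbers of user-written (code U) entries, listed for separate review."""
    return [seq for seq, code, *_ in rows if code == "U"]

def report(rows):
    """Triage lines, most frequent authority failures first."""
    lines = []
    for (vtype, job, pgm), n in af_counts(rows).most_common():
        meaning = VIOLATION_TYPES.get(vtype, "other violation type")
        lines.append(f"{n:5d} x AF/{vtype} ({meaning}) job={job} pgm={pgm}")
    lines.append(f"user-written (U) entries excluded from AF counts: {len(user_entries(rows))}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ROWS)))
```

On a real system the same grouping over the outfile quickly shows which job and program are producing the GB/day of type D entries, and keeps user-sent entries from being mistaken for system evidence.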
Question: I have a requirement to audit particular OS400 commands - across all users. Is there any simple way to do this?
Answer: By doing a CHGOBJAUD on the commands you are interested in, and then turning on system value QAUDCTL.
Question: My company is considering buying some application for auditing our AS/400 systems. Can you share your opinions about available products, and any pros or cons of using a given third-party solution at all (vs. just copying the security journal to database files and querying them...)? (6/2000)
Answer 1: Pentasafe is an AS/400 product that could be used to do a variety of things. It has basically automated everything that you could check. One problem however, is that it is very steep price-wise.
I would recommend doing it in house unless you get a lot of pressure from up above to secure your environment. Exit points, journalling, etc. can be used to monitor and maintain security.
Answer 2: For a proven and cost effective solution, check out Rapport Software's Audit Master (www.rapportsoftware.com). They've been selling AS/400 auditing software in Europe since the beginning of the AS/400.
If you're also interested in auditing network traffic into your AS/400, check out our PowerLock Network Security software. The audit portion is free, and can be downloaded from our website at www.400security.com. It also interfaces nicely with Rapport's Audit Master.
Question: What AS/400 Journals, programs or methods, if any, will audit programmer jobs? (12/99)
Answer : Have you tried walking past the person's desk to see what they're up to?