24
Sun, Nov
1 New Articles

Case Study: Implementing Application-only Access

Case Studies
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Previous Midrange Computing articles have introduced and described a new security model called application-only access. (For more information, see "Application-only Access: Implementing the Strategy," MC, February 1996 and "Application-only Access: Security Exposures Revealed," MC, January 1996.) Security expert Wayne O. Evans developed application-only access after realizing that most existing security methods were inadequate in the face of networked tools and utilities such as ODBC and FTP. This month, I'm going to focus on how one company, Joseph E. Seagram and Sons, implemented application-only access.

Seagram, an international beverage and entertainment company, is in the process of a financial systems consolidation. Six business units across North America currently use different mainframe financial systems that will migrate to a single AS/400 running JD Edwards (JDE) software. Seagram has a worldwide network of systems, including 50 AS/400s running V2R3 and V3R1, a handful of mainframes, and thousands of PCs and UNIX systems. With all the different systems worldwide, security of data has become a greater concern for management.

The JDE application provides green-screen security but has never integrated or supported any other types of security in the application. The JDE security mechanism is implemented through a customized data access routine, leaving all other access methods wide open. This means that if a JDE user accesses the JDE data outside of the JDE application, he has complete access to the data. Take this problem to the next level, and that user could download the balances file, modify a certain account balance, and upload the changed file. No one would know the file was modified because that user is authorized to the file and no audit trail would have been created.

MIS notified management of this security hole and filled it by adding an exit program to the OS/400 registration database using the Work with Registration Information (WRKREGINF) command. That single change prevented all users from using any PC Support-based or Client Access-based (original or optimized) file transfer program to upload anything to the system. This strategy provides excellent security from file transfer uploads, but since IBM has yet to address the security of certain TCP/IP programs to the AS/400 and Seagram is migrating to TCP/IP, any user with access to FTP (TCP/IP's file transfer program) could circumvent the Registration Database Exit program. Seagram's MIS wanted a secure environment and did not want to have to worry about every back door into the system. So they decided to implement application-only access.

After it was determined to implement application-only access, the implementation team (which consisted of Wayne O. Evans, Jeffrey Hare from JDE, and me) faced many challenges, but we were determined to make it work because we felt that the benefits of limiting user access exceeded the effort to hurdle the challenges. As the methodology for application-only access states, program and data objects should be secured from the user community unless a user is in the application.

We created the group profile GRPJDE for all JDE users in order to simplify security administration. The JDE data and program libraries and the objects in those libraries were secured from the group GRPJDE and from *PUBLIC. Only the owner of the objects, user profile JDE, had access. We modified the initial JDE program, J98INITA, to adopt the authority of user profile JDE.

Now, the group profile GRPJDE has *USE authority to the program J98INITA, and *PUBLIC has *EXCLUDE in order to ensure that only those users in group profile GRPJDE can run the application. (JDE has a second entry program, J98INIT, but the Seagram installation is using J98INITA exclusively. If Seagram were using this second entry program, we would have granted *USE access to the group profile GRPJDE.)

Once interactive users were able to gain access to JDE through adopted authority from the J98INITA program, batch reporting presented the following two problems.

Problem: Users were not authorized to libraries on the library list.

When a user profile adopts authority, batch jobs initiated by that user have the authority that the user profile had before that profile adopted. The adopted authority is not propagated to the batch job.

Solution: We granted *USE access of the JDE library objects (not the objects in the library) to the group GRPJDE. This change allowed the batch job to start running.

Problem: Users were not authorized to objects referenced by job.

Although the batch job started running, it ended abnormally because of the lack of authority to the objects the application referenced. (The batch job does not inherit the adopted authority of the user profile that initiated the job.)

Solution: We created a new subsystem, JDEBATCH, from a copy of QBATCH and modified it to route all requests to program JDEADOPT (see 1). The QBATCH subsystem's default routing data entry, QCMDI, calls program QCMD. Program JDEADOPT calls QCMD but also adopts the authority of user profile JDE. All jobs running through JDEBATCH adopt the authority. The JDEADOPT routing entry program allows access to the JDE programs and data.

Solution: We created a new subsystem, JDEBATCH, from a copy of QBATCH and modified it to route all requests to program JDEADOPT (see Figure 1). The QBATCH subsystem's default routing data entry, QCMDI, calls program QCMD. Program JDEADOPT calls QCMD but also adopts the authority of user profile JDE. All jobs running through JDEBATCH adopt the authority. The JDEADOPT routing entry program allows access to the JDE programs and data.

To secure the subsystem, we modified the authority for the single job queue (a JDE requirement) for JDEBATCH so that *PUBLIC is *EXCLUDE and GRPJDE is *CHANGE. Only user profiles in the group GRPJDE can add jobs to the job queue and, therefore, run batch jobs through JDEBATCH. To prevent other users from using the JDEADOPT program, the *PUBLIC authority is *EXCLUDE and only the GRPJDE group profile has access. We created additional protection by storing the JDEADOPT program in a library that is authorized only to the users of the GRPJDE group profile. This does allow users of the group GRPJDE to perform SBMJOB to the JDEBATCH subsystem, but end users have LMTCPB *YES and do not have access to a command line to submit a job. A registration database entry was added to prevent users from executing a remote command.

Once the users could sign on to the system, run JDE interactively, and submit reports, all was complete except for one minor detail. The JDE implementation team had suggested World VISTA, the JDE modified ShowCase VISTA product, as the end-user reporting tool that would satisfy end-user reporting requirements. With application-only access, we eliminated the end user's ability to access the data outside of JDE. We had to allow the users read-only access to the data. So we changed all of the JDE data objects to allow GRPJDE *USE access to the data, ensuring that they could use World VISTA to report.

While we were developing this security schema, the end users were live on a separate AS/400 (a 300 series), and we were preparing a new AS/400 320 in anticipation of many more sites and users. We set up the 320 with the application-only access in order to limit the capabilities of the end users when they signed on to the new system.

We could have implemented application-only access on the 300 without interfering with the end users, but we would have had to be careful regarding the subsystem JDEBATCH. As stated earlier, JDE requires a single-threaded job queue and subsystem. To implement application-only access on a live system, we would have had to migrate all the end users from QBATCH to JDEBATCH at one time.

Some minor issues related to PC access have come up, and we will solve them using other group profiles and exit programs. Uploading data to the AS/400 from a PC requires two things. The first requirement is an interface from an existing PC system. The Client Access exit program can be modified so that only one specific PC is able to upload particular data.

The second requirement is that some of our marketing users use a custom Excel application that interacts with one or two JDE data files through ODBC. These users will have GRPMKT as a supplemental group, along with GRPJDE as their primary group. GRPMKT will have *CHANGE access to those specific objects that the ODBC application interacts with.

Application-only access has some opponents, especially those who feel that the poor performance of object-authority checking outweighs the benefits. However, security on any system is vital for protection not only from hackers, but from errant employees, renegade consultants, and simple end-user accidents.

Also, the Primary Group Profile (PGP) authority that V3R1 added to objects speeds up authority checks if the job accessing the object has the authority of the object's owner. We used the PGP authority to grant the group profile GRPJDE *USE access to production data files, so the authority check is quick.

In summary, the system is very secure, security was greatly enhanced, and, most importantly, the end users have noticed no difference in their day-to-day interactions with the AS/400 and the JDE application.

William C. Rausch is a JDE and AS/400 technical specialist on the Global Reporting Team at Joseph E. Seagram and Sons, based in New York City. He holds a BA in Computer Science from Rutgers University. You can contact him at 212-572-7840 or by E-mail at This email address is being protected from spambots. You need JavaScript enabled to view it..

Implementing Application-only Access: A Case Study

Figure 1: Application-only Access Batch Environment


BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: