DRDA server access control exit programs

 

A security feature of the Distributed Relational Database Architecture™ (DRDA®) server, for use with both Advanced Program-to-Program Communication (APPC) and TCP/IP, extends the use of the DDMACC parameter of the Change Network Attributes (CHGNETA) command to DRDA.

The parameter previously applied only to DDM file I/O access. The DRDA usage of the function is limited to connection requests, however, and not to requests for data after the connection is made.

If you do not choose to use this security function, you normally do not need to do anything. The only exception is if you are currently using a DDM exit program that is coded to reject operations if an unknown function code is received, and you are also using DRDA to access data on that system. In this case, change your exit program so that a '1' is returned to allow DRDA access if the function code is 'SQLCNN '.

To use the exit program for blocking or filtering DRDA connections, create a new DRDA exit program, or change an existing one.

If your system is configured with multiple databases (ASP groups), the exit program must reside in a library in the system database (on an auxiliary storage pool in the range 1-32).

You can find general instructions for creating a DRDA exit program in the Distributed data management topic.

This security feature adds a DRDA function code to the list of request functions that can be input to the program in the input parameter structure. The function code, named 'SQLCNN ' (SQL connect request), indicates that a DRDA connection request is being processed (see the FUNC parameter in Example: DRDA server access control exit program). The APP (application) input parameter is set to '*DRDA ' instead of '*DDM ' for DRDA connection request calls.

When you code exit programs for DRDA, the following fields in the parameter structure might be useful:

If the exit program returns a RTNCODE value of 0, and the connection request came from an i5/OS® client, then the message indicating the connection failure to the user will be SQ30060, User is not authorized to relational database ... In general, the response to a denial of access by the exit program is the DRDA RDBATHRM reply message, which indicates that the user is not authorized to the relational database. Different client platforms might report the error differently to the user.

 

Restrictions:

 

Parent topic:

Security

 

Related concepts


Object-related security for DRDA
Distributed data management

 

Related reference


Reclaim Activation Group (RCLACTGRP) command
Change Network Attributes (CHGNETA) command