Use Security and Job APIs with User Defined Servers

I have previously covered the Profile Handle APIs that let you change a job’s current user on the fly. Given the changes to the profile handle APIs that came with release 5.3, I’m revisiting this topic and adding a discussion of the server job concept. The profile-swapping technique that the Profile Handle APIs enable directly targets the requirement of server jobs being able to impersonate the user profiles on the behalf of which the server jobs perform their duties.

Combined with the ability to initialize certain critical job attributes to reflect the user profile being swapped to (and back), provided by the Change Job (QWTCHGJB) API, today’s example should arm you with the API knowledge and techniques required to program and build your own servers.

To demonstrate the API programming involved I’ve created the Override User Profile (OVRUSRPRF) command. And to set you up to configure and implement user-defined TCP/IP servers that let you control and manage your own server jobs using the same interfaces and commands as IBM’s TCP/IP servers, I’ve included links to a couple of excellent IBM articles discussing and demonstrating in great detail how this is done.

IBM added the ability to create user-defined servers with release 5.2, thereby offering in-house-developed servers the same facilities to control and manage your own server jobs as used for performing these tasks for IBM’s TCP/IP servers. This implies that you can use the Start TCP/IP Server (STRTCPSVR) and End TCP/IP Server (ENDTCPSVR) commands to start and end user-defined servers, respectively, and the Change TCP/IP Server (CHGTCPSVR) command to control whether the user-defined server should start automatically together with the other servers that have been configured with the AUTOSTART(*YES) attribute. Likewise, you can use all available Navigator for i facilities that provide management and monitoring interfaces to TCP/IP servers and server jobs.

As for green-screen facilities, I also need to mention the Add TCP/IP Server (ADDTCPSVR) and the Remove TCP/IP Server (RMVTCPSVR) commands that provide the actual means of creating and removing a user-defined server, respectively. Note that both commands require Input/Output System Configuration (*IOSYSCFG) and All Object (*ALLOBJ) special authorities.

For a user-defined server to be fully and safely operational, quite a few pieces need to be fitted correctly together. As I mentioned, I’ve included links (at the end of this article) to a couple of articles written by IBM experts revealing the facts of the matter. In one article, Dawn May discusses the requirements and considerations related to creating a user-defined server, and in another article Bob Bittner walks you through all the steps that need to be performed in the user-defined server configuration process and shows you how to set up the OpenSSH server that IBM offers as part of the free product 5733-SC1 IBM Portable Utilities for i5/OS, as a user-defined server.

Bittner’s article, however, doesn’t explain how the OpenSSH server itself is installed and configured, but as luck would have it Scott Klement, the editor of this newsletter, has previously written an article thoroughly explaining all the bits and parts involved in meeting this challenge, and I provide the link at the end of this article. So as a bonus, following the documentation and the instructions in the aforementioned articles you’ll be able to set up OpenSSH as a TCP/IP service on your system. Given the wealth of information available in said articles, the scope of this article will remain at the level of briefly describing the main considerations and efforts that are part of creating a user-defined server.

Download the save file containing the source code.

Read the entire article

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s