
Exit points and Multi-Factor Authentication on IBMi


The Challenge

One of our customers had, many years ago, granted ODBC access to their IBM Power server to one of their salespeople. The purpose was to populate a library (DATAEXT) each morning with data extracted from the stock, purchase order and sales order files; the salesperson had built a spreadsheet that pulled this data down in a format he preferred, to help him allocate stock. Nothing in the ODBC connection itself limited him to that library: an ODBC session can read any file the user profile is authorised to. The customer later became aware that, with no ill intent but perhaps a lax adherence to the rules, the salesperson had begun querying the live files directly rather than the DATAEXT library. They wanted to shut this down and ensure that only the data they chose was reachable over ODBC.

The Solution

The solution was to use the SQL (database server) exit points built into IBM i to control access. A new profile would be created to handle ODBC requests, but the customer also wanted assurance that whoever was at the keyboard was actually authorised to use that profile.

Rather than relying on a password alone, MNIS implemented iGAT (IBMi Google Authenticator) to add multi-factor authentication. iGAT is a utility that integrates with the Google Authenticator app available from the Apple and Android app stores. It is part of the Exit Point Integrator (EPI) package, which handles all the major exit points on IBMi, so the whole solution was self-contained, with no need to jury-rig two packages together.
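For readers who want to see what the phone app and the server are actually agreeing on: Google Authenticator implements TOTP (RFC 6238), a time-based HMAC over a shared secret, and the server side simply recomputes the code for the current 30-second step and compares. The block below is an added example written for this page in Python; it is not iGAT's or EPI's code, and how iGAT stores secrets or handles drift is not described on the page, so the one-step drift window and the replay check are assumptions about what a careful implementation does. The secret and timestamps are the published RFC 6238 test values, not a real enrolment.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # Google Authenticator's time step
DIGITS = 6          # length of the code shown in the app
DRIFT_STEPS = 1     # accept one step either side to tolerate clock skew (assumption)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically
    truncated to a 31-bit integer, then reduced to the last `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time step."""
    return hotp(key, at // step)


def decode_secret(base32_secret: str) -> bytes:
    """Google Authenticator enrols with a base32 secret, often shown unpadded."""
    s = base32_secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


class TotpVerifier:
    """Server-side check of the six-digit code a user keys in.

    Remembers the last accepted time step so a code cannot be replayed
    within its validity window: each code is good exactly once."""

    def __init__(self, base32_secret: str) -> None:
        self.key = decode_secret(base32_secret)
        self.last_accepted_step = -1

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        if now is None:
            now = int(time.time())
        if not (code.isdigit() and len(code) == DIGITS):
            return False
        current = now // STEP_SECONDS
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if step <= self.last_accepted_step:
                continue  # already used, or older than one already used
            # constant-time compare so timing does not leak digit matches
            if hmac.compare_digest(hotp(self.key, step), code):
                self.last_accepted_step = step
                return True
        return False


# RFC 6238 test secret (ASCII "12345678901234567890") in base32. Constructed
# example only; a real enrolment generates a random secret per user.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    v = TotpVerifier(TEST_SECRET_B32)
    print(totp(v.key, 59))             # 287082, as in RFC 6238 appendix B
    print(v.verify("287082", now=59))  # True
    print(v.verify("287082", now=59))  # False: same code replayed
```

The replay check is the part most home-grown verifiers forget: without it, a code shoulder-surfed from a 5250 screen is still valid for the rest of its 30-second step plus the drift window.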

To begin with, the EPI software was run in monitoring mode: it blocked nothing and only gathered information about who was coming through the exit points and what they were touching. This identified another user who was running a file transfer that would have been affected once the security was in place, so the customer had peace of mind that when enforcement began there would be no hidden surprises. A new user profile was then created and Google Authenticator was set up on authorised staff members' mobile devices. They could sign on to the IBMi system, enter the code shown by the app, then run their data extracts much as they had before. The new profile was authorised only to the libraries required and had no access to the live data.

To provide maximum usability, two options were made available for entering the code. The first was a traditional 5250 screen, where the user keys in the code and confirms it. The second was a small application installed on the user's PC, which submits the code to iGAT without a 5250 sign-on first.

The Benefits

Using this solution meant:

1. Minimal change was required to the sales staff user profiles: because they were not enrolled in iGAT they could not get through the SQL exit point at all, yet they could still reach live data in the ways they were meant to, through the programs and menus provided in 5250.
2. The customer could lock down access to the extract profile. Staff might share passwords, but they cannot share their mobile devices, so the customer could be confident that only authorised users were active.
3. EPI handles a large number of exit points, so once this was in place we began discussing locking down other data access routes, such as FTP.