Exit points and Multi-Factor Authentication on IBMi
The Challenge
Many years ago, one of our customers wanted to give a salesperson access to download data into Excel and interrogate it. A job was set up on their IBM system to populate a set of data files, including stock, purchase orders, and sales orders. These were then made available to the salesperson via an ODBC connection.
The customer later became aware that, with no ill intent but a lax adherence to the rules, the salesperson had begun pulling from the live files instead. When the access was originally granted, the customer had not considered how they would track its usage.
The Requirements
After discussions with the customer, they wanted to lock this down and ensure that only the data they chose was available via the connection.
Previously the salesperson had used their own user profile for the connection; it was agreed that it would be better to set up a new profile specifically to handle the data extract.
The Solution
The solution was to use the SQL exit points built into the IBMi to control access. In brief, exit points are built into the operating system by IBM, but you will normally need to supply the exit programs that watch and control them. This is where the Exit Point Integrator (EPI) package came in.
EPI handles all major exit points on the IBMi, meaning that you don't have to set up piecemeal systems for different exit points.
As agreed, a new profile was created to handle ODBC requests. Rather than relying only on a password, iGAT (IBMi Google Authenticator) was implemented to add multi-factor authentication.
iGAT is a utility to integrate with the Google Authenticator app available on Apple and Android app stores. It comes as part of the EPI package, meaning again we can use a single solution to cover all requirements.
To begin with, the EPI software was run without blocking access, only gathering information for review. This identified another user who was running a file transfer that could have been affected once the security was in place. The result was that, when we went live, the customer had peace of mind that there would be no hidden surprises.
After the new user profile was created, the authenticator app was set up on authorised staff members' mobile devices. The new profile was authorised only to the libraries required and did not have access to any other data.
To provide maximum usability, multiple options were made available for the user to enter their PIN code. The first was a traditional 5250 screen, where the user could key in the code and confirm acceptance. The second was an application installed on the user's computer, which submitted the code without the user having to sign in to the IBMi system first.
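The access decision described above can be modelled as a small policy check. This is an added illustration, not EPI or iGAT code: the profile names, library names and the monitor/enforce flag are assumptions, and the "monitor first, then enforce" switch mirrors the information-gathering phase run before go-live.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Policy:
    enforce: bool                          # False = monitor-only: log, never block
    allowed: dict[str, set[str]]           # profile -> libraries reachable via ODBC
    mfa_enrolled: set[str] = field(default_factory=set)  # profiles enrolled in the authenticator

@dataclass
class Request:
    user: str
    library: str
    mfa_verified: bool = False             # True once the one-time code was accepted

def decide(policy: Policy, req: Request, audit: list[str]) -> bool:
    """Return True to allow the ODBC request. Every request gets an audit line."""
    reasons = []
    if req.user not in policy.mfa_enrolled:
        reasons.append("profile not enrolled for MFA")
    elif not req.mfa_verified:
        reasons.append("MFA code not verified")
    if req.library not in policy.allowed.get(req.user, set()):
        reasons.append(f"library {req.library} not authorised")
    if not reasons:
        audit.append(f"ALLOW {req.user} {req.library}")
        return True
    detail = "; ".join(reasons)
    if policy.enforce:
        audit.append(f"REJECT {req.user} {req.library}: {detail}")
        return False
    # Monitor phase: record what would be blocked so surprises surface before go-live
    audit.append(f"WOULD-REJECT {req.user} {req.library}: {detail}")
    return True

# Constructed sample (hypothetical names): ODBCXTR is the dedicated extract profile,
# SALES1 a salesperson's own profile, BATCHFT the unrelated file transfer found in monitoring
RULES = {"ODBCXTR": {"EXTRACTLIB"}}
POLICY_MONITOR = Policy(enforce=False, allowed=RULES, mfa_enrolled={"ODBCXTR"})
POLICY_LIVE = Policy(enforce=True, allowed=RULES, mfa_enrolled={"ODBCXTR"})
SAMPLE = [
    Request("ODBCXTR", "EXTRACTLIB", mfa_verified=True),
    Request("SALES1", "PRODLIB"),          # reading live files directly over ODBC
    Request("BATCHFT", "PRODLIB"),         # the other transfer surfaced by the monitor phase
]

def run(policy: Policy) -> tuple[list[bool], list[str]]:
    audit: list[str] = []
    return [decide(policy, r, audit) for r in SAMPLE], audit

if __name__ == "__main__":
    for p in (POLICY_MONITOR, POLICY_LIVE):
        print(*run(p)[1], sep="\n")
```

Running the monitor policy first shows which existing connections would break before anything is actually blocked.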
The Benefits
Using this solution meant:
1. Minimal change was required to the sales staff user profiles: since they were simply not enrolled in iGAT, they could not get through the SQL exit point. They could still access live data in other ways, such as through the programs and menus provided in 5250.
2. The customer could lock down access to the profile. While staff might share passwords, they couldn't share their mobile devices, giving peace of mind that only authorised users were active.
3. EPI handles most exit points, so once implemented we began discussions on locking down other data access routes such as FTP.
4. As an all-in-one solution, there was no risk of conflict between different packages.
For more information about how EPI could benefit your business you can either:
1. Read more details on the EPI software package
2. Watch videos detailing usage of EPI
3. Start a free 30-day trial of EPI
4. Contact us to discuss your specific needs