The Optim Exit in UNIX

Optim™ includes a mechanism that allows you to use a custom exit to apply an additional layer of security to Optim, beyond the extensive security already included in the product, to meet any security requirements mandated by your company or government regulations. This additional security layer is accomplished through a client-supplied exit that identifies who can use Optim and which executables each user can run.

Client-supplied exits are called user-supplied exits in Optim to differentiate them from the default exit supplied with Optim. The Optim default exit allows all requests by all users, within the security limitations defined for each user or user group via the security functionality included in Optim.

The default exit is intended for clients who do not need to use a user-supplied exit, although it may also be used as a temporary solution while you create your own, customized exit. If you use the default exit, Optim user security will function as it did before release 6.5.

If you implement a user-supplied exit, that exit will augment the extensive security functionality already included in Optim.

Note: A user-supplied exit may also be used to perform other functions, such as managing user accounts, monitoring user activity, forcing inactive sessions to time out, auditing product use, and overriding user authorization credentials.

Regardless of which exit you use (the default exit or your own exit), you must “sign” that exit before you can use Optim. After the exit is signed, Optim will invoke that exit at initialization and call it at various “exit points” in the program to determine whether Optim should continue with what it was about to do. An exit point is a point within a program at which an exit routine can take control to perform some external function. The exit allows you to

Optim will call the exit at each exit point to verify that the user's request meets your company standards, such as verifying that the user has permission to run a given executable. The first exit point occurs when the user launches Optim. If you use the exit to provide external security, that exit point determines whether the user has permission to access the product. If the user has the appropriate permissions, the user can continue; if not, Optim will terminate the user's session after displaying an appropriate error message. (See the Optim Initialization Exit Programmer's Guide for a complete list of the Optim exit points.)
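The following C sketch is an added illustration, not Optim code and not the interface documented in the Optim Initialization Exit Programmer's Guide. It models the decision a user-supplied exit makes at the launch exit point and when a user asks to run an executable; every type, function, user name, and executable name in it is a hypothetical or constructed value.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of an exit-point call; these names are NOT Optim's API. */
enum exit_point { POINT_LAUNCH, POINT_RUN_EXECUTABLE };
enum exit_rc { RC_CONTINUE = 0, RC_DENY = 1 };

struct policy_entry {
    const char *user;
    const char *const *executables; /* NULL-terminated list the user may run */
};

/* Constructed sample policy: user and executable names are made up. */
static const char *const alice_exes[] = { "archive_tool", "compare_tool", NULL };
static const char *const bob_exes[] = { "compare_tool", NULL };
static const struct policy_entry POLICY[] = {
    { "alice", alice_exes },
    { "bob", bob_exes },
};

/* Default deny: a request continues only if the policy explicitly allows it. */
enum exit_rc policy_exit(enum exit_point point, const char *user, const char *exe)
{
    const struct policy_entry *entry = NULL;
    for (size_t i = 0; user != NULL && i < sizeof POLICY / sizeof POLICY[0]; i++)
        if (strcmp(POLICY[i].user, user) == 0)
            entry = &POLICY[i];
    if (entry == NULL)
        return RC_DENY;      /* unknown user: refused at launch and afterwards */
    if (point == POINT_LAUNCH)
        return RC_CONTINUE;  /* known user may start a session */
    if (point != POINT_RUN_EXECUTABLE || exe == NULL)
        return RC_DENY;      /* unrecognised exit point or missing name */
    for (size_t i = 0; entry->executables[i] != NULL; i++)
        if (strcmp(entry->executables[i], exe) == 0)
            return RC_CONTINUE;
    return RC_DENY;          /* executable is not on this user's list */
}

int main(void)
{
    printf("bob launches: %d\n", policy_exit(POINT_LAUNCH, "bob", NULL));
    printf("bob runs archive_tool: %d\n",
           policy_exit(POINT_RUN_EXECUTABLE, "bob", "archive_tool"));
    return 0;
}
```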

Beginning with Optim release 6.5, a signed exit must exist to use Optim, whether the exit is the Optim default exit or a user-supplied exit. To sign an exit, you must specify the company credentials supplied to your organization when you received Optim. Your company credentials consist of your Optim-supplied company ID, Name, and Password. The Optim setup process will automatically request these credentials during installation, so you can sign an exit.

Note: If you have write access to the Optim bin directory and you have the appropriate company credentials, you can change from one exit to another at any time following installation by signing a new exit. You can change from using the default exit to a user-supplied exit (or vice versa), or you can change from one user-supplied exit to another. (If you are switching to a user-supplied exit, you must compile, link, and copy that exit to the bin directory before you can sign it.)

In a UNIX environment, you can sign only the default exit during installation. If you want to sign a user-supplied exit, you must run an opmusign script file following installation. (Another script file is available to revert to the default exit from a user-supplied exit, if needed.) See Signing an Exit in UNIX - Red Hat Linux 3 or Solaris 8 for more information.

The Optim default exit is delivered unsigned to ensure the following:


