Support Bulletin

Strategi User and iSeries 400 User Profile Information Synchronization

Product:	Strategi
Modified Date:

Overview
Strategi administrators have the ability to configure each remote client with respect to which iSeries 400 user profile to use to obtain a session on the iSeries 400. This option allows both flexibility and security dependent on how it is implemented.

There are multiple scenarios in which the maintenance of Strategi user information must coincide with iSeries 400 user profile maintenance. Corporate policy of maintaining a single signon solution is a prime example where procedures must be put in place to maintain consistency between Strategi users and their iSeries 400 user profile relationship. The goal of this document is to describe the relationship between a Strategi user and iSeries 400 user profile and provide options that the iSeries 400 systems administrator may implement to ensure a consistent Strategi and iSeries 400 user base. The topics discussed here are meant to illustrate possible options only and exact implementation will depend on specific customer requirements.

Strategi User and iSeries 400 User Profile Relationship
When a Strategi user is created or changed, the administrator has the option of specifying a host user name and password for each individual user. This is done under the emulation heading of each Strategi user and is illustrated below.

The Host user name and host password correspond to the iSeries 400 user profile and password associated with the Strategi user. The sequence of events that occurs once a user loads the Strategi applet in a web browser is follows:

The remote client enters their Strategi user access name and passphrase.

Strategi checks to see if the user has specific iSeries 400 information specified for host user and password.

If the host user and password information is set to '*MUSTKEY', the user is displayed an iSeries 400 signon screen and they must manually enter both iSeries 400 profile and password information before signing on to the iSeries 400.

If only the host user name is specified, the user is displayed an iSeries 400 signon screen with the profile name locked. The iSeries 400 password must be entered manually before signing on to the iSeries 400.

If both the host user name and host password is specified, Strategi will attempt to automatically sign the user on to the iSeries 400 bypassing the requirement for the remote client to enter any iSeries 400 user profile information.

There are three different scenarios that will dictate the requirement for Strategi and iSeries 400 user synchronization. A brief explanation of each is as follows:

Scenario 1 - Host User and Password not Specified
Leaving the host user and password information set to the default '*MUSTKEY' allows the Strategi user to enter any iSeries 400 user profile and password combination once the iSeries 400 signon screen is displayed. Since the profile is not set for the Strategi user, the requirement to update Strategi host user and password information is not required in this case as changing of an iSeries 400 user profile will have no effect on the Strategi user. In this scenario, the user will have to authenticate twice before logging on to the iSeries 400.

Scenario 2 - Host User Specified Only
Specifying a user profile name in the host user field will lock the Strategi user into signing on to the iSeries 400 using only that profile. The password will have to be keyed manually. Similar to the above scenario, a change in the iSeries 400 user password will not directly affect the Strategi user as they must manually key the iSeries 400 password every time they are presented with an iSeries 400 signon screen. In this case the user will also have to authenticate twice before signing on to the iSeries 400.

Scenario 3 - Host User and Password Specified
Specifying both host user and password values for a Strategi user enables the Strategi user to be automatically signed on to the iSeries 400 once they have been validated by the initial Strategi authentication window. This feature enables a site to employ a single signon solution where a Strategi user will only have to authenticate once before being signed on to the iSeries 400. This scenario requires that the host profile and password for a Strategi user remain in sync with the iSeries 400 user profile information. For example, if a user signs on to the iSeries 400 and is prompted to change their password due to standard iSeries 400 password expiry rules, the Strategi user information is not updated by default. This can result in a user being denied access the next signon attempt due to the fact that their Strategi user has dated host password information.

Methods of Synchronizing Strategi User and iSeries 400 User Profile Information
Method 1 - Password Validation Program

When the host user and password are specified for a Strategi user, the most common problem occurs when the iSeries 400 password has expired. This condition forces the user to change their password via the 'CHGPWD' iSeries 400 command. The iSeries 400 offers the security officer the ability to provide a password validation program to perform any post processing requirements after the user has entered their new password information.

The iSeries 400 system value 'QPWDVLDPGM' is used to define a program that can be used for such a purpose. Although its primary role is to perform additional password validation that standard system values cannot, you can include the Strategi user maintenance commands to update Strategi users accordingly. Below is an example source member that will change a Strategi user's signon information whenever the user profile password is changed as a result of the 'CHGPWD' command.


	** PARAMETER DESCRIPTIONS **

	+------------------------------------------------------------------------¦
	¦ Position    ¦ Type        ¦     Length    ¦ Description                ¦
	+-------------+-------------+---------------+----------------------------¦
	¦      1      ¦ *CHAR       ¦       10      ¦ The new password entered   ¦
	¦             ¦             ¦               ¦ by the user.               ¦
	+-------------+-------------+---------------+----------------------------¦
	¦      2      ¦ *CHAR       ¦       10      ¦ The user's old password.   ¦
	+-------------+-------------+---------------+----------------------------¦
	¦      3      ¦ *CHAR       ¦       1       ¦ Return code: 0 for valid   ¦
	¦             ¦             ¦               ¦ password Not 0 for         ¦
	¦             ¦             ¦               ¦ incorrect password         ¦
	+-------------+-------------+---------------+----------------------------¦
	¦      4      ¦ *CHAR       ¦       10      ¦ The name of the user.      ¦
	+------------------------------------------------------------------------¦

    100 /* -------------------------------------------------------------------------- */
    200 /* Description : Example Password Validation Program                          */
    300 /* -------------------------------------------------------------------------- */
    400 /* Author      : John P. Noble                                                */
    500 /* Date        : 11 APR 2000                                                  */
    600 /* Origin OS   : iSeries 400                                                  */
    700 /* -------------------------------------------------------------------------- */
    800 /* Copyright (c)  1990 Advanced BusinessLink Australia Pty/Ltd                */
    900 /*                                                                            */
   1000 /* Licensed Material. Source and all derived objects/programs remain the      */
   1100 /* property of Advanced BusinessLink Australia Pty/Ltd                        */
   1200 /* -------------------------------------------------------------------------- */
   1300 /* Purpose     : Perform update of Strategi user information when iSeries 400 */
   1400 /*               command CHGPWD is executed either interactively or forced    */
   1500 /*               due to iSeries 400 password expiry rules. Refer to IBM       */
   1600 /*               documentation for further description and usage of password  */
   1700 /*               validation programs on the iSeries 400 if required.          */
   1800 /*                                                                            */
   1900 /* Notes       : 1. Program should be executed under owner authority with     */
   2000 /*                  the owner having *SECADM equivalent authority.            */
   2100 /*               2. The new and old password is sent in the clear by OS/400.  */
   2200 /*                  Precautions should be made to avoid this information from */
   2300 /*                  being used improperly and program code should be reviewed */
   2400 /*                  by the iSeries 400 security officer.                      */
   2500 /* -------------------------------------------------------------------------- */
   2600 /* Revision(s) :                                                              */
   2700 /* -------------------------------------------------------------------------- */
   2800
   2900 PGM (&NEWPAS &OLDPAS &RTNCDE &USRPRF)
   3000
   3100 DCL      &NEWPAS   *CHAR     10
   3200 DCL      &OLDPAS   *CHAR     10
   3300 DCL      &RTNCDE   *CHAR      1
   3400 DCL      &USRPRF   *CHAR     10
   3500 DCL      &SGIUSR   *DEC      (9 0)
   3600 DCL      &EMUNAM   *CHAR     10
   3700
   3800 /* Add Strategi library to library list for access to Strategi user           */
   3900 /* maintenance commands. This assumes that Strategi was installed to library  */
   4000 /* 'STRATEGI'. Modify source appropriately if this is not the case.           */
   4100
   4200 ADDLIBLE STRATEGI
   4300 MONMSG CPF0000
   4400
   4500 /* Determine if a Strategi user exists whose access name is the same as the   */
   4600 /* user profile being changed. If the user does not exist, exit normally.     */
   4700
   4800 CHKSGIUSR NAME(&USRPRF) USER(&SGIUSR)
   4900 MONMSG CPF9898 EXEC(DO)
   5000    RCVMSG MSGTYPE(*LAST)
   5100    GOTO END
   5200    ENDDO
   5300
   5400 /* Set the Strategi user host password only if the current profile name is    */
   5500 /* not set to '*MUSTKEY'. This protects Strategi users that do not implement  */
   5600 /* forced signon.                                                             */
   5700
   5800 RTVSGIUSR USER(&SGIUSR) EMUNAM(&EMUNAM)
   5900 IF (%SST(&EMUNAM 1 8) = '*MUSTKEY') (DO)
   6000    STRATEGI/CHGSGIUSR USER(&SGIUSR) &PASS(&NEWPAS) &EMU(&USRPRF &NEWPAS)
   6100    ENDDO
   6200
   6300 END:
   6400 CHGVAR &RTNCDE '0'
   6500 ENDPGM

This example assumes that a 'single signon solution' is being employed where the Strategi access name, passphrase, host name, and host password is the same as the iSeries 400 user profile name and password. Appropriate modifications to this program can be made to suit other situations if required and this code may be imported into an existing password validation program if one already exists. The following notes should be taken into consideration if this method is to be used:

The current and new password are passed to the validation program without encryption. The validation program could store passwords in a database file and compromise security on the system. Make sure the functions of the validation program are reviewed by the security officer and that changes to the program are strictly controlled.

In case it is necessary to recover your system from a disk failure, place the password validation program in library QSYS. This way the password approval program is loaded when you restore library QSYS.

The program should be owned by QSECOFR or equivalent profile and run at owner authority to prevent access issues with any Strategi user maintenance commands.

The password validation program will not be called if the iSeries 400 user profile is changed via the CHGUSRPRF command. The use of exit programs will be required if this ability is needed.

Method 2 - Exit Programs

On the iSeries 400 there are what are called exit programs and exit points for a select group of iSeries 400 commands and services. The commands CHGUSRPRF, CRTUSRPRF, DLTUSRPRF and RSTUSRPRF are all supported. When these commands are changed to support user written exit programs, once each command completes normal iSeries 400 processing the iSeries 400 will check to see if an exit program exists for the command. If an exit program exists, that program is called to perform any additional processing required and is passed a unique structure of information containing the exit point for the command, data format name, and user profile. If the exit program doesn't exist but is specified, it will silently fail causing no adverse effects.

In an ideal scenario, the exit program would be passed the user profile's password as well as the profile name. The problem arises in that the password is not passed (only profile). Not only that, but the only available security APIs which are used to retrieve the password for a user will return the password in "encrypted" form which is useless for our Strategi user maintenance commands which require the host password be specified in clear text form. There is a reciprocal "set" encrypted password iSeries 400 security API which is used in combination with the retrieve to set iSeries 400 user profiles across many 400's.

To summarize, the following series of events would happen after a 400 user profile is modified:

A user profile is created, changed, or deleted

After the 400 has completed its normal profile function, it sees that an exit program exists for the command and calls that program.

If a CHGUSRPRF or CHGPWD was executed, the CHGSGIUSR command is then prompted if there exists a Strategi user with the access name being that for the profile name being changed. If a user exists, the user must again set the host password on the Strategi user (careful to get correct). If a Strategi user does not exist, control is returned to command line just as in normal operation without prompt of CHGSGIUSR.

If a CRTUSRPRF was executed as a result of explicit command entry or via "copy" from the work with user profiles screen, the CRTSGIUSR command is prompted only if the Strategi user doesn't already exist. If the Strategi user already exists, the CHGSGIUSR command is prompted to allow for consistency.

If a DLTUSRPRF was executed, the exit program command is executed if there is a matching Strategi user. Otherwise, no other action is taken.

The actual setup of this feature will require *SECOFR authority to add the following exit points and programs:

As an example, given that the user created exit programs all reside in the library 'QSYS' and were called EXITCHGUSR, EXITCRTUSR, and EXITDLTUSR for the CHGUSRPRF, CRTUSRPRF and DLTUSRPRF iSeries 400 commands respectively, the following sequence of events would put the exit programs in effect.

==> ADDEXITPGM  EXITPNT(QIBM_QSY_CHG_PROFILE)
        FORMAT(CHGP0100)
        PGMNBR(1)
        PGM(QSYS/EXITCHGUSR)
        TEXT('Exit Program - Change Strategi User')

==> ADDEXITPGM  EXITPNT(QIBM_QSY_CRT_PROFILE)
        FORMAT(CRTP0100)
        PGMNBR(1)
        PGM(QSYS/EXITCRTUSR)
        TEXT('Exit Program - Create Strategi User')

==> ADDEXITPGM  EXITPNT(QIBM_QSY_DLT_PROFILE)
        FORMAT(DLTP0200)
        PGMNBR(1)
        PGM(QSYS/EXITDLTUSR)
        TEXT('Exit Program - Delete Strategi User')

Summary
As you can see, there are many ways to keep Strategi user information in sync with iSeries 400 user profile updates and this information should help determine the best method to use. If the Strategi release is V1R6M0 or greater, the source file SGIEXAMPLE in the Strategi library will contain examples of these exit programs as well as the password validation program described above. Contact BusinessLink Technical Services if you have implementation questions about any of the information discussed here.

** End of Technical Support Bulletin **