TAA Tools
INZPWD          INITIALIZE PASSWORD                    TAASECX

The Initialize Password tool is designed for Assistant Security Officers
to be able to reset a user's password.  The typical case is a user who
has forgotten the password.

The INZPWD toolset actually consists of 5 commands:

  INZPWD    Change password to the user profile name or random value.
  INZPWD2   Forces password to random value between 6-10 characters.
  INZPWD3   Change password to random value between 5-75 characters.
  SETINZPWD Schedule job to disable unchanged pwds set by INZPWD cmds
  CHKINZPWD Disable unchanged passwords set by INZPWD commands.

INZPWD Command                                       *CMD
-------------------------
The  INZPWD  command allows  the  new password  to  be either  the user
profile name or a random value of 6 to 10 characters.

INZPWD command parameters are:

   USRPRF        The user profile to have its password initialized.

   PASSWORD      The password assigned  to the  user profile.   *USRPRF
                 sets  the  password  to  the  same name  as  the  user
                 profile.  *USRPRF is the default.

                 *RANDOM  may  be  specified  to  generate  a  6  -  10
                 character random password.

                 The  random  password  will  conform  to  the   system
                 password  rules or  system  password attributes  which
                 are set.

                 See  Restrictions  section  below  for conflicts  with
                 password rules  length settings  and possible  invalid
                 results that can occur.

A typical command would be:

           INZPWD   USRPRF(JONES)

This would reset the user's password to the same name as the profile.

The profile  is set to  PWDEXP(*YES) which forces a  change of password
at the next signon.

The length of a *RANDOM password is set with an application value.  See
the EDTAPPVAL discussion below.

INZPWD2 Command                                       *CMD
--------------------------
The INZPWD2 command forces a random value of 6 to 10 characters.

INZPWD2 command parameters are:

   USRPRF        The user  profile will  have its password  initialized
                 to a random value, 6-10 characters in length.

                 The  random  password  will   conform  to  the  system
                 password  rules  or system  password  attributes which
                 are set.

                 See Restrictions  section  below  for  conflicts  with
                 password rules  length settings  and possible  invalid
                 results that can occur.

   TAAPWDARA     A  *YES/*NO  value  for  whether  the random  password
                 should be placed  in the TAAPWDARA  *DTAARA in  QTEMP.

                 *NO is  the default.   The TAAPWDARA *DTAARA  will not
                 exist.

                 *YES  may  be specified  to  create the  data  area in
                 QTEMP.   It  is created as  *CHAR LEN(20).   The first
                 10 bytes  will contain  the  user profile  name.   The
                 second  10 bytes will  contain the  randomly generated
                 password.

A typical command would be:

           INZPWD2  USRPRF(JONES)

A  random password  will be  set, 6  to 10 characters  in length.   The
default length is 6.

The completion message contains the password that is assigned.  Depending
on the job's logging level, that message (and so the password) may also
be recorded in the job log.

The profile is set  to PWDEXP(*YES) which  forces a change of  password
at the next signon.

Password  length is  set  with an  application  value.   See  EDTAPPVAL
discussion below.

Password generation for INZPWD and INZPWD2
------------------------------------------
IBM introduced the *ALLCRTCHG rule for the QPWDRULES system value in
IBM i 7.2.  It forces passwords set with CRTUSRPRF and CHGUSRPRF to
conform to the password rules.  Both INZPWD and INZPWD2 use CHGUSRPRF,
so if *ALLCRTCHG is specified the generated password must meet those
rules.

If *ALLCRTCHG is not specified, CHGUSRPRF does not enforce the password
rules.  In this case the first character of a randomly generated
password is a letter (vowels are not used) and the remaining characters
are drawn from A-Z (without vowels) and the digits 1-9.  This makes it
possible to set a simple temporary password from a help desk while
keeping stricter password rules for normal use.  Such a password is
weaker than the rules require, so the PWDEXP(*YES) setting and the
CHKINZPWD disabling function described below are what limit its
lifetime.


Application value settings
(using EDTAPPVAL - applies to INZPWD and INZPWD2 only)
----------------------------------------------
 Additional INZPWD features are available via the application
 values INZPWD and INZPWD2:
  - EDTAPPVAL   APPVAL(TAASECURE/INZPWD) allows:
        - STATUS parameter of the user profile to be set
          when INZPWD is run. Values are *SAME, *ENABLED or *DISABLED.
          The default is *SAME, which leaves the user profile
          in its current state.
          To ensure the profile is enabled after the use of INZPWD,
          set STATUS to *ENABLED.
        - Allow INZPWD on the SECOFR2 menu
        - Allow INZPWD2 on the SECOFR2 menu
  - EDTAPPVAL   APPVAL(TAASECURE/INZPWD2) allows:
        - Password length - the length of random passwords, 6 to 10
          characters


INZPWD3 Command                                       *CMD
--------------------------
The INZPWD3 command forces a random value of 5 to 75 characters.

INZPWD3 command parameters are:

   USRPRF        The user  profile will  have its  password initialized
                 to a random value, 5 to 75 characters in length.

                 The  random   password  will  conform  to  the  system
                 password rules  or  system password  attributes  which
                 are set.

   PWDLEN        A password length between 5 and 75 can be set.  The
                 default length is 8.

   STATUS        Status of the user profile can be set to *ENABLED,
                 *DISABLED, or *SAME.  *SAME will leave the user
                 profile in its current state.  The default is
                 *ENABLED.

   PWDEXP        Password  Expired  determines  whether the  user  must
                 change  the password at the next  signon.  The default
                 is *NO.

A typical command would be:

           INZPWD3  USRPRF(JONES)

A random  password will be  set, 5  to 75  characters in  length.   The
default length is 8.

The password will automatically be placed in the TAAPWDARA *DTAARA in
QTEMP.  Upon completion of the command, the TAAPWDARA data area is
displayed.  The first 10 bytes will contain the user profile name.  The
next 128 bytes will contain the randomly generated password.  Because
QTEMP is a per-job library, the data area (and the clear-text password
in it) exists only for the duration of the job that ran INZPWD3.

Authority considerations
----------------------------------------------
The  user  of  INZPWD, INZPWD2,  INZPWD3  must  be  authorized  to  the
TAAINZPWD authorization list.

Neither the QSECOFR profile nor the current user's own profile can be
changed.  Other profiles that cannot be changed are QSRV, QSRVBAS, and
TAAJOBCTL.

The INZPWD  data area in  TAASECURE can be  used to  specify a list  of
additional  profiles that  cannot be  changed using  the command.   The
Security  Officer can use  the following command  to specify additional
user profiles:

        EDTCONARR     DTAARA(TAASECURE/INZPWD)

If the user entering INZPWD, INZPWD2, or INZPWD3 has *ALLOBJ special
authority, any user profile can be changed except QSECOFR and those
specified in the INZPWD data area in TAASECURE.  This allows the simple
INZPWD/INZPWD2/INZPWD3 commands to be used instead of the CHGUSRPRF
command.

If the user does not have *ALLOBJ authority, the following cannot be changed:

  **   QSECOFR or  any user in  the list described  by the INZPWD  data
       area in TAASECURE.

  **   Any  user  profile  that has  a  special  authority of  *ALLOBJ,
       *SECADM,   or  *SERVICE.     These   profiles  have  significant
       security aspects to them  and should be changed by  the Security
       Officer.

Use with the TAADPTSEC Authorization List --

An  alternative approach is  to allow  for multiple  assistant security
officers  who can each manage a  set of unique user  profiles.  This is
called a 'Departmental  Security Officer'.  See  the discussion of  the
TAADPTSEC authorization list in the SECOFR2 tool documentation.

Audit considerations
----------------------------------------------
To provide  an audit trail  of the use  of this command,  the following
occurs:

  **   If  the  QAUDJRN   journal  exists,  an  entry  is  sent  to  it
       describing the use of  INZPWD or INZPWD2,  the profile that  was
       changed, and the user  that made the change.  The  entry type is
       IP.

  **   If the  QAUDJRN journal does not exist,  the same information as
       described  for the journal  entry is sent as  a message to QHST.


SETINZPWD / CHKINZPWD commands - Disabling unchanged passwords
-------------------------------------------------

A typical concern of many installations is user profiles that can be
signed on to using the user profile name as the password, or profiles
that have been created and never signed on to.

An option can be set so that any use of INZPWD causes a record to be
written to a database file.  A job schedule entry runs a job at 5
minutes after midnight that checks the file; if the password has not
been changed, the profile is disabled.

To  set the  option, a  user  with *ALLOBJ  and *SECADM  authority must
enter the SETINZPWD command such as:

             SETINZPWD   DISABLE(*YES) JOBD(*USRPRF)

SETINZPWD sets a value  in the SETINZPWD data  area in TAASECURE.   The
value is  tested  by the  INZPWD commands  and  causes a  record to  be
written  to the  INZPWDP file  in TAASECURE  for each  profile password
that is initialized.

SETINZPWD also adds a job schedule entry for the job CHKINZPWD to be
run at 5 minutes after midnight every day of the week.  The job runs
the CHKINZPWD command, which reads the records in the INZPWDP file and,
if the user profile has not had its password changed since the use of
INZPWD (on a previous day), disables the profile.

A listing  is output  describing any  actions taken.    If the  profile
password has  been changed or  if the  profile is disabled,  the record
is  deleted from the file.   The INZPWDP file  is set to REUSEDLT(*YES)
so there is no reason to have to reorganize the file.

The CHKINZPWD job is  set to RCYACN(*SBMRLS) so  that if the system  is
powered off, the  job will be  run when the system  is powered on.   If
your  system is powered  off for multiple  days, multiple jobs  will be
submitted  when the  system is  powered on.   This  will not  cause any
errors, but will produce a listing for each job.

If  you  used  SETINZPWD to  disable  profiles  and  want  to  end  the
function, specify:

            SETINZPWD   DISABLE(*NO)

This will reset  the switch used by INZPWD and  remove the job schedule
entry.

Note that only INZPWD and INZPWD2 cause records to be written to the
INZPWDP file.  If you create a profile and want the same function to
occur, you must follow the CRTUSRPRF command with INZPWD.
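
The CHKINZPWD decision described above (disable if unchanged since a
previous day, drop the record once the password is changed or the
profile disabled, keep records written today), modelled in Python as an
added example.  This is not TAA Tools code; the InzRecord and PwdStatus
shapes are assumptions standing in for the INZPWDP file and the
RTVPWDSTS result, and timestamps are used so that a change later on
the same day that INZPWD ran still counts as a change:

```python
"""Model of the CHKINZPWD decision described on this page.
Added example, not TAA Tools code.  The record and status shapes are
assumptions standing in for the INZPWDP file and the RTVPWDSTS result."""
from dataclasses import dataclass
from datetime import date, datetime


@dataclass
class InzRecord:
    """One INZPWDP record (assumed layout): profile and when INZPWD ran."""
    usrprf: str
    initialized: datetime


@dataclass
class PwdStatus:
    """Stand-in for what RTVPWDSTS returns: last password change, status."""
    pwdchgdat: datetime
    status: str = "*ENABLED"


def check_inzpwd(records, statuses, today: date):
    """Return (actions, remaining).  actions is a list of (action, profile)
    with action in DISABLE, DELETE, KEEP; remaining is what stays in the
    file.  A second run over `remaining` on the same day takes no further
    action, which is why extra CHKINZPWD jobs after a power-off are harmless."""
    actions, remaining = [], []
    for rec in records:
        st = statuses[rec.usrprf]
        if st.pwdchgdat > rec.initialized:
            # user replaced the temporary password: record no longer needed
            actions.append(("DELETE", rec.usrprf))
        elif rec.initialized.date() < today:
            # unchanged, and INZPWD ran on a previous day: disable and drop
            st.status = "*DISABLED"
            actions.append(("DISABLE", rec.usrprf))
        else:
            # initialized today: the user still has until the next run
            actions.append(("KEEP", rec.usrprf))
            remaining.append(rec)
    return actions, remaining


def sample_run():
    """Constructed data: three profiles reset with INZPWD, then CHKINZPWD
    run ad hoc on 2024-03-02 and run once more over what it kept."""
    t = datetime.fromisoformat
    records = [
        InzRecord("JONES", t("2024-03-01T09:00")),   # never changed it
        InzRecord("SMITH", t("2024-03-01T09:00")),   # changed it that afternoon
        InzRecord("BROWN", t("2024-03-02T08:00")),   # reset today
    ]
    statuses = {
        "JONES": PwdStatus(t("2024-03-01T09:00")),   # CHGUSRPRF set this date
        "SMITH": PwdStatus(t("2024-03-01T14:30")),
        "BROWN": PwdStatus(t("2024-03-02T08:00")),
    }
    actions, remaining = check_inzpwd(records, statuses, date(2024, 3, 2))
    again, _ = check_inzpwd(remaining, statuses, date(2024, 3, 2))
    return actions, remaining, statuses, again


if __name__ == "__main__":
    for action, prf in sample_run()[0]:
        print(f"{action:8} {prf}")
```

The comparison is strict (a password date equal to the INZPWD date is
treated as unchanged) because CHGUSRPRF itself sets the password change
date when INZPWD runs.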

SETINZPWD Command parameters                          *CMD
----------------------------

   DISABLE       A *YES/*NO parameter for whether to disable any
                 profiles whose password has not been changed since
                 the last use of INZPWD.  *YES is the default, which
                 causes a switch to be set in the SETINZPWD data area
                 in TAASECURE and causes CHKINZPWD to be added as a
                 job schedule entry to run at 5 minutes after midnight.
                 Any profiles that have not had their password changed
                 since the last use of INZPWD (on a previous day) are
                 disabled.

                 *NO  may  be  specified   to  prevent  the   disabling
                 function.   This  resets  the switch  and removes  the
                 job schedule entry.

   JOBD          The  fully  qualified  job  description  that will  be
                 used to  run  the  CHKINZPWD  job.    The  default  is
                 *USRPRF.

                 A  specific  job   description  and  library   may  be
                 entered.

Restrictions
------------

  **   The  user  of  either   INZPWD,  INZPWD2,  or  INZPWD3  must  be
       authorized   to  the  TAAINZPWD   authorization  list,  or  have
       *ALLOBJ  authority.     To   add   a  user   to  the   TAAINZPWD
       authorization  list,  use   ADDAUTLE  AUTL(TAAINZPWD)  USER(xxx)
       AUT(*USE)

  **   A  user properly authorized  to use INZPWD,  INZPWD2, or INZPWD3
       (see above)  can  change any  user  profile except  QSECOFR  and
       those specified in the INZPWD data area in TAASECURE.

  **   A user without  *ALLOBJ authority cannot change  QSECOFR, a user
       profile   that  is  specified   in  the  INZPWD   data  area  in
       TAASECURE, or a  user profile  that has a  special authority  of
       *ALLOBJ, *SECADM, or *SERVICE.

  **   The  user  of  SETINZPWD must  have  both  *ALLOBJ  and  *SECADM
       special authorities.

  **   An  invalid random  password could  be  generated due  to length
       conflicts.    Since  INZPWD  and  INZPWD2  only  allow  password
       lengths  of 6  to  10  characters,  length  conflicts  with  the
       password rules can happen.

  **   For example,  if INZPWD2 length  = 6, but  the MINLEN =  10, the
       password  generated  would be  invalid.   Similarly,  if INZPWD2
       length =10, but DGTMIN = 6,  LTRMIN = 4, and SPCCHRMIN = 2,  the
       password generated would be invalid.

  **   An invalid random password could also be generated if a password
       validation program is used with rules different from the system
       password rules.

Prerequisites
-------------

The following TAA Tools must be on your system:

     ADDDAT       Add date
     CHKOBJ3      Check object 3
     CONARR       Constant array
     GENRANNBR    Generate random number
     GENRANPWD2   Generate random password 2
     RTVDAT       Retrieve date
     RTVPWDSTS    Retrieve password status
     RTVSPCAUT    Retrieve special authority
     RTVSYSVAL3   Retrieve system value 3
     SNDCOMPMSG   Send completion message
     SNDESCMSG    Send escape message

Implementation
--------------

The tool is ready to use, but a user must be authorized to the
TAAINZPWD authorization list.  For example,

      ADDAUTLE   AUTL(TAAINZPWD) USER(xxx) AUT(*USE)

The  Security Officer  may  also  specify  certain user  profiles  that
cannot  be  changed by  entering  them  into the  INZPWD  data area  in
TAASECURE.  To edit the list of invalid profiles, use the command:

        EDTCONARR    DTAARA(TAASECURE/INZPWD)

You  do not need  to enter QSECOFR as  it is always  prevented.  You do
not  need to  add  a  user profile  that  has  a special  authority  of
*ALLOBJ,  *SECADM, or  *SERVICE  unless you  do  not want  a user  with
*ALLOBJ  authority to be  able to change  these profiles.   Any profile
with one or more  of these special authorities  will be prevented  from
being changed by other code in the program.

Objects used by the tool
------------------------

   Object        Type    Attribute      Src member    Src file
   ------        ----    ---------      ----------    ----------

   INZPWD        *CMD                   TAASECX       QATTCMD
   INZPWD2       *CMD                   TAASECX2      QATTCMD
   SETINZPWD     *CMD                   TAASECX5      QATTCMD
   CHKINZPWD     *CMD                   TAASECX6      QATTCMD
   TAASECXC      *PGM       CLP         TAASECXC      QATTCL
   TAASECXC2     *PGM       CLP         TAASECXC2     QATTCL
   TAASECXC3     *PGM       CLP         TAASECXC3     QATTCL
   TAASECXC4     *PGM       CLP         TAASECXC4     QATTCL
   TAASECXC5     *PGM       CLP         TAASECXC5     QATTCL
   TAASECXC6     *PGM       CLP         TAASECXC6     QATTCL
   TAASECXC16    *PGM       CLP         TAASECXC16    QATTCL
   TAASECXR4     *PGM       RPG         TAASECXR4     QATTRPG
   TAASECXR6     *PGM       RPG         TAASECXR6     QATTRPG
   INZPWDP       *FILE      PF          TAASECXP      QATTDDS
   INZPWD        *DTAARA
   SETINZPWD     *DTAARA
   SETINZPWD     *USRSPC
   INZPWD2       *USRSPC

The  CL  programs  are  created  with  USRPRF(*OWNER).    The  TAASECEC
program  used is  the CPP  for RTVSPCAUT.   It  is called  directly and
does not invoke any user commands.

The  INZPWDP   file,  the   SETINZPWD/INZPWD   data  areas,   and   the
INZPWD/INZPWD2 user spaces are in TAASECURE.

Structure
---------

INZPWD      Cmd
   TAASECXC   CL pgm
      TAASECXC4  CL pgm  - Checks if record should occur to INZPWDP
        TAASECXR4  RPG pgm - Adds information to INZPWDP file

INZPWD2     Cmd
   TAASECXC2  CL pgm
      TAASECXC4  CL pgm  - Checks if record should occur to INZPWDP
        TAASECXR4  RPG pgm - Adds information to INZPWDP file
INZPWD3     Cmd
   TAASECXC3  CL pgm
      TAASECXC4  CL pgm  - Checks if record should occur to INZPWDP
        TAASECXR4  RPG pgm - Adds information to INZPWDP file

SETINZPWD   Cmd
   TAASECXC5  CL pgm - Sets job schedule entry for CHKINZPWD

CHKINZPWD   Cmd
   TAASECXC6  CL pgm
     TAASECXR6  RPG pgm - Reads INZPWDP and deletes some records
       TAASECXC16  CL pgm - Does RTVPWDSTS and CHGUSRPRF

Added to TAA Productivity tools April 1, 1995

