TAA Tools
CHG128PWD       CHANGE 128 PASSWORD                    TAASEKK

     *********************************************************
     *                                                       *
     *  The CHG128PWD tool has been created, but             *
     *    requires changes on your part. A test program      *
     *    is also created for demonstration purposes.        *
     *    See the implementation section.                    *
     *                                                       *
     *********************************************************

The Change  128  Password command  is intended  for those  environments
using 128  byte passwords where a  change to a user  password should be
replicated on one or more systems.

Instead  of using  the normal CHGUSRPRF  command to  change a password,
the change would  be made  using CHG128PWD.   This allows the  password
to be captured,  masked, and sent to a target system  where it would be
unmasked and applied by the companion command CHG128PWD2.

     *********************************************************
     *                                                       *
     *  You must have the TAA Productivity Tools product     *
     *    on each system that will either originate          *
     *    a password change or be the target system to       *
     *    be changed.                                        *
     *                                                       *
     *********************************************************

The  normal  method of  sending  the command  would  be by  the  use of
SBMRMTCMD which is part  of DDM support.   Other alternatives are  also
possible such as journaling and FTP.

A typical command on the originating system would be:

      CHG128PWD   USRPRF(xxxx) PASSWORD(yyyy) PWDEXP(*SAME)

The  change can  also  be  made using  the  CHGPWD  command.   See  the
special instructions for this.

The passwords are not shown in the job log.

The CL  programs must be modified to provide  a unique 'secret code' to
assist in  masking  the passwords  and  to remove  some  testing  code.
Once you have  made the modifications  and created your version  of the
programs,  the source  and  the programs  should  be kept  in  a secure
library.    See  the  later discussion  on  modifications  and security
considerations.

The password can  contain upper or  lower case and special  characters.
The  PASSWORD  parameter  is  defined  as 'mixed  case'.    Any  quotes
entered in the parameter are considered to be part of the password.

The  password must  meet the  password rules  assigned to  each system.
If not, CPI22AE is issued.  Use DSPPWDA to see the existing rules.

CHG128PWD Command parameters                         *CMD
----------------------------

The CHG128PWD  command should  be entered  on  the originating  system.
It will change the  password and use a user  specified method to submit
the CHG128PWD2  command to a target system.   A typical method would be
to use the DDM command SBMRMTCMD.

   USRPRF        The user profile to be modified.

   PASSWORD      The password to  be assigned.   A password  can be  up
                 to 128 characters  in length and can contain  upper or
                 lower  case  and  special  characters.   The  PASSWORD
                 parameter  is  defined as  'mixed  case'.   Any quotes
                 entered in  the parameter  are considered  to be  part
                 of the password.

   PWDEXP        Whether the  password should be  set to expired.   The
                 default  is  *SAME.    A  *YES  or  *NO  may  also  be
                 specified.

   CHGUSRPRF     A *YES/*NO parameter  for whether  to change the  user
                 profile on the source system.

                 *YES is the default to change the password.

                 *NO may  be specified  if a  different method  is used
                 for changing  the password.  For  example, *NO is used
                 when the  password is  changed  by the  system  CHGPWD
                 command and  the exit  program (TAASEKKC3) is  called.


CHG128PWD2 Command parameters                         *CMD
-----------------------------

The  CHG128PWD2  command  is  to  be  run  on  a target  system.    The
CHG128PWD  command  must  send  the CHG128PWD2  command  to  the target
system.  CHG128PWD2  should not be used  directly as it expects  masked
input for the password parameter.

   USRPRF        The user profile to be modified.

   MSKPWD        The  password   to  be  assigned.     As  passed  from
                 CHG128PWD,  the masked password is up  to 256 bytes of
                 hex data.

   PWDLEN        The length of  the masked  password.   This should  be
                 entered as a 3 byte character field.

   PWDEXP        Whether the  password should be  set to expired.   The
                 default  is  *SAME.    A  *YES  or  *NO  may  also  be
                 specified.


Restrictions
-------------

Capturing the password  to be  sent to  a target  system requires  that
you do not use  the system supplied CHGUSRPRF command.   Passwords must
be  changed by the  CHG128PWD command.   See also the  instructions for
allowing  the  user  to  change the  passwords  via  the  system CHGPWD
command.

Prerequisites
-------------

The following TAA Tools must be on your system:

     ADJAPOST     Adjust apostrophes
     CVTFRMHEX    Convert from hex
     CVTHEX       Convert to hex
     OR           Or bytes together
     SCNVARRGT    Scan variable right
     SCRAMBLE     Scramble bytes
     SNDCOMPMSG   Send completion message
     SNDDIAGMSG   Send diagnostic message
     SNDESCINF    Send escape information
     SNDESCMSG    Send escape message
     UNADOPT      Unadopt

Implementation
--------------

The tool  is created  so that  you can  test  the concept  on a  single
system.   You must  make changes  and re-create the  tool to  cause the
function  to  work  on a  target  system.   See  the  later  section on
modifying the CL programs.

If you are planning  to use the SBMRMTCMD,  you must also consider  DDM
security.  See the section on 'DDM Considerations.'

Demonstration and Testing
-------------------------

To demonstrate the function  and test it on a  single system, a special
program  is provided  to work  with the  code  as is  shipped.   Do the
following to test the tool before making any modifications:

  1.   Signon  as  the  Security  Officer   or  a  user  with   *ALLOBJ
       authority.

  2.   Use a test  profile and change  the password using the  TAA Tool
       CHG128PWD command:

           CHG128PWD   USRPRF(xxxx) PASSWORD(yyyy)

  3.   The  code  as  shipped  for  CHG128PWD  executes  the  CHGUSRPRF
       command  to  change the  specified parameters.   It  also builds
       the CHG128PWD2  command and  places  it in  the TSTCHG128P  data
       area in  TAASECURE.  The CHG128PWD2 command  includes the masked
       password  as hex data.  The data  is scrambled and combined with
       a 'secret code'.   You may  display the command  which has  been
       created by:

           DSPDTAARA   DTAARA(TAASECURE/TSTCHG128P)

  4.   Using the system  command CHGUSRPRF, change the  password of the
       same  profile to  some other value.   This  will allow  the next
       step to reset the password as entered on CHG128PWD.

           CHGUSRPRF   USRPRF(xxxx) PASSWORD(zzzz)

  5.   Call the test program in TAASECURE:

           CALL        PGM(TAASECURE/TAASEKKC8)

       The program  should  respond  with messages  that  describe  the
       previous steps  and a  completion message  that states that  the
       password has been changed by the TAA CHG128PWD2 command.

  6.   Signon  to the profile  with the  password that you  assigned in
       Step  2.   This  should  prove that  the  the password  is being
       properly unmasked and changed.

If you want  to change  the password using  the system CHGPWD  command,
there are  additional steps.  See  the section on 'Use  with the CHGPWD
command'.

You  may want  to use the  same approach  to test  the modifications to
the CL programs for  your 'secret code'  described in the next  section
before you  attempt to send the  CHG128PWD2 command to  another system.
This  will  ensure  that  the  same  'secret  code'  is  used  in  both
programs.  After this step is  working, you could modify the  TAASEKKC2
program to send  the CHG128PWD2 command  to a target system  and remove
the  special  test  code  that  updates  the TSTCHG128P  data  area  in
TAASECURE.  See the next section.

Modifying the CL programs
-------------------------

The   TAASEKKC  and  TAASEKKC2  programs  must  be  modified.    Before
modifying the  programs, it  is recommended  that you  create a  unique
library  for  the  source  that   will  be  modified.    Then  use  the
CRTTAASRCF command to create QATTxxx source files in the library:

       CRTTAASRCF   LIB(xxxx)

Use  the  CPYTAA2 command  to  copy the  source  for the  tool  to your
library.

       CPYTAA2    TOOL(CHG128PWD) TOLIB(xxx)

Both the CL programs  (TAASEKKC and TAASEKKC2) need  to be modified  to
supply your own unique version of the 'secret code'.

Use SEU to modify the source:

        STRSEU      SRCFILE(xxx/QATTCL) SRCMBR(TAASEKKC)

The SECRET  variable is  declared at  the beginning  of the program  as
128  bytes in  length.  Scan  for SECRETCODE  until you see  the CHGVAR
command that sets the value.

When the password is entered on  CHG128PWD, the length of the  password
value is determined.   Based on the length of the  password value, only
the first n  characters of the 'secret code' are  used to help mask the
data.    Therefore,  you need  only  make  changes within  the  first n
characters of  the 'secret code'  based on  a typical maximum  password
length that  is entered.  For  example, if a typical  maximum length of
your  passwords is  25  bytes, the  'secret code'  need not  be changed
after position 25.

Change one  or more  of the  secret code  characters.   After you  have
changed the value, end  SEU (do not attempt to  create anything at this
time).

Use SEU to modify the source for the second program:

        STRSEU      SRCFILE(xxx/QATTCL) SRCMBR(TAASEKKC2)

Since  both programs must agree  on the 'secret code'  a good technique
would be to use the  SEU split screen to  copy the CHGVAR command  from
TAASEKKC to TAASEKKC2.  After you have made the change, end SEU.

At  this point  it is  recommended  that you  create  the tool  without
making any  further modifications and try the  demonstration program as
described in the previous section.  Use CRTTAATOOL:

           CRTTAATOOL    TOOL(CHG128PWD)  SRCLIB(xxx)

Use  a  password that  will cover  what you  consider  to be  a typical
maximum length someone would  use.  This will ensure that  the programs
are both using the same 'secret code'.

Now try  the demonstration test  as described in the  previous section.

After  this test is complete,  you must modify the  TAASEKKC program to
send the CHG128PWD2 command to one  or more remote systems.  A  typical
solution would  be to use  DDM via  the SBMRMTCMD command.   If  DDM is
used (it  is not the only solution), the  TAASEKKC program must also be
modified to specify the DDM  file name to be  used for SBMRMTCMD.   Use
SEU as  described earlier  to TAASEKKC.   See the  discussion at  about
statement 180 of the TAASEKKC source member.

After you  have modified the  source, you should re-create  the tool as
follows:

           CRTTAATOOL    TOOL(CHG128PWD)  SRCLIB(xxx)

It  is important that you  protect your secret codes.   See the section
on Security considerations.

There is  no  reason for  you to  write  down your  secret  code in  an
offline place.   If you  have to recreate  the programs, you can  use a
different 'secret code'.

Good  practice would be to save your  secure library, secure the media,
and then delete  the secure  library.   This will provide  a backup  if
the objects are damaged.

You must have  the TAA Productivity Tools product on  the systems where
the change will originate from or be applied to a target system.

Use with CHGPWD command
-----------------------

The system  supports the CHGPWD command to allow  an end user to change
his password.   System support  allows an Fx  key to  access CHGCMD  on
some displays or  you may include the command  in a user program.   The
system may  also be used to  force a user to change  his password after
n  days.   See the  QPWDEXPITV system  value.  CHGUSRPRF  also supports
PWDEXP(*YES) which  can be  used  to force  a change  his password  the
next time he signs on.

When CHGPWD  is used, the system  supports an optional exit  program to
ensure  that the password meets  a specific system's rules.   This exit
program can  also be  used to  capture the  password to  send  it to  a
target system.

A  program  (TAASEKKC3) is  provided  to  do  this.   As  the  Security
Officer,  you must change the  system value QPWDVLDPGM  to specify that
the registration facility will be used to define the exit program:

           CHGSYSVAL     SYSVAL(QPWDVLDPGM) VALUE(*REGFAC)

Then use WRKREGINF.  When the screen appears, rollup to:

           QIBM_QSY_VLD_PASSWRD

Use option 8 (Work with exit programs).

When the display appears, enter:

             Option            1 (to add)
             Exit program      TAASEKKC3
             Library           TAATOOL

TAASEKKC3 exists in TAATOOL  and is owned by  the Security Officer  and
adopts his profile.  This allows access to the TAASECURE library.

When  the user  changes  his password  with  CHGPWD, the  exit  program
TAASEKKC3  will be  called.  It  invokes the  CHG128PWD command.   This
will  cause  the same  function as  if  CHG128PWD was  invoked directly
except that the  CHGUSRPRF function  is not done  (it has already  been
done by the system).

DDM considerations
------------------

The  DDM Users  Guide  describes  how the  SECURELOC  parameter in  the
remote  systems configuration  controls  who the  user profile  is that
will be used on  the remote system.   If SECURELOC(*YES) is  specified,
the  command will  be run  by the  same  user profile  and no  security
considerations should exist.

If  SECURELOC(*NO) is specified,  the command must  be run by  the user
specified for the DDM job.   To allow a  single user profile to  change
the passwords for  any user will  probably cause a  security violation.
A program  written to adopt  the security officers profile  can be used
to  accept  a string  and execute  it.   To  prevent this  program from
being used in an  non-secure manner, you should provide  some technique
to prevent misuse.

A  solution would  be to  use a  CALL command  to your  program  on the
target  system  instead of  the CHG128PWD2  with  SBMRMTCMD.   Pass the
same list of  values.  The  program on the  target system would  accept
the  parameters and  pass  the  same list  to  a  second program  which
adopts  the security  officer profile.   The  second program  could use
the TAA command  RTVPGMSTK and  ensure that  it is only  called by  the
program you intended.

Security considerations
-----------------------

The  code  is  written  to  attempt  to  minimize  security  exposures.
However,  because the programs  and the  submitted command are  the key
to determining what the passwords are, there is always an exposure.

For  example,  there  is nothing  to  prevent an  authorized  user from
saving the TAASECURE library and  taking it to another system  where he
can analyze  the information as the  Security Officer.   While it would
not  be  easy  to  determine  what  is  being  done,  it  would not  be
impossible.

There is  nothing to  prevent  an unauthorized  user from  reading  the
documentation about this tool.

Unless you are  willing to assume a  risk of this type,  you should not
implement CHG128PWD.

You can  reduce the risk somewhat by saving  the source files to secure
media and deleting them from the system.

The sensitive  objects  (the  CL  programs  which  contain  the  secret
codes)  are placed  in  the private  library  TAASECURE.   The  Product
Library  for the  CHG128PWD  and  CHG128PWD2 commands  is  specified as
TAASECURE.    Only  the security  officer  can  create the  tool.   The
commands  will  not execute  unless  the  user  is  authorized  to  the
TAASECURE library.

The validity  checking program (TAASEKKC3  in TAATOOL) must exist  in a
public  library (TAATOOL) so it can be  accessed when the user signs on
and the operating system is  validating a new password.  The  TAASEKKC3
program adopts  the user  profile of  its owner  so that  the user  can
access  the  secure library  TAASECURE.   The  CPP  (TAASEKKC)  for the
CHG128PWD command is called using a qualified name from TAASEKKC3.

Any TAA  Tool commands  that are  executed by  CHG128PWD or  CHG128PWD2
are done in a sub  program which is created as USEADPAUT(*NO).   The CL
programs  (as created by  CRTTAATOOL) are  created to  prevent logging,
retrieving of CL source and debugging.

While  the  TAASEKKC3  program attempts  to  block  security exposures,
there is  nothing to  prevent a normal  user from  calling the  program
during the  day (e.g.  after signing  on).  The program  will perform a
SBMRMTCMD  as if the  user had done  CHGPWD.  This will  cause a change
on the other system  without making the  change on the current  system.

Backup of TAASECURE Library
---------------------------

For  the CHG128PWD  tool,  the TAASECURE  library  contains source  and
object for  CHG128PWD.  However, other tools  may also use this library
(e.g.   DSPPWD)  and you  should  consider  the overall  use.    Normal
backup should be done.

A new release of the TAA Tools
------------------------------

When a  new release of  TAA Tools is  shipped, the install  code checks
the  TAASEKKC  and  TAASEKKC2 programs  in  TAASECURE.    If they  were
created  on a system  with a name  that begins with  TAASYS, the object
programs are replaced.   If they  were created on  a system other  than
TAASYSxx, they  are left  intact.  Therefore,  if you created  the tool
on  your  system,  the  install code  will  not  replace  your modified
version.

The objects in TAATOOL related  to CHG128PWD (command and CL  programs)
are replaced on  each release, but this  should not impact your  use of
CHG128PWD unless you have made additional modifications.

You  should read the information  member from the HELPTAA  menu on each
release regarding 'changes in  the release' to  determine if there  any
changes to  the CHG128PWD tool  that will require  you to recreate  the
programs.   If so,  you must repeat  the process described  earlier and
recreate the tool.

Objects used by the tool
------------------------

   Object        Type        Attribute      Src member    Src file
   ------        ----        ---------      ----------    ----------

   CHG128PWD     *CMD                       TAASEKK       QATTCMD
   CHG128PWD2    *CMD                       TAASEKK2      QATTCMD
*  TAASEKKC      *PGM           CLP         TAASEKKC      QATTCL
*  TAASEKKC2     *PGM           CLP         TAASEKKC2     QATTCL
   TAASEKKC3     *PGM           CLP         TAASEKKC3     QATTCL
*  TAASEKKC8     *PGM           CLP         TAASEKKC8     QATTCL
*  TAASEKKC9     *PGM           CLP         TAASEKKC9     QATTCL
** TSTCHG128P    *DTAARA

     * These objects are located in the TAASECURE library.

    ** The data area is created by test instructions in TAASEKKC.

Structure
---------

CHG128PWD  Cmd
  TAASEKKC   CL
    TAASEKKC9   CL

CHG128PWD2  Cmd
  TAASEKKC2   CL
    TAASEKKC9   CL

Other programs

  TAASEKKC3   CL  - Used as the exit program for QPWDVLDPGM
  TAASEKKC8   CL  - Used as a demonstration/test program
					

Added to TAA Productivity tools January 15, 2012


Home Page Up to Top