The Initialize Password tool is designed for Assistant Security
Officers to be able to reset a user's password. The typical case for
this would be where the user has forgotten his password.
The INZPWD toolset actually consists of 5 commands:
INZPWD Change password to the user profile name or random value.
INZPWD2 Forces password to random value between 6-10 characters.
INZPWD3 Change password to random value between 5-75 characters.
SETINZPWD Schedule job to disable unchanged pwds set by INZPWD cmds
CHKINZPWD Disable unchanged passwords set by INZPWD commands.
INZPWD Command *CMD
-------------------------
The INZPWD command allows the new password to be either the user
profile name or a random value of 6 to 10 characters.
INZPWD command parameters are:
USRPRF The user profile to have its password initialized.
PASSWORD The password assigned to the user profile. *USRPRF
sets the password to the same name as the user
profile. *USRPRF is the default.
*RANDOM may be specified to generate a 6 - 10
character random password.
The random password will conform to the system
password rules or system password attributes which
are set.
See Restrictions section below for conflicts with
password rules length settings and possible invalid
results that can occur.
A typical command would be:
INZPWD USRPRF(JONES)
This would reset the user's password to the same name as the profile.
The profile is set to PWDEXP(*YES) which forces a change of password
at the next signon.
Password length is set with an application value. See EDTAPPVAL
discussion below.
INZPWD2 Command *CMD
--------------------------
The INZPWD2 command forces a random value of 6 to 10 characters.
INZPWD2 command parameters are:
USRPRF The user profile will have its password initialized
to a random value, 6-10 characters in length.
The random password will conform to the system
password rules or system password attributes which
are set.
See Restrictions section below for conflicts with
password rules length settings and possible invalid
results that can occur.
TAAPWDARA A *YES/*NO value for whether the random password
should be placed in the TAAPWDARA *DTAARA in QTEMP.
*NO is the default. The TAAPWDARA *DTAARA will not
exist.
*YES may be specified to create the data area in
QTEMP. It is created as *CHAR LEN(20). The first
10 bytes will contain the user profile name. The
second 10 bytes will contain the randomly generated
password.
A typical command would be:
INZPWD2 USRPRF(JONES)
A random password will be set, 6 to 10 characters in length. The
default length is 6.
The completion message contains the password that is assigned.
The profile is set to PWDEXP(*YES) which forces a change of password
at the next signon.
Password length is set with an application value. See EDTAPPVAL
discussion below.
Password generation for INZPWD and INZPWD2
------------------------------------------
IBM introduced the *ALLCRTCHG rule for the QPWDRULES system value in
7.2 that forces passwords set with CRTUSRPRF and CHGUSRPRF to conform
to the password rules. Both INZPWD and INZPWD2 use CHGUSRPRF.
Accordingly, if *ALLCRTCHG is specified, the generated password will
meet those rules.
If *ALLCRTCHG is not specified, then the password rules can be
ignored. In this case, the first character of a randomly generated
password will be a letter (no vowels are used) and the remaining
characters will be in the range of A-Z (without vowels) and 1-9.
This makes setting temporary simple passwords possible from a help
desk while maintaining secure password rules for normal use.
Application value settings
(using EDTAPPVAL - applies to INZPWD and INZPWD2 only)
----------------------------------------------
Additional INZPWD features are available via the application
values INZPWD and INZPWD2:
- EDTAPPVAL APPVAL(TAASECURE/INZPWD) allows:
- STATUS parameter of the user profile to be set
when INZPWD run. Values are *SAME, *ENABLED or *DISABLED.
The default is *SAME which will leave the user profile
in its current state.
To ensure the profile is enabled after the use of INZPWD,
set STATUS to *ENABLED.
- Allow INZPWD on SECOFR2 menu
- Allow INZPWD2 on SECOFR2 menu
- EDTAPPVAL APPVAL (TAASECURE/INZPWD2) allows:
- Password length - length between 6-10 characters long
INZPWD3 Command *CMD
--------------------------
The INZPWD3 command forces a random value of 5 to 75 characters.
INZPWD3 command parameters are:
USRPRF The user profile will have its password initialized
to a random value, 5 to 75 characters in length.
The random password will conform to the system
password rules or system password attributes which
are set.
PWDLEN A password length between 5 and 75 can be set. The
default length is 8.
STATUS Status of the user profile can be set to *ENABLED,
*DISABLED, or *SAME. *SAME will leave the user
profile in its current state. The default is
*ENABLED.
PWDEXP Password Expired determines whether the user must
change the password at the next signon. The default
is *NO.
A typical command would be:
INZPWD3 USRPRF(JONES)
A random password will be set, 5 to 75 characters in length. The
default length is 8.
The password will automatically be placed in the TAAPWDARA *DTAARA in
QTEMP. Upon completion of the command, the TAAPWDARA will display.
The first 10 bytes will contain the user profile name. The next 128
bytes will contain the randomly generated password.
Authority considerations
----------------------------------------------
The user of INZPWD, INZPWD2, INZPWD3 must be authorized to the
TAAINZPWD authorization list.
The QSECOFR profile cannot be changed nor can the current user.
Other profiles that cannot be changed are QSRV, QSRVBAS, and
TAAJOBCTL.
The INZPWD data area in TAASECURE can be used to specify a list of
additional profiles that cannot be changed using the command. The
Security Officer can use the following command to specify additional
user profiles:
EDTCONARR DTAARA(TAASECURE/INZPWD)
If the user entering INZPWD, INZPWD2, or INZPWD3 has *ALLOBJ special
authority, he can change any user profile except QSECOFR and those
specified in the INZPWD data area in TAASECURE. This allows the
simple INZPWD/INZPWD2/INZPWD3 commands to be used instead of the
CHGUSRPRF command.
If the user does not have *ALLOBJ authority, he cannot change:
** QSECOFR or any user in the list described by the INZPWD data
area in TAASECURE.
** Any user profile that has a special authority of *ALLOBJ,
*SECADM, or *SERVICE. These profiles have significant
security aspects to them and should be changed by the Security
Officer.
Use with the TAADPTSEC Authorization List --
An alternative approach is to allow for multiple assistant security
officers who can each manage a set of unique user profiles. This is
called a 'Departmental Security Officer'. See the discussion of the
TAADPTSEC authorization list in the SECOFR2 tool documentation.
Audit considerations
----------------------------------------------
To provide an audit trail of the use of this command, the following
occurs:
** If the QAUDJRN journal exists, an entry is sent to it
describing the use of INZPWD or INZPWD2, the profile that was
changed, and the user that made the change. The entry type is
IP.
** If the QAUDJRN journal does not exist, the same information as
described for the journal entry is sent as a message to QHST.
SETINZPWD / CHKINZPWD commands - Disabling unchanged passwords
-------------------------------------------------
A typical concern at many installations is having user profiles that
can be signed on to with a password equal to the user profile name, or
that have been created and never signed on to.
An option can be set so that any use of INZPWD will cause a record to
be written to a database file that is checked by a scheduled job at
5 minutes after midnight. If the password has not been changed, the
profile is disabled.
To set the option, a user with *ALLOBJ and *SECADM authority must
enter the SETINZPWD command such as:
SETINZPWD DISABLE(*YES) JOBD(*USRPRF)
SETINZPWD sets a value in the SETINZPWD data area in TAASECURE. The
value is tested by the INZPWD commands and causes a record to be
written to the INZPWDP file in TAASECURE for each profile password
that is initialized.
SETINZPWD also adds a job schedule entry for the job CHKINZPWD to be
run at 5 minutes after midnight every day of the week. The CHKINZPWD
command is run which reads the records in the INZPWDP file and if the
user profile has not had its password changed since the use of INZPWD
(on a previous day), the profile is disabled.
A listing is output describing any actions taken. If the profile
password has been changed or if the profile is disabled, the record
is deleted from the file. The INZPWDP file is set to REUSEDLT(*YES)
so there is no reason to have to reorganize the file.
The CHKINZPWD job is set to RCYACN(*SBMRLS) so that if the system is
powered off, the job will be run when the system is powered on. If
your system is powered off for multiple days, multiple jobs will be
submitted when the system is powered on. This will not cause any
errors, but will produce a listing for each job.
If you used SETINZPWD to disable profiles and want to end the
function, specify:
SETINZPWD DISABLE(*NO)
This will reset the switch used by INZPWD and remove the job schedule
entry.
Note that only INZPWD and INZPWD2 cause records to be written to the
INZPWDP file. If you create a profile and want the same function to
occur, you must follow the CRTUSRPRF command with INZPWD.
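The decision CHKINZPWD makes for each INZPWDP record (delete the record when the password was changed, disable the profile when it was initialized on a previous day and never changed, leave today's records for the next run), written out as an added Python illustration; this is not the tool's RPG/CL code, the record layout and the password-change timestamps are assumed stand-ins for the INZPWDP file and for what RTVPWDSTS returns.

```python
from dataclasses import dataclass
from datetime import date, datetime


@dataclass
class InzpwdRecord:
    """Stand-in for one INZPWDP record (assumed layout): the profile
    whose password an INZPWD command initialized, and when."""
    usrprf: str
    init_at: datetime


def sweep(records, pwd_changed_at, today):
    """Apply the CHKINZPWD rules described above to each record.

    records        - list of InzpwdRecord
    pwd_changed_at - dict usrprf -> datetime of the last password change
                     (assumed stand-in for the RTVPWDSTS result)
    today          - date the scheduled job runs (00:05)
    Returns (disabled, deleted, kept) lists of profile names.
    """
    disabled, deleted, kept = [], [], []
    for rec in records:
        changed = pwd_changed_at.get(rec.usrprf)
        if changed is not None and changed > rec.init_at:
            # The user changed the password: the record is no longer needed.
            deleted.append(rec.usrprf)
        elif rec.init_at.date() < today:
            # Initialized on a previous day and never changed: disable the
            # profile and drop the record.
            disabled.append(rec.usrprf)
            deleted.append(rec.usrprf)
        else:
            # Initialized today: the user still has until the next run.
            kept.append(rec.usrprf)
    return disabled, deleted, kept


def sample_run():
    """Constructed sample data, not taken from a real system."""
    records = [
        InzpwdRecord("JONES", datetime(2024, 5, 1, 9, 0)),    # changed later
        InzpwdRecord("SMITH", datetime(2024, 5, 1, 10, 0)),   # never changed
        InzpwdRecord("BROWN", datetime(2024, 5, 2, 0, 1)),    # set today
    ]
    pwd_changed_at = {
        "JONES": datetime(2024, 5, 1, 14, 30),  # user picked a new password
        "SMITH": datetime(2024, 5, 1, 10, 0),   # still the INZPWD value
        "BROWN": datetime(2024, 5, 2, 0, 1),    # still the INZPWD value
    }
    return sweep(records, pwd_changed_at, date(2024, 5, 2))
```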
SETINZPWD Command parameters *CMD
----------------------------
DISABLE A *YES/*NO parameter for whether to disable any
profiles that have not changed since the last use of
INZPWD. *YES is the default which causes a switch
to be set in the SETINZPWD data area in TAASECURE
and causes the CHKINZPWD to be added as a job
schedule entry to run at 5 minutes after midnight.
Any profiles that have not had their password
changed since the last use of INZPWD (on a previous
day) are disabled.
*NO may be specified to prevent the disabling
function. This resets the switch and removes the
job schedule entry.
JOBD The fully qualified job description that will be
used to run the CHKINZPWD job. The default is
*USRPRF.
A specific job description and library may be
entered.
Restrictions
------------
** The user of either INZPWD, INZPWD2, or INZPWD3 must be
authorized to the TAAINZPWD authorization list, or have
*ALLOBJ authority. To add a user to the TAAINZPWD
authorization list, use ADDAUTLE AUTL(TAAINZPWD) USER(xxx)
AUT(*USE)
** A user properly authorized to use INZPWD, INZPWD2, or INZPWD3
(see above) can change any user profile except QSECOFR and
those specified in the INZPWD data area in TAASECURE.
** A user without *ALLOBJ authority cannot change QSECOFR, a user
profile that is specified in the INZPWD data area in
TAASECURE, or a user profile that has a special authority of
*ALLOBJ, *SECADM, or *SERVICE.
** The user of SETINZPWD must have both *ALLOBJ and *SECADM
special authorities.
** An invalid random password could be generated due to length
conflicts. Since INZPWD and INZPWD2 only allow password
lengths of 6 to 10 characters, length conflicts with the
password rules can happen.
** For example, if INZPWD2 length = 6, but the MINLEN = 10, the
password generated would be invalid. Similarly, if INZPWD2
length =10, but DGTMIN = 6, LTRMIN = 4, and SPCCHRMIN = 2, the
password generated would be invalid.
** An invalid random password could also be generated if a
password validation program is used with rules different from
the system password rules.
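The random-password rule given under "Password generation for INZPWD and INZPWD2" (first character a letter, no vowels, remaining characters A-Z without vowels and 1-9) and the length conflicts in the Restrictions above, as an added Python illustration; this is not the tool's own GENRANPWD2 code, and the rule names MINLEN, DGTMIN, LTRMIN and SPCCHRMIN are taken from the Restrictions text and treated here as plain minimum counts.

```python
import secrets
import string

# Alphabet the page describes for the case where *ALLCRTCHG is not in
# QPWDRULES: letters A-Z without vowels, and digits 1-9 (no zero).
CONSONANTS = "".join(c for c in string.ascii_uppercase if c not in "AEIOU")
DIGITS = "123456789"


def generate_inzpwd_style(length):
    """Build a password the way INZPWD/INZPWD2 do without *ALLCRTCHG:
    first character a consonant, the rest consonants or digits 1-9.
    The length is limited to the tool's 6-10 character range."""
    if not 6 <= length <= 10:
        raise ValueError("INZPWD/INZPWD2 length must be 6-10")
    first = secrets.choice(CONSONANTS)
    rest = "".join(secrets.choice(CONSONANTS + DIGITS) for _ in range(length - 1))
    return first + rest


def looks_inzpwd_style(pwd):
    """True if PWD matches the alphabet rule above."""
    return (len(pwd) > 0 and pwd[0] in CONSONANTS
            and all(c in CONSONANTS + DIGITS for c in pwd))


def length_conflicts(pwdlen, minlen=0, dgtmin=0, ltrmin=0, spcchrmin=0):
    """Return the reasons a password of PWDLEN characters can never satisfy
    the given minimums (the two cases the Restrictions section lists).
    An empty list means no length conflict; a non-empty list means an
    invalid password would be generated, so check this before running
    INZPWD2 with that length."""
    reasons = []
    if pwdlen < minlen:
        reasons.append(f"length {pwdlen} < MINLEN {minlen}")
    required = dgtmin + ltrmin + spcchrmin
    if required > pwdlen:
        reasons.append(f"DGTMIN+LTRMIN+SPCCHRMIN = {required} > length {pwdlen}")
    return reasons
```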
Prerequisites
-------------
The following TAA Tools must be on your system:
ADDDAT Add date
CHKOBJ3 Check object 3
CONARR Constant array
GENRANNBR Generate random number
GENRANPWD2 Generate random password 2
RTVDAT Retrieve date
RTVPWDSTS Retrieve password status
RTVSPCAUT Retrieve special authority
RTVSYSVAL3 Retrieve system value 3
SNDCOMPMSG Send completion message
SNDESCMSG Send escape message
Implementation
--------------
The tool is ready to use, but a user must be authorized to the
TAAINZPWD authorization list. For example,
ADDAUTLE AUTL(TAAINZPWD) USER(xxx) AUT(*USE)
The Security Officer may also specify certain user profiles that
cannot be changed by entering them into the INZPWD data area in
TAASECURE. To edit the list of invalid profiles, use the command:
EDTCONARR DTAARA(TAASECURE/INZPWD)
You do not need to enter QSECOFR as it is always prevented. You do
not need to add a user profile that has a special authority of
*ALLOBJ, *SECADM, or *SERVICE unless you do not want a user with
*ALLOBJ authority to be able to change these profiles. Any profile
with one or more of these special authorities will be prevented from
being changed by other code in the program.
Objects used by the tool
------------------------
Object       Type      Attribute   Src member   Src file
------       ----      ---------   ----------   ----------
INZPWD       *CMD                  TAASECX      QATTCMD
INZPWD2      *CMD                  TAASECX2     QATTCMD
SETINZPWD    *CMD                  TAASECX5     QATTCMD
CHKINZPWD    *CMD                  TAASECX6     QATTCMD
TAASECXC     *PGM      CLP         TAASECXC     QATTCL
TAASECXC2    *PGM      CLP         TAASECXC2    QATTCL
TAASECXC3    *PGM      CLP         TAASECXC3    QATTCL
TAASECXC4    *PGM      CLP         TAASECXC4    QATTCL
TAASECXC5    *PGM      CLP         TAASECXC5    QATTCL
TAASECXC6    *PGM      CLP         TAASECXC6    QATTCL
TAASECXC16   *PGM      CLP         TAASECXC16   QATTCL
TAASECXR4    *PGM      RPG         TAASECXR4    QATTRPG
TAASECXR6    *PGM      RPG         TAASECXR6    QATTRPG
INZPWDP      *FILE     PF          TAASECXP     QATTDDS
INZPWD       *DTAARA
SETINZPWD    *DTAARA
SETINZPWD    *USRSPC
INZPWD2      *USRSPC
The CL programs are created with USRPRF(*OWNER). The TAASECEC
program used is the CPP for RTVSPCAUT. It is called directly and
does not invoke any user commands.
The INZPWDP file, the SETINZPWD/INZPWD data areas, and the
INZPWD/INZPWD2 user spaces are in TAASECURE.
Structure
---------
INZPWD Cmd
   TAASECXC CL pgm
      TAASECXC4 CL pgm - Checks if record should occur to INZPWDP
      TAASECXR4 RPG pgm - Adds information to INZPWDP file
INZPWD2 Cmd
   TAASECXC2 CL pgm
      TAASECXC4 CL pgm - Checks if record should occur to INZPWDP
      TAASECXR4 RPG pgm - Adds information to INZPWDP file
INZPWD3 Cmd
   TAASECXC3 CL pgm
      TAASECXC4 CL pgm - Checks if record should occur to INZPWDP
      TAASECXR4 RPG pgm - Adds information to INZPWDP file
SETINZPWD Cmd
   TAASECXC5 CL pgm - Sets job schedule entry for CHKINZPWD
CHKINZPWD Cmd
   TAASECXC6 CL pgm
      TAASECXR6 RPG pgm - Reads INZPWDP and deletes some records
      TAASECXC16 CL pgm - Does RTVPWDSTS and CHGUSRPRF