Well, I had done something of this nature myself, but I never felt it was that secure because it didn't use encryption.

Basically, I created an RPG program on the AS/400 that accepted two parameters: the user's current password, and the password they wanted to change it to. The RPG program then called two APIs. The first API checked that their current password was correct. If the password was not correct, a return value was sent indicating incorrect password and the program terminated. If the password was correct, another API was called that changed the password to the second parameter. If any errors occurred, a return value indicating the error was returned, otherwise 0 was returned.

There was another RPG program that accepted two parameters (current and new passwords) and called the first RPG program. Depending on the return value, different HTML pages would be built indicating the return value. Then, on the AS/400, a web page was written that would call the RPG program with the two entered values in a POST-type form. This allowed the user to change their password from a browser.

We also decided to write a front end for this. It was a simple Delphi program with one edit window with current password, and 2 fields for new password, one for confirmation. The Delphi program would check that the 2 new passwords were the same before calling the web page. The Delphi program would then look at the returned page and display a certain line on it as the result.

The thing I did not like about this was that the current and new passwords had to move unencrypted over the network to reach the AS/400. A solution to this would be to encrypt the plain text passwords before they were sent in the Delphi or other program and decrypt them on the AS/400, but anything that can be decrypted is not that secure. The maximum length of an AS/400 password is 10 characters. A 10-character encrypted string can be decrypted using a brute force manner in a short period of time.

I do not think there is any way around this, however, and any password that goes to the AS/400, even through client access, is going to be visible on the wire, even though encrypted. And any such password can be decrypted through brute force.

Regards,

Jim Langston

Wayne Capwell wrote:

> Hello to all,
> I have been asked to find out how AS/400 users can change their
> passwords using a web browser application. We will synch user info to
> the NT Domain server to enable validation and signon. The AS/400
> passwords expire every 30 days. The users must be able to maintain
> their passwords without leaving the web application (a combination of
> Cold Fusion, JavaScript and HTML). Off the shelf packages are OK, or
> IBM supplied API that support some sort of encryption (we don't want
> passwords xmitted over the internet in the clear.)
> Any and all suggestions are appreciated.
> TIA and happy new year to all.
> Wayne
> --

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.