On 12-Nov-2013 09:22 -0800, Matt Pryor wrote:
<<SNIP>>
> If I pass in QSECOFR with password in args 2 and 3, I get a
> connection. If I pass in the user profile I'd like to run as
> (TLXDRIVER) I get "general security error" ConnectionPoolException.

The first thing I would check is for Authority Failure conditions, i.e. T-AF entries in the audit log, because the other user is unlikely to have the *ALLOBJ Special Authority. Another test with that other user temporarily having that special authority would confirm a lack of authority to /a resource/ but not be helpful to determine to which resource some\more authority is required... like the audit log would reveal.

> The user id and password are valid (tested this by changing
> them and got the expected error messages).

Not sure I understand what that means exactly. Signed on interactively and used CHGPWD to test the "Current password" and to reset to the "New password", or perhaps something else was done? What /password level/ is in effect for the server; then, was the password of the successful QSECOFR and the failing users effectively the same with regard to both how they were formed and passed as arguments [as in case: mixed, lower, upper]?

I infer that minimally, the intended implication is that the UsrPrf is both *ENABLED and that the password for the user is not expired?

> This is only happening on one customer site, never been a problem
> before. Can anyone point me in the right direction on what to
> suggest to the customer? I wasn't aware that there was any
> particular permissions required to allow a user profile to connect
> via the java toolkit and the IBM FAQs don't really help much.

What is the link to the FAQ so we know what not to suggest? Perhaps?:
www.ibm.com/systems/i/software/toolbox/troubleshooting.html#comm

Can the user sign on interactively [at a 5250 workstation session] with that same password? Is the user properly authorized to itself and to any [supplemental] group profiles? Was the auditing enabled for just about everything, and the audit log checked for anything from just before the time of [until just after] the connection [and failure]; at least looking for T-AF and T-PW entries?

Is there an exit-program registered for the host Signon server feature, that perhaps is rejecting that user [see WRKREGINF for the QIBM_QZSO_SIGNONSRV]?
http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/topic/apis/ss1d.htm
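
The checks suggested in the reply above, written out as IBM i CL commands to run on the customer system from a suitably authorized profile. This is an added example, not part of the original post; the date and time values are constructed placeholders to be replaced with a window around the failed connection attempt.

```cl
/* Password level in effect on the system (QPWDLVL), which governs     */
/* how password case and length are treated.                           */
DSPSYSVAL SYSVAL(QPWDLVL)

/* Status (*ENABLED or *DISABLED), password expiration, special        */
/* authorities and group/supplemental group profiles of the user.      */
DSPUSRPRF USRPRF(TLXDRIVER)

/* Authority to the user profile object itself.                        */
DSPOBJAUT OBJ(QSYS/TLXDRIVER) OBJTYPE(*USRPRF)

/* Confirm auditing is active. AF and PW entries are only written when */
/* QAUDCTL includes *AUDLVL and QAUDLVL includes *AUTFAIL.             */
DSPSYSVAL SYSVAL(QAUDCTL)
DSPSYSVAL SYSVAL(QAUDLVL)

/* Authority failure (T-AF) and invalid password/user (T-PW) entries   */
/* in the security audit journal. The FROMTIME/TOTIME values below are */
/* constructed placeholders in the job's date format.                  */
DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) +
       FROMTIME('11/12/13' '09:00:00') +
       TOTIME('11/12/13' '09:30:00') +
       JRNCDE((T)) ENTTYP(AF PW)

/* Exit programs registered for the host Signon server exit point.     */
WRKREGINF EXITPNT(QIBM_QZSO_SIGNONSRV)
```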

