For the green screen I suppose an "Initial Program" or INLPGM from the user profile could then activate any extraneous authorization methods, up to and including retinal scanning. And it could use the swap profile APIs, if need be. I know there is an API that will retrieve the IP address of the 5250 session being used. Quite Easily Done or QED. The hard part is matching the physical retinal scan to a known database. But that, I assume, we are using a canned package for. That's the "standing on the shoulders of giants" part.

Rob Berendt
--
Group Dekko Services, LLC
Dept 01.073
PO Box 2000 Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com

Patrick Botz <botz@xxxxxxxxxx>
Sent by: midrange-l-bounces@midrange.com
08/05/2004 02:50 PM
To: Midrange Systems Technical Discussion <midrange-l@midrange.com>
cc:
Subject: Re: Replacing the AS400 signon manager?
Please respond to Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>

Depending on the interfaces you want to enable for this, it may be possible. What you are asking for is two different things. First, you want to authenticate with -- what to OS/400 is -- a "foreign" authentication mechanism. Second, based on the ID in this other authentication mechanism you want to choose the appropriate "local" user profile to run under.

As long as you control the interfaces (client and server) that are doing the authentication, then you can make this work. You have to change the client side that actually prompts the user for authentication (e.g. the FTP client, or the Telnet client) and provide an exit point for the server side that verifies the authentication mechanism provided by the client. This is exactly what we did to enable SSO with Windows Domain sign-on to many of the OS owned interfaces.

To get the second part, you would include in your exit point program a call to EIM to map from the ID provided by the user to an ID you wanted that user to use for that specific application. I won't go into all of the possible ways you could configure the info in EIM to do what you want; suffice it to say that you could make it do what you have stated below.

The reality of the situation is that you probably don't own the client-side code for at least some of the interfaces you would want to enable to use a different authentication mechanism. Also, there is no approach that will work today for changing the behavior of a green screen sign-on from a dumb terminal.

Patrick Botz
Senior Technical Staff Member
eServer Security Architect
(507) 253-0917, T/L 553-0917
email: botz@xxxxxxxxxx

jared <jhunter@xxxxxxxx.edu>
Sent by: midrange-l-bounces@xxxxxxxxxxxx
08/05/2004 02:24 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
cc:
Subject: Re: Replacing the AS400 signon manager?
Please respond to Midrange Systems Technical Discussion

> Others have responded more clearly than me.
>
> What "very strong authentication" may mean can differ from one to
> another. For example, how would one stop and prompt for a retinal scan
> during the middle of a ftp session, versus during the middle of a 5250
> signon?

That's actually a lot closer to what I'm asking. How can I start an out-of-band authentication protocol with the client host (based on retinal scans, or cryptographic certificates, or midi keyboards, whatever) and use the result of that conversation to either allow or disallow signon? And maybe I want to let the connection proceed, but under a different user profile... is that possible?

-Jared

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
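As an added illustration of the two-step flow in Patrick Botz's message (a server-side exit verifies the foreign credential, then consults EIM to pick the local profile), here is a Python model; it is not code from the list or from IBM and does not call the real EIM APIs. The registry names, users, the `EimDomain` class and the `sample_verify` callback are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class EimDomain:
    """Constructed stand-in for an EIM domain (not the real EIM API).
    Source associations: (source registry, user) -> EIM identifier.
    Target associations: (EIM identifier, target registry) -> local users."""
    source: Dict[Tuple[str, str], str]
    target: Dict[Tuple[str, str], List[str]]

    def get_target_from_source(self, src_registry: str, src_user: str,
                               tgt_registry: str) -> Optional[str]:
        ident = self.source.get((src_registry, src_user))
        if ident is None:
            return None          # foreign ID has no source association
        users = self.target.get((ident, tgt_registry), [])
        if len(users) != 1:
            return None          # no target, or more than one: refuse to guess
        return users[0]


def signon_exit(domain: EimDomain, verify: Callable[[str, str], bool],
                src_registry: str, src_user: str, credential: str,
                tgt_registry: str = "MYAS400") -> Tuple[bool, Optional[str]]:
    """Server-side exit decision: (accept, local profile to run under).
    The foreign credential is verified before any mapping lookup, so an
    unverified caller cannot probe which IDs are mapped."""
    if not verify(src_user, credential):
        return (False, None)
    profile = domain.get_target_from_source(src_registry, src_user, tgt_registry)
    if profile is None:
        return (False, None)     # authenticated, but no usable local profile
    return (True, profile)


# Constructed sample data: a hypothetical foreign registry and local system.
SAMPLE_DOMAIN = EimDomain(
    source={("SCAN.EXAMPLE.COM", "alice"): "Alice Example",
            ("SCAN.EXAMPLE.COM", "bob"): "Bob Example",
            ("SCAN.EXAMPLE.COM", "carol"): "Carol Example"},
    target={("Alice Example", "MYAS400"): ["ALICE"],
            ("Carol Example", "MYAS400"): ["CAROL1", "CAROL2"]},  # ambiguous
)

# Toy out-of-band verifier: pretend the scanner package returned these tokens.
_ACCEPTED_TOKENS = {"alice": "scan-token-1", "bob": "scan-token-2",
                    "carol": "scan-token-3"}


def sample_verify(user: str, credential: str) -> bool:
    return _ACCEPTED_TOKENS.get(user) == credential
```

Note that bob (authenticated, no target association) and carol (two candidate profiles) are both refused: a mapping step that guessed in either case would quietly grant the wrong profile.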