Look at the journal code T entry type PW. Use DSPJRN against journal QAUDJRN to an outfile using outfile format *TYPE5. If you have FIXLENDTA( *RMTADR) set you will see the client IP address if it was available. Use WRKJRNA JRN(QAUDJRN) to see what fixed length data you are collecting for each journal entry.
Query the outfile by and the first character in the JOESD field and creation timestamp. Look for a P in the first position of the JOESD field. P is set for password not valid.
Here are the values for position 1. You can find the entire layout in the Security Reference manual.
A APPC bind failure.
C User authentication with the CHKPWD command failed.
D Service tools user ID name not valid. E Service tools user ID password not valid.
P Password not valid.
Q Attempted signon (user authentication) failed because user profile is disabled.
R Attempted signon (user authentication) failed because password was expired. This audit record might not occur for some user authentication mechanisms.
Some authentication mechanisms do not check for expired passwords.
S SQL Decryption password is not valid.
U User name not valid. X Service tools user ID is disabled.
Y Service tools user ID not valid.
Z Service tools user ID password not valid.
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Paul Therrien
Sent: Wednesday, May 16, 2012 2:01 PM
Subject: RVI Client with invalid password disables common user - how can we find the culprit?
We use RVI (Real Vision) for our imaging package to image IBM I spool files and other documents.
We have a single client profile that all users use to view images. Each RVI client connects with the same user profile and password.
One of our client machines seems to have a bad password as the user profile was disabled yesterday afternoon.
This did not affect anyone until this morning when people began signing in again with their RVI Clients.
I can see in the QHST log that the user profile was disabled, but I cannot see what job or connection caused the failure.
Is there a way I can find this information out? I guess I want the IP address of the PC that initiated the connection that caused the user profile to get disabled.
We have security auditing '*SECURITY' on, but this doesn't seem to give us what we want.
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l
As an Amazon Associate we earn from qualifying purchases.