× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. May 2017

Re: How SST user was disabled?

Because the supporting services are not ready yet ?
The LAN Console can happen prior to the database being ready and therefore
journalling would not be "active"; I suppose it could be queued.
Just to clarofy, when you say LAN Console signon are you talking about the
SST/Console takeover function or the actual password user id entry at the
signon display.

On Thu, May 4, 2017 at 7:50 AM, Rob Berendt <rob@xxxxxxxxx> wrote:

In short, if it can log a failure when you do a STRSST and enter an
invalid password, why can't it log a failure when the lan console enters
an invalid password?


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: Evan Harris <auctionitis@xxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 05/03/2017 03:42 PM
Subject: Re: How SST user was disabled?
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



I don't really see how that of itself rules out the FSP, but I tend to
agree with you. Bigger factor for me is that as I recall SST passwords and
profiles come back when you do a recovery so I figure there is something
storage area defined in the LPAR and accessed via LIC.

I can see that SST log on attempts, particularly from the console might
not
be in the journal. You can log onto SST (well I guess technically it's
DST)
before the system is actually started or the OS is even installed, so it
must be quite separate from the OS.




On Thu, May 4, 2017 at 5:30 AM, Rob Berendt <rob@xxxxxxxxx> wrote:

Not the FSP. You can have a different password for QSECOFR in STRSST
for
each different lpar.


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: Vernon Hamberg <vhamberg@xxxxxxxxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 05/03/2017 01:22 PM
Subject: Re: How SST user was disabled?
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



I'm kind of pulling this out of where the sun don't shine, but I believe
that the service tools authentication would be done in the FSP or
hypervisor or whatever now, not the OS, especially when coming in from a
console, which connects directly not to the OS but to the - I'll say FSP
again - it's been so long I'm not sure exactly what touches what these
days.

With STRSST, there IS a direct connection to the OS - your session - so
maybe that can percolate the error from the other side.

But let's see what IBM say - and maybe you have a good RFE candidate, as
I don't really think its' a bug.

Good luck
Vern

On 5/3/2017 10:34 AM, Justin Taylor wrote:
That was their initial response. They sent the issue to a different
team, and I waiting for an answer.

-----Original Message-----
From: Rob Berendt [mailto:rob@xxxxxxxxx]
Sent: Wednesday, May 03, 2017 9:23 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: RE: How SST user was disabled?

By this comment:
<snip>
They are logged only for sign-on to the OS itself.
</snip>
I suspect they are not aware that it logs for failures when trying
STRSST.
Push back. Or at least ask them about that.


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: Justin Taylor <JUSTIN@xxxxxxxxxxxxx>
To: Midrange Systems Technical Discussion
<midrange-l@xxxxxxxxxxxx>
Date: 05/03/2017 10:20 AM
Subject: RE: How SST user was disabled?
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



Well Vern, it appears that IBM agrees with you. Here's what they sent
me:

there are no entries logged from *AUTFAIL in QUADJRN for failed
sign-on
attempts to the console. They are logged only for sign-on to the OS
itself.


From: Justin Taylor
Sent: Tuesday, May 02, 2017 7:00 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: Re: How SST user was disabled?


It's a service tools user, so (AFAIK) the OS has to do the
authentication.
If I do the same thing in a 5250 STRSST, it gets logged.



________________________________
From: Vernon Hamberg <vhamberg@xxxxxxxxxxxxxxx<
mailto:vhamberg@xxxxxxxxxxxxxxx>>
Sent: Tuesday, May 2, 2017 5:07 PM
To: Midrange Systems Technical Discussion
Subject: Re: How SST user was disabled?

That makes sense, right? The console is not running on the OS, IIRC,
so
the audit log is not in play, so far as I can tell.

Someone please verify - it's been forever since I played in that
world.

Vern


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD




--

Regards
Evan Harris
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD





As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.