RE: How SST user was disabled?

Those errors are logged in the LIC.

Start a console
Go to the HMC
Control Panel functions
Option 21: Activate Dedicated Storage tools
Option 6: Service tools Security Data
Option 3: Work with service tools security log

From there you can look at the log entries, IE I just did that and this is

the entry that shows I logged in:

Date/Time of activity . . : 05/03/17 23:01:27.689
Activity description . . : Check privilege conjunction
Affected ID . . . . . . . : JIM
Status . . . . . . . . . : Function allowed, privilege granted.
Description . . . . . . . : Service tool security

When you exit it will restart the console session.

You will turn on the Attention light for that partition when you do that.
The attention light will go off when you exit.

--
Jim Oberholtzer
Agile Technology Architects


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Evan
Harris
Sent: Wednesday, May 03, 2017 4:03 PM
To: Midrange Systems Technical Discussion
Subject: Re: How SST user was disabled?

Because the supporting services are not ready yet ?
The LAN Console can happen prior to the database being ready and therefore
journalling would not be "active"; I suppose it could be queued.
Just to clarofy, when you say LAN Console signon are you talking about the
SST/Console takeover function or the actual password user id entry at the
signon display.

On Thu, May 4, 2017 at 7:50 AM, Rob Berendt <rob@xxxxxxxxx> wrote:

In short, if it can log a failure when you do a STRSST and enter an
invalid password, why can't it log a failure when the lan console
enters an invalid password?


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: Evan Harris <auctionitis@xxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 05/03/2017 03:42 PM
Subject: Re: How SST user was disabled?
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



I don't really see how that of itself rules out the FSP, but I tend to
agree with you. Bigger factor for me is that as I recall SST passwords
and profiles come back when you do a recovery so I figure there is
something storage area defined in the LPAR and accessed via LIC.

I can see that SST log on attempts, particularly from the console
might not be in the journal. You can log onto SST (well I guess
technically it's
DST)
before the system is actually started or the OS is even installed, so
it must be quite separate from the OS.




On Thu, May 4, 2017 at 5:30 AM, Rob Berendt <rob@xxxxxxxxx> wrote:

Not the FSP. You can have a different password for QSECOFR in
STRSST

for

each different lpar.


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: Vernon Hamberg <vhamberg@xxxxxxxxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 05/03/2017 01:22 PM
Subject: Re: How SST user was disabled?
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



I'm kind of pulling this out of where the sun don't shine, but I
believe that the service tools authentication would be done in the
FSP or hypervisor or whatever now, not the OS, especially when
coming in from a console, which connects directly not to the OS but
to the - I'll say FSP again - it's been so long I'm not sure exactly
what touches what these days.

With STRSST, there IS a direct connection to the OS - your session -
so maybe that can percolate the error from the other side.

But let's see what IBM say - and maybe you have a good RFE
candidate, as I don't really think its' a bug.

Good luck
Vern

On 5/3/2017 10:34 AM, Justin Taylor wrote:

That was their initial response. They sent the issue to a
different

team, and I waiting for an answer.

-----Original Message-----
From: Rob Berendt [mailto:rob@xxxxxxxxx]
Sent: Wednesday, May 03, 2017 9:23 AM
To: Midrange Systems Technical Discussion
<midrange-l@xxxxxxxxxxxx>
Subject: RE: How SST user was disabled?

By this comment:
<snip>
They are logged only for sign-on to the OS itself.
</snip>
I suspect they are not aware that it logs for failures when trying

STRSST.

Push back. Or at least ask them about that.


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept
1600

Mail to: 2505 Dekko Drive

Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: Justin Taylor <JUSTIN@xxxxxxxxxxxxx>
To: Midrange Systems Technical Discussion

<midrange-l@xxxxxxxxxxxx>

Date: 05/03/2017 10:20 AM
Subject: RE: How SST user was disabled?
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



Well Vern, it appears that IBM agrees with you. Here's what they
sent

me:

there are no entries logged from *AUTFAIL in QUADJRN for failed

sign-on

attempts to the console. They are logged only for sign-on to the
OS itself.


From: Justin Taylor
Sent: Tuesday, May 02, 2017 7:00 PM
To: Midrange Systems Technical Discussion
<midrange-l@xxxxxxxxxxxx>
Subject: Re: How SST user was disabled?


It's a service tools user, so (AFAIK) the OS has to do the

authentication.

If I do the same thing in a 5250 STRSST, it gets logged.



________________________________
From: Vernon Hamberg <vhamberg@xxxxxxxxxxxxxxx<
mailto:vhamberg@xxxxxxxxxxxxxxx>>
Sent: Tuesday, May 2, 2017 5:07 PM
To: Midrange Systems Technical Discussion
Subject: Re: How SST user was disabled?

That makes sense, right? The console is not running on the OS,
IIRC,

so

the audit log is not in play, so far as I can tell.

Someone please verify - it's been forever since I played in that

world.

Vern

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our
affiliate
link: http://amzn.to/2dEadiD


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our
affiliate
link: http://amzn.to/2dEadiD

--

Regards
Evan Harris
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD