×

Good News Everybody!

The new search engine is LIVE!

Please report any problems to david (at) midrange.com.



  1.  Home
  2. SECURITY400
  3. May 2007

Re: Security400 Digest, Vol 5, Issue 16

Steve
Since you are using the profiles for batch only jobs, what you
need to do is have the Password set to *NONE this will stop the user
profile from accidently getting *Disabled.
If the above solution will not work, you could write a Password
Validation Program to handle this scenario. add the validation program to
system value QPWDVLDPGM or you could attach exit program to
QIBM_QSY_VLD_PASSWRD Exit Point


Hope this helps

Tony

----------------------------------------------------------------------

From: security400-request@xxxxxxxxxxxx
Reply-To: security400@xxxxxxxxxxxx
To: security400@xxxxxxxxxxxx
Subject: Security400 Digest, Vol 5, Issue 16
Date: Wed, 09 May 2007 12:00:10 -0500
>Send Security400 mailing list submissions to
> security400@xxxxxxxxxxxx
>
>To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.midrange.com/mailman/listinfo/security400
>or, via email, send a message with subject or body 'help' to
> security400-request@xxxxxxxxxxxx
>
>You can reach the person managing the list at
> security400-owner@xxxxxxxxxxxx
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of Security400 digest..."
>
>
>Today's Topics:
>
> 1. Disabled Userids (Neeland, Steve)
> 2. Re: Disabled Userids (Turnidge, Dave)
> 3. Re: Disabled Userids (Jim Franz)
> 4. Re: Disabled Userids (Jones, John (US))
> 5. Re: Disabled Userids (Bruce Vining)
> 6. Re: Disabled Userids (Neeland, Steve)
> 7. Re: Disabled Userids (Mark S. Waterbury)
> 8. Re: Disabled Userids (Wayne McAlpine)
>
>
>----------------------------------------------------------------------
>
>message: 1
>date: Wed, 9 May 2007 08:14:20 -0500
>from: "Neeland, Steve" <Steve.Neeland@xxxxxxxxxxxxxx>
>subject: [Security400] Disabled Userids
>
>Is anyone aware if a way exists to exempt a userid profile from
>switching to a *DISABLED status when too many invalid passwords may be
>entered? We have some special userids used for batch-only applications,
>and if they happened to get disabled the applications would return
>abends.
>
>Thanks!
>Steve
>
>
>
>------------------------------
>
>message: 2
>date: Wed, 9 May 2007 08:17:23 -0500
>from: "Turnidge, Dave" <DTurnidge@xxxxxxxxxxxxxxxxxxxx>
>subject: Re: [Security400] Disabled Userids
>
><confused> You should ALWAYS disable a profile if an INVALID password
is
>entered... Do you mean "Password Expiration"? If so, GO SECTOOLS option
>3 will resolve your problem.
>
>-----Original Message-----
>From: security400-bounces@xxxxxxxxxxxx
>[mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Neeland, Steve
>Sent: Wednesday, May 09, 2007 8:14 AM
>To: Security Administration on the AS400 / iSeries
>Subject: [Security400] Disabled Userids
>
>Is anyone aware if a way exists to exempt a userid profile from
>switching to a *DISABLED status when too many invalid passwords may be
>entered? We have some special userids used for batch-only applications,
>and if they happened to get disabled the applications would return
>abends.
>
>Thanks!
>Steve
>
>_______________________________________________
>This is the Security Administration on the AS400 / iSeries
(Security400)
>mailing list To post a message email: Security400@xxxxxxxxxxxx To
>subscribe, unsubscribe, or change list options,
>visit: http://lists.midrange.com/mailman/listinfo/security400
>or email: Security400-request@xxxxxxxxxxxx Before posting, please take
a
>moment to review the archives at
>http://archive.midrange.com/security400.
>
>
>
>
>------------------------------
>
>message: 3
>date: Wed, 9 May 2007 09:23:34 -0400
>from: "Jim Franz" <franz400@xxxxxxxxxxxx>
>subject: Re: [Security400] Disabled Userids
>
>The system value rules for # times bad password and what action
>are global. But you can in the profile set this "batch-only" profile
>to not expire to avoid an expire problem.
>Set password to expired . . . . *NO
>If it is "batch-only", then how did you hit this problem?
>jim
>
>----- Original Message -----
>From: "Neeland, Steve" <Steve.Neeland@xxxxxxxxxxxxxx>
>To: "Security Administration on the AS400 / iSeries"
><security400@xxxxxxxxxxxx>
>Sent: Wednesday, May 09, 2007 9:14 AM
>Subject: [Security400] Disabled Userids
>
>
> > Is anyone aware if a way exists to exempt a userid profile from
> > switching to a *DISABLED status when too many invalid passwords may
be
> > entered? We have some special userids used for batch-only
applications,
> > and if they happened to get disabled the applications would return
> > abends.
> >
> > Thanks!
> > Steve
> >
> > _______________________________________________
> > This is the Security Administration on the AS400 / iSeries
(Security400)
> > mailing list
> > To post a message email: Security400@xxxxxxxxxxxx
> > To subscribe, unsubscribe, or change list options,
> > visit: http://lists.midrange.com/mailman/listinfo/security400
> > or email: Security400-request@xxxxxxxxxxxx
> > Before posting, please take a moment to review the archives
> > at http://archive.midrange.com/security400.
> >
>
>
>
>
>------------------------------
>
>message: 4
>date: Wed, 9 May 2007 09:15:13 -0500
>from: "Jones, John \(US\)" <John.Jones@xxxxxxxxxx>
>subject: Re: [Security400] Disabled Userids
>
>I agree with the others .. Profiles used exclusively for batch
>processing shouldn't be getting disabled unless someone is mis-using
>them or you have some external process that's disabling them [like
>ANZDFTPWD ACTION(*DISABLE)].
>
>That said there are workarounds. A band aid would be to have your batch
>PGM call a PGM that adopts authority to a SECADM-level account and does
>a CHGUSRPRF XXXXX STATUS(*ENABLED) PASSWORD(YYYYY) before the profile
is
>needed. Or put that code in some PGM that runs each day.
>
>But the real fix is to find what's disabling the profile and take care
>of that. For instance, with the ANZDFTPWD command you can create a list
>of profiles for the command to ignore. Or, if you see invalid signon
>attempts for the profile, track down who is trying to use the batch
>profile interactively.
>
>--
>John A. Jones, CISSP
>Americas Information Security Officer
>Jones Lang LaSalle, Inc.
>V: +1-630-455-2787 F: +1-312-601-1782
>john.jones@xxxxxxxxxx
>
>-----Original Message-----
>From: security400-bounces@xxxxxxxxxxxx
>[mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Jim Franz
>Sent: Wednesday, May 09, 2007 8:24 AM
>To: Security Administration on the AS400 / iSeries
>Subject: Re: [Security400] Disabled Userids
>
>The system value rules for # times bad password and what action are
>global. But you can in the profile set this "batch-only" profile to not
>expire to avoid an expire problem.
>Set password to expired . . . . *NO
>If it is "batch-only", then how did you hit this problem?
>jim
>
>----- Original Message -----
>From: "Neeland, Steve" <Steve.Neeland@xxxxxxxxxxxxxx>
>To: "Security Administration on the AS400 / iSeries"
><security400@xxxxxxxxxxxx>
>Sent: Wednesday, May 09, 2007 9:14 AM
>Subject: [Security400] Disabled Userids
>
>
> > Is anyone aware if a way exists to exempt a userid profile from
> > switching to a *DISABLED status when too many invalid passwords may
be
> > entered? We have some special userids used for batch-only
>applications,
> > and if they happened to get disabled the applications would return
> > abends.
> >
> > Thanks!
> > Steve
> >
> > _______________________________________________
> > This is the Security Administration on the AS400 / iSeries
>(Security400)
> > mailing list
> > To post a message email: Security400@xxxxxxxxxxxx
> > To subscribe, unsubscribe, or change list options,
> > visit: http://lists.midrange.com/mailman/listinfo/security400
> > or email: Security400-request@xxxxxxxxxxxx
> > Before posting, please take a moment to review the archives
> > at http://archive.midrange.com/security400.
> >
>
>
>_______________________________________________
>This is the Security Administration on the AS400 / iSeries
(Security400)
>mailing list
>To post a message email: Security400@xxxxxxxxxxxx
>To subscribe, unsubscribe, or change list options,
>visit: http://lists.midrange.com/mailman/listinfo/security400
>or email: Security400-request@xxxxxxxxxxxx
>Before posting, please take a moment to review the archives
>at http://archive.midrange.com/security400.
>
>
>This email is for the use of the intended recipient(s) only. If you
have
>received this email in error, please notify the sender immediately and
then
>delete it. If you are not the intended recipient, you must not keep,
use,
>disclose, copy or distribute this email without the author's prior
>permission. We have taken precautions to minimize the risk of
transmitting
>software viruses, but we advise you to carry out your own virus checks
on
>any attachment to this message. We cannot accept liability for any loss
>or damage caused by software viruses. The information contained in this
>communication may be confidential and may be subject to the
attorney-client
>privilege. If you are the intended recipient and you do not wish to
receive
>similar electronic messages from us in the future then please respond
to the
>sender to this effect.
>
>
>
>------------------------------
>
>message: 5
>date: Wed, 9 May 2007 09:16:22 -0500
>from: Bruce Vining <bvining@xxxxxxxxxx>
>subject: Re: [Security400] Disabled Userids
>
>In the July 2006 issue of System iNews there was an article "Watching
for
>Messages Made Easy" which monitored for a specific user profile being
>disabled due to the number of invalid password attempts, and then
>re-enabling that specific user profile. The article provided examples
in
>CL, RPG, COBOL, and C. The article is based on the V5R4 message watch
>capability of i5/OS.
>
>Bruce Vining
>
>
>
>
>"Jim Franz" <franz400@xxxxxxxxxxxx>
>Sent by: security400-bounces@xxxxxxxxxxxx
>05/09/2007 08:23 AM
>Please respond to
>Security Administration on the AS400 / iSeries
<security400@xxxxxxxxxxxx>
>
>
>To
>"Security Administration on the AS400 / iSeries"
><security400@xxxxxxxxxxxx>
>cc
>
>Subject
>Re: [Security400] Disabled Userids
>
>
>
>
>
>
>The system value rules for # times bad password and what action
>are global. But you can in the profile set this "batch-only" profile
>to not expire to avoid an expire problem.
>Set password to expired . . . . *NO
>If it is "batch-only", then how did you hit this problem?
>jim
>
>----- Original Message -----
>From: "Neeland, Steve" <Steve.Neeland@xxxxxxxxxxxxxx>
>To: "Security Administration on the AS400 / iSeries"
><security400@xxxxxxxxxxxx>
>Sent: Wednesday, May 09, 2007 9:14 AM
>Subject: [Security400] Disabled Userids
>
>
> > Is anyone aware if a way exists to exempt a userid profile from
> > switching to a *DISABLED status when too many invalid passwords may
be
> > entered? We have some special userids used for batch-only
applications,
> > and if they happened to get disabled the applications would return
> > abends.
> >
> > Thanks!
> > Steve
> >
> > _______________________________________________
> > This is the Security Administration on the AS400 / iSeries
(Security400)
>
> > mailing list
> > To post a message email: Security400@xxxxxxxxxxxx
> > To subscribe, unsubscribe, or change list options,
> > visit: http://lists.midrange.com/mailman/listinfo/security400
> > or email: Security400-request@xxxxxxxxxxxx
> > Before posting, please take a moment to review the archives
> > at http://archive.midrange.com/security400.
> >
>
>
>_______________________________________________
>This is the Security Administration on the AS400 / iSeries
(Security400)
>mailing list
>To post a message email: Security400@xxxxxxxxxxxx
>To subscribe, unsubscribe, or change list options,
>visit: http://lists.midrange.com/mailman/listinfo/security400
>or email: Security400-request@xxxxxxxxxxxx
>Before posting, please take a moment to review the archives
>at http://archive.midrange.com/security400.
>
>
>
>
>------------------------------
>
>message: 6
>date: Wed, 9 May 2007 09:21:53 -0500
>from: "Neeland, Steve" <Steve.Neeland@xxxxxxxxxxxxxx>
>subject: Re: [Security400] Disabled Userids
>
>Haven't hit it yet - The application is being migrated from mainframe
to
>iSeries and they are concerned that their application will go down if
>these two specific non-interactive userids get disabled somehow. I need
>to check the effect of setting the password to *NONE on the batch
>process and also the invalid password attempts. I've told them I doubt
>there is a solution to this inquiry, but I needed to say I've
researched
>it.
>
>Like they say on the TV show The Office, "I'll check wikipedia.com. If
>everyone in the world can contribute to it, you know you're only
getting
>the best answers...."
>
>
>
>-----Original Message-----
>From: security400-bounces@xxxxxxxxxxxx
>[mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Jim Franz
>Sent: Wednesday, May 09, 2007 8:24 AM
>To: Security Administration on the AS400 / iSeries
>Subject: Re: [Security400] Disabled Userids
>
>The system value rules for # times bad password and what action
>are global. But you can in the profile set this "batch-only" profile
>to not expire to avoid an expire problem.
>Set password to expired . . . . *NO
>If it is "batch-only", then how did you hit this problem?
>jim
>
>----- Original Message -----
>From: "Neeland, Steve" <Steve.Neeland@xxxxxxxxxxxxxx>
>To: "Security Administration on the AS400 / iSeries"
><security400@xxxxxxxxxxxx>
>Sent: Wednesday, May 09, 2007 9:14 AM
>Subject: [Security400] Disabled Userids
>
>
> > Is anyone aware if a way exists to exempt a userid profile from
> > switching to a *DISABLED status when too many invalid passwords may
be
> > entered? We have some special userids used for batch-only
>applications,
> > and if they happened to get disabled the applications would return
> > abends.
> >
> > Thanks!
> > Steve
> >
> > _______________________________________________
> > This is the Security Administration on the AS400 / iSeries
>(Security400)
> > mailing list
> > To post a message email: Security400@xxxxxxxxxxxx
> > To subscribe, unsubscribe, or change list options,
> > visit: http://lists.midrange.com/mailman/listinfo/security400
> > or email: Security400-request@xxxxxxxxxxxx
> > Before posting, please take a moment to review the archives
> > at http://archive.midrange.com/security400.
> >
>
>
>_______________________________________________
>This is the Security Administration on the AS400 / iSeries
(Security400)
>mailing list
>To post a message email: Security400@xxxxxxxxxxxx
>To subscribe, unsubscribe, or change list options,
>visit: http://lists.midrange.com/mailman/listinfo/security400
>or email: Security400-request@xxxxxxxxxxxx
>Before posting, please take a moment to review the archives
>at http://archive.midrange.com/security400.
>
>
>
>
>------------------------------
>
>message: 7
>date: Wed, 09 May 2007 10:57:04 -0400
>from: "Mark S. Waterbury" <mark.s.waterbury@xxxxxxx>
>subject: Re: [Security400] Disabled Userids
>
>Hi, Steve:
>
>What about:
> CHGUSRPRF USRPRF(xxxxxxxx) PWDEXPITV(*NOMAX)
>
>Regards,
>
>Mark S. Waterbury
>
> > Neeland, Steve wrote:
> > Is anyone aware if a way exists to exempt a userid profile from
> > switching to a *DISABLED status when too many invalid passwords may
be
> > entered? We have some special userids used for batch-only
applications,
> > and if they happened to get disabled the applications would return
> > abends.
> >
> > Thanks!
> > Steve
>
>
>------------------------------
>
>message: 8
>date: Wed, 09 May 2007 11:03:35 -0500
>from: Wayne McAlpine <wayne.mcalpine@xxxxxxxxxxxxxxxxx>
>subject: Re: [Security400] Disabled Userids
>
>Change the password to *NONE. You can still submit jobs to batch using
>this profile, but it will never be disabled.
>
>Neeland, Steve wrote:
> > Is anyone aware if a way exists to exempt a userid profile from
> > switching to a *DISABLED status when too many invalid passwords may
be
> > entered? We have some special userids used for batch-only
applications,
> > and if they happened to get disabled the applications would return
> > abends.
> >
> > Thanks!
> > Steve
> >
>
>
>------------------------------
>
>_______________________________________________
>This is the Security Administration on the AS400 / iSeries
(Security400) digest list
>To post a message email: Security400@xxxxxxxxxxxx
>To subscribe, unsubscribe, or change list options,
>visit: http://lists.midrange.com/mailman/listinfo/security400
>or email: Security400-request@xxxxxxxxxxxx
>Before posting, please take a moment to review the archives
>at http://archive.midrange.com/security400.
>
>
>
>End of Security400 Digest, Vol 5, Issue 16
>******************************************

----------------------------------------------------------------------

Catch suspicious messages before you open them*with Windows Live Hotmail.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2026 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.