Link to home
Start Free TrialLog in
Avatar of sultan666
sultan666

asked on

call exe program on a remote windows PC from AS400

HI all,

we are trying to call an EXE program on a remote windows PC from AS400.
the PC has client access v2r5.

i need to know the steps on what to do about that.
sorry for the beiggners question
Avatar of FarWest
FarWest

you can start telnet service on your PC and use normal telnet access and command from AS400
this is for interactive execution
Avatar of sultan666

ASKER

Thanks for the reply, but we want to use client access for single commands requests
I don't know if the client access has 2 way, I mean you maybe you can execute AS400 commands from the PC but not vice versa.
sory I dont have much information on that, I hope someone else can help
good luck
 
Avatar of Gary Patterson, CISSP
Use RUNRMTCMD CL command with Client Access Incoming Remote Command Service (a REXEC service) for "batch" command execution that does not require a user to be logged on with and active 5250 session from the PC.  Remote Command Service is an optionally-installable component of Client Access, and is documented in the Help files that come with Client Access.  Note that REXEC is an insecure protocol, and user IDs, passwords, and command sent over this service are sent in the clear.

http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/cl/runrmtcmd.htm
http://www-01.ibm.com/support/docview.wss?uid=nas1ac233372383251e886256d98004cb733

You can use the STRPCCMD CL command command from an interactive 5250 session to execute a command on the PC of the current connected user:

http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/cl/strpccmd.htm

- Gary Patterson
I opened 5250 and logged to AS400 but i couldnt get the remote command.
are there any settings on client access for that?
I used the same command line the PC name is PC1 and i have put my shared program on a shared directory on the PC

i ran the follwing from 5250

RUNRMTCMD CMD('\\PC1\shared\print\Release\print.exe')              
       RMTLOCNAME('10.1.119.1' *IP)RMTUSER('faleh') RMTPWD('abkkba00')
                                 
                                                                       
but nothing happened                                                                        
also when the program runs it needs to access an as400 folder
how can i give aspnet account or iuser account on as400 folder????
Is the Incoming Remote Command Service installed and running on the pc 10.1.119.1?  (Administrative Tools - Services)
Is the user id FALEH, password abkkba00 a valid local user ID / password on that PC?

If so, perform this test:

RUNRMTCMD CMD('dir c:\ > c:\rmtcmd.txt') RMTLOCNAME('10.1.119.1' *IP)RMTUSER('faleh') RMTPWD('abkkba00')
and check to see if the file c:\rmtcmd.txt exists.

If it does, then incoming remove command service is up and working.

If you have trouble, you can turn on Incoming Remote Command Tracing in the Client Access For Windows Control Panel application.  On the Diagnostic Tools tab, select 'Detail Trace", and press Properties.  Note the location of the trace file, uncheck "WRAP", and under Components, check "Filtered", press Set FIlter, and select the Incoming Remote Command from the list.  

Once you get back to the Diagnostic Tools tab, select "Start Diagnostic Tools".  This will start Diagnostic Tools in the System Tray.  Right Click the systray icon to see a menu that will allow you to start, stop, and view traces.  Try to run a sample command, and review the trace.  Post the trace results here if you need help. (Edit passwords and user profiles so you don't give away confidential information.)

Once you've confirmed that a basic command works, we now know that you can attach to the PC as local user faleh and run a local command.  

Is PC1 the same machine (10.1.119.1) or a different machine?  If it is the same machine, use a local path:

c:\...\print\Release\print.exe
If it is a different machine, then you probably have an authority problem on PC1.  

Does local user faleh on 10.1.119.1 have rights to this share, and rights to this EXE?  Usually, you'll want to run commands that are local to the system that is running the Incoming Remote Command service.  If these are two different machines, I suggest that you install this PRINT.EXE utility on 10.1.119.1, and try running it locally.  This will eliminate a lot of complexities.

If that is not possible, log onto 10.1.119.1 as local user faleh, open a Command Prompt, and try running

\\PC1\shared\print\Release\print.exe
If it works, then you should be able to get it to work using the Incoming Remote Command service.  If not, you'll need to resolve any authority problems until you can run this manually.  Once it runs manually, try running it through RUNRMTCMD.

As far as authority goes, the easiest way to do this is to create an AS/400 user profile that is the same as the windows profile, and set the password the same on both accounts.  Then grant the desired rights to the AS/400 profile.  When a Windows client connects to the AS/400 Netserver, it will pass the Windows user ID that the process is logged in under to the AS/400.  If an AS/400 profile is found that matches the Windows profile, the password will be passed to Netserver.  If the password matches, access to the NetServer share will be granted.  You have to remember to keep these passwords in sync.

Another alternative is to use NetServer "Guest" support, but this will allow anonymous access to the share, and this may not be acceptable from a security standpoint.

You can find NetServer documentation here:  

http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzahl/rzahlusergoal.htm

- Gary Patterson



Many thanks Gary for the information. the Incoming Remote Command service is working fine and the command works but am getting an error when the program runs about permission of the folder in AS400.

Is user FALEH a valid AS/400 user with the same password on Windows and AS/400?
Does user FALEH have appropriate rights to the AS/400 directory and file to perform whatever operation is required?

Needless to say, if the profile that you are using to execute the remote command doesn't have rights, then you're going to have problems.

Easy to test:

Log on to PC as FALEH, start iSeries Navigator, navigate to AS/400 folder in question, and open or update a file in that folder to verify authority.

- Gary Patterson

faleh is an admin on the PC not on AS400, when launching 5250 the user ID used to execute the command is K111, launches but when trying to read the file from AS400 directory it gives a message that it can not read, i searched the net for the error and it looks like that ASPNET user needs access to the AS400 folder and that can not be done.

i was wondering what user ID is used when the remote command is received from AS400?

do you have another solution?

what i need basically is to launch the EXE program on the windows client machine from AS400 and the EXE program to print a text file from AS400 folder (IFS)
anybody?
anyone can help please about this issue???
¿¿¿¿¿ ¿¿ ¿¿¿¿¿ ¿¿ ¿¿¿¿¿ ¿¿¿ ¿¿¿ "¿¿¿¿" ¿¿¿¿ ¿¿¿¿ ¿¿¿¿¿¿¿ (¿¿ ¿¿¿¿ ¿¿¿¿¿ ¿¿¿ ¿¿¿¿ ¿¿¿¿ ¿¿¿¿ ¿¿¿¿ ¿¿ ¿¿¿¿¿¿ ¿¿¿¿¿ :(
for none Arabic viewers, to add a sense of humor since nobody can help, I just suggested to change FALEH name , it has a  meaning in Arabic which is  like "successful"
 
When you use RUNRMTCMD, the remote (Windows, in this case) user and password specified on the RMTUSR / RMTPWD parameters is used to execute the command.

If the command needs to access an AS/400 IFS directory, then that Windows user will need the ability to access your IFS folder.

There are lots of alternatives:

1) Add a user with the same name (faleh) and password to the AS/400, and grant rights to the needed IFS folder to that user.  Client Access will automatically try to authenticate using the same credentials.

2) Create a BAT file that maps a network drive to the IFS folder that you need to use, followed by the command you want to run.  On the NET USE command, specify a valid AS/400 user ID and password with access to the IFS folder that you want to access.  Good idea to then delete the drive letter you assigned.

NET USE somedrive: \\AS400\sharename\foldername as400password /USER:as400username
c:\somepath\PRINT somedrive:\myfile.txt
NET USE somedrive: /DELETE
Where "somedrive" is a valid, unused drive letter.

3) You can create a NetServer guest profile, and grant that profile rights to the IFS share.  Note that this means that anyone on your network can access this share, so this might not be a good solution of the data needs to be secure.

http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzahq/rzahqguspi.htm

4) Configure the QNTC file system (NetClient) onthe AS/400, and push your file to a Windows share instead of an IFS share.  You can grant whatever rights your Windows users need to the windows folder.

http://www.itjungle.com/fhg/fhg031704-story04.html
http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/ifs/rzaaxqntcfs.htm

- Gary Patterson

Hi,
When i write the command on 5250, i get nothing except the following error appears in event viewer:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          29/03/2010 11:08:10
Event ID:      4776
Task Category: Credential Validation
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      dev-lab.abkuwait.com
Description:
The computer attempted to validate the credentials for an account.

Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:      FALEH
Source Workstation:      DEV-LAB
Error Code:      0xc0000234

although am logged on as domain user with local admin on the same PC
The RUNRMTCMD command executes commands through the Client Access Incoming Remote Command service, which runs as a service, generally under it's own credentials that are generally separate from any interactive user (as a matter of fact, you don't need to have a user signed on in most configurations to use Incoming Remote Command).

There are a number of options, however, and you'll need to take a look at the Incoming Remote Command security settings on your system to understand the various security settings that are available.

(Control Panel - IBM Client Access - Incoming Remote Command tab)
Of course, you'll need to specify your correct Windows password for the FALEH account.  If FALEH is a domain account, you may need to specify:

RMTUSER('domainname\FALEH')
The audit failure could be from several causes.  First verify that you can execute a simple test command like the one I provided before trying to execute a command the accesses network resources or AS/400 IFS resources.

For example, you could be getting an audit failure when the Remove Command service tries to log you in to the local PC with the credentials you supplied.

Or, that could be succeeding (assuming it is a valid local account), and you could be getting an audit failure when trying to access a network resource using local credentials.

Either way, the user ID FALEH is either invalid, or the password you supplied is bad (Windows passwords are case-sensitive.  Did you pass it all in upper case, for example?

- Gary Patterson


are the following configurations right for incoming remote command on IBM client access:
- command mode = normal
- security options = allow generic secuirty

command context options = run as system

when i include the domain in the command it throws an error (error found on RUNRMTCMD command)
am sure of the password supplied

RMTUSER ('Domain\Faleh') RMTPWD ('123123')
What is the specific command that you are running?
ASKER CERTIFIED SOLUTION
Avatar of Gary Patterson, CISSP
Gary Patterson, CISSP
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Gary
many thanks for your help,

it works now, but running in teh background i dont know why??
Glad it is working.

"...it works now, but running in teh background i dont know why??"
I don't understand what you mean by that.

- Gary


i mean the exe program is not appearing on as a form, its working silent.
Yes - that is by design.  That's the way that Incoming Remote Command works - it runs as a service, and spawns incoming commands under the service or in their own hidden window.

That's what I meant earlier when I said:

... The RUNRMTCMD command executes commands through the Client Access  Incoming Remote Command service, which runs as a service, generally  under it's own credentials that are generally separate from any  interactive user (as a matter of fact, you don't need to have a user  signed on in most configurations to use Incoming Remote Command)...
If you want to start an interactive program with a user that is signed onto a green-screen session, you'd typically use STRPCO + STRPCCMD.

RUNRMTCMD is mainly for "batch" Windows commands and scripts.

STRPCO + STRPCCMD is for "interactive" Windows commands when the user is also running an interactive Client Access green-screen session.

- Gary
many thanks my friend
when i use STRPCO i get the following:

client access/400 organizer is already active for device ...

when i use STRPCCMD i get an error box which says:
PCSPCO002 - PCo command processor fails - return code - 740
You can only invoke STRPCO once per login session, after that you get an error.  Always put a MONMSG after STRPCO to trap this error.  Here's a code example:

PCSPPCO002 is thrown when Windows returns an error.  

The Windows return code "740" means "Elevation required":

This is probably a product of Vista's User Access Control (UAC) feature - assuming this is a Vista client.  The command that you are running needs to run under administrative privileges.  Either the Windows account doesn't have local admin rights, or UAC is blocking admin rights.

Either way, you can try running your command from STRPCCMD by wrapping the Windows RUNAS command around your command.  If you have trouble with this approach, you might want to look at this article, and install and use the Elevate Command PowerToy for Vista:

http://technet.microsoft.com/en-us/magazine/2007.06.utilityspotlight.aspx

- Gary Patterson
thanks for the help again