Solved

Security Issue accessing AS400 from Create!Form

Posted on 2004-10-27
526 Views
Last Modified: 2008-01-09
Currently I am trying to download a spool file from the AS400 so that I can use it in a product called Create!Form. When I access the AS400 from Create!Form I can scroll through the Libraries and Files on the AS400 and select the spool file that I want to download. When I select the GET button to actually transfer the spool file to the Create!Form application, the application tries to connect to the AS400 and then fails, displaying the message "The password was not allowed". We have found a way around this by using the signon QSECOFR, but as you would know we are not big fans of using this method.  We have assumed it is an object authority issue; would anyone have any ideas of where we should be looking?
Question by:jdwan
    23 Comments
     
    LVL 3

    Expert Comment

    by:Mind_nl
    Normally your user profile would only have access to its own spooled files. If you issue the WRKUSRPRF command you can change your profile (option 2) and add *SPLCTL to the 'special authority' list; this should enable the profile to access all spooled files on the system. Good luck!
    LVL 3

    Expert Comment

    by:Mind_nl
    Oh, and press [F10] (additional parameters) in the 'Change User Profile' screen to get to the special authority field.
    LVL 26

    Expert Comment

    by:tliotta
    jdwan:

    Can you clarify? Do you get a prompt from Create!Forms that asks for user and password, and when you enter the password, you get an error message? Or does it simply try to connect using whatever profile you are logged on to the PC with without prompting? (Which would mean you have a QSECOFR profile on the PC/LAN.)

    There have been problems with various remote connections, most often seen with DB2 Connect because it's used in a lot of products. Depending on the OS/400 VRM and the DB2 group PTF on the AS/400, the password may be interpreted in lower- or upper-case. By moving to a new DB2 group level, the password is often properly interpreted.

    Or, it might be attempting to connect via SMB (Windows Network Neighborhood) and the Windows password on the AS/400 is disabled.

    Or... lots of possibilities.

    Can you give a more complete description of what you see? It doesn't sound as if special authority such as *SPLCTL is involved (and such authority should _only_ be given to a profile that _must_ be able to access any spooled file on the system if you want an auditor to be satisfied).

    Tom

    Author Comment

    by:jdwan
    Basically the process is that you enter your AS400 logon details in a TCP/IP setup of the Create!Form application. I entered my own logon details here and the following happened.

    A small box popped up with "Connecting to Host... Please Wait", then another box after this popped up saying "Running REXEC server... Please Wait", then finally a box popped up saying "Connection Successful". Now that I have established a connection with the AS400 I can view each of the output queues on the AS400 and am able to select the actual spool file I want to transfer to my local machine.

    I then select the spool file and there is a button which says "Get". I click this button and it tries to transfer the spool file; a small box popped up with "Connecting to Host... Please Wait", then another box after this popped up saying "The password is not allowed".

    If I go back into the TCP/IP setup and change the logon details from my user profile to that of QSECOFR and then do the above again, it all works fine. When I change these logon details the program is not restarted; there is basically an option in the change TCP/IP setting in the Create!Form application. (i.e. I am logged onto the network as myself, and when trying to access the AS400 via Create!Form I enter the logon details for the AS400 via Create!Form; it doesn't appear to use the Client Access login.)

    So basically, in a nutshell, my user profile can connect to view the spool files but cannot transfer anything; when I use the QSECOFR profile it can view and transfer user profiles.

    I also tried logging on using upper case and lower case passwords and this didn't seem to make any difference to the above problem.

    Also I thought I would give the above comment about the *SPLCTL a go, and this didn't work either. Hope this is enough information for you.

    Jon

    LVL 3

    Expert Comment

    by:Mind_nl
    If you log on with your own user profile, is the profile name for AS/400 the same as for Windows/network? If so, try changing both passwords to be the same. We have some client/server programs running here that will only work if the Windows and AS/400 userid and passwords are identical. The software could be using your Windows password to try to access the AS/400; when logging on as QSECOFR it sees that you are using a different userid than in Windows and does use the correct password. This could be worth a try...
    LVL 26

    Expert Comment

    by:tliotta
    Well, the REXEC connection isn't a host server connection; REXEC is a standard TCP/IP server. For that, there'd be no likelihood that any Windows logon would be involved.

    But the actual file transfer, either of a spooled file directly or a spooled file converted to a stream file, that seems to be a good candidate for a host server function or Netserver. Either of those can be tied to Windows logon.

    First thing to verify -- Are your Windows profile and password the same on the AS/400? Next -- Is your Windows profile disabled on the AS/400?

    You'll know the answer to the first. The answer to the second can be found through OpsNav:

    My Connections->mysystem->Network->Servers->TCP/IP

    Then right-click the iSeries Netserver item and select Disabled User IDs. See if you're on the list and enable if you are.

    If neither is true, then you'll probably either need to synch up your Windows and AS/400 profile and password or create a Netserver guest profile that has authority to do what you need (but be aware that this opens a difficult security hole). You might also ask Create!Forms tech support for their suggestions; they might already have a feature you can enable or have directions you can use that minimize security risks.

    Tom
    LVL 4

    Expert Comment

    by:reginab
    Exactly what is Create!Forms? Is that something you purchased? You should be able to connect using an AS400 driver in some kind of properties file, then you can pass user name and password, or through some kind of macro where you can pass it there.

    Author Comment

    by:jdwan
    Create!Form is a product which can be bought which basically runs from a server and creates nicely formatted reports by overlaying a form over the top of a spool file (report) generated from the AS400.

    In addition to the above comments, as stated before I can connect to the AS400 using the Create!Form product using my own profile; however, when I attempt to download a spool file from the AS400 to the Create!Form product it displays an error message of "password invalid". To get around this, we tried putting in the profile QSECOFR and then downloading the spool file - and this worked fine.

    Since this has all happened, I tried an experiment by changing my profile to have exactly the same authority as QSECOFR and then trying to download the spool file - this was to no avail. With this test it has pretty much proved that the problem is not with the AS400 but with the product Create!Form, a set-up issue no doubt. With this in mind I see no further action required for this question.

    Thank you to all who tried to help me with this problem.

    Jon
    LVL 4

    Expert Comment

    by:reginab
    Well, also it is very unlikely that you could manually adjust your account to match QSECOFR. It is a failsafe account for the machine and has also advanced authority for all objects, which would be very difficult to duplicate I think. Good luck.
    LVL 26

    Expert Comment

    by:tliotta
    Jon:

    I don't see how your last test eliminated the AS/400 and set the fault in Create!Forms. If this process relies upon Netserver and your Netserver access is disabled, then it won't matter if you have the same authority as QSECOFR. While you might have the "authority", you won't be able to "authenticate". Two very different concepts.

    Tom

    Author Comment

    by:jdwan
    The reason I believe it is set up in Create!Form is because I don't have any problems connecting to the AS400 from Create!Form using my user profile; however, when I try to connect to actually download the spool file it won't let me. (It only allows QSECOFR to download spool files - any profile can view the OUTQs.) This has me thinking that there is an authority setting in Create!Form which needs to be set to allow certain users to be able to download spool files. I just need to find this setting.
    I don't believe my Netserver access is disabled, because if I want to view the OUTQs from Create!Form using my profile I can do so; therefore there is no problem actually connecting to the AS400 with my profile, it is just when I am trying to download the spool file using my profile.
    LVL 4

    Expert Comment

    by:reginab
    Are these spool files under your user profile? Because if not, you would have to go into the other users and allow access to your user from there, again an admin function on the 400. Or you would have to send them to your user profile spool file.

    Author Comment

    by:jdwan
    No, the spool files are under all the available OUTQs; you can view all spool files for each user for the OUTQ as well. Also, I do have *SPLCTL authority on my profile.
    LVL 26

    Expert Comment

    by:tliotta
    And that's my point. (1) You can create a connection under your profile, (2) you have *SPLCTL and (3) you can't download.

    Therefore, (1) you are entering a valid profile and password. And (2) you have sufficient authority. But (3) your download capability has _possibly_ been disabled.

    So, have you verified that your Netserver capability hasn't been disabled? Since the function works under QSECOFR, we know that at least one profile exists that has not been disabled for Netserver downloads if Netserver is the transport; and since QSECOFR is probably not defined for LAN/network logons, there might be a Netserver GUEST profile that can be used. But GUEST would not be used for a user who has matching Windows and AS/400 profiles.

    Tom

    Author Comment

    by:jdwan
    Contacted CREATE! International and they said to ensure that the user profile had Special Authority of *ALLOBJ and *SPLCTL; however, this did not solve the problem.

    Also the netserver capability has not been disabled, still not sure what the problem is.
    LVL 26

    Expert Comment

    by:tliotta
    jdwan:

    Next time you connect with your profile, before attempting to download, run a WRKOBJLCK command on the AS/400 for your user profile.

     ==>  wrkobjlck yourprofilename *usrprf

    Please let us know what job names show a lock for you. This will give us an idea what server functions are being used. Apparently REXEC is being contacted, but that might just create some files for Create!Forms to access later or...

    Do you know if there are any Create!Forms functions that get installed on the AS/400?

    Tom

    Author Comment

    by:jdwan
    When I do the WRKOBJLCK command the output is:

    Opt  Job          User      Lock     Status   Scope   Thread
         JMDPRD1      JMDWAN    *SHRRD   HELD     *JOB
                                *SHRRD   HELD     *JOB
                                *SHRRD   HELD     *JOB
         QTRXC00070   QTCP      *SHRRD   HELD     *JOB
                                *SHRRD   HELD     *JOB
                                *SHRRD   HELD     *JOB

    However, this is only when I connect to view; when I try to connect to actually transfer the spool file it does actually connect, so a job doesn't appear.

    Is this what you meant?
    LVL 26

    Expert Comment

    by:tliotta
    jdwan:

    The QTRXCxxxxx job is the REXEC server. So far, so good. Now, we need a way to determine which job handles transfers. The easiest way is through your system audit journal, but you'll have to turn auditing on to do this if it's not already on.

    In particular, I think you'll want your QAUDLVL system value to include *JOBDTA and *SECURITY. Also, of course, all the basic auditing configuration needs to be done. This is easiest through the CHGSECAUD command if needed. If auditing is active, then all you need is to set the system value.

    Once set, you can review entries in the audit journal to see what actions happened. For us, we'll first be interested in which servers are accepting the logons and acting on behalf of Create!Forms. Or if a Create!Forms server was installed, we'll also see that it is acting on behalf of QSECOFR when it makes transfer requests.

    The first reason we want to see this is because we want to see the joblog of the related server to see what errors it encounters. It says there's a problem with your password but includes no useful info. The audit journal will point us to the server and the server joblog will have clues.

    (It might be necessary to change the server's settings so it logs the errors.)

    Tom

    Author Comment

    by:jdwan
    Have since found out that this only works with QSECOFR; as you would understand, this is very frustrating, to have to use this profile for this.

    Thanks for your help.
    LVL 26

    Expert Comment

    by:tliotta
    jdwan:

    In general, this would be possible _if_ a CreateForms application program was explicitly doing some kind of authority check outside of standard object authority under OS/400. For example, it _could_ have logic something like:

       if ( &user *eq 'QSECOFR' ) then(do)
            /* seton accessflag */ ...
       enddo
       else do
            /* retrieve authority info */ ...
            if ( authority checks out ) then(do)
                /* seton accessflag */ ...
            enddo
       enddo

    That is, when QSECOFR comes through the program, access is granted by the application. When some other profile comes through, the program looks in a file or retrieves some info from some object such as an authorization list, and decides whether to allow access. Only if the application's access flag is turned on will the program work.

    Okay, that _can_ be done in program logic, but I would expect CreateForm's user guide or administrator guide to have a section on how to set up users.

    If there is no such section, then CreateForm's support group needs to get on this. QSECOFR is ridiculous. Personally, I prefer writing applications that explicitly _exclude_ QSECOFR.

    Whatever little detail is getting in the way, only CreateForm support can track down. It's their job and you've paid for it.

    Tom
    LVL 4

    Expert Comment

    by:reginab
    Amen Tom. In fact I think the minimum it should do is an auth list, otherwise it is not really a 400-compatible app. And then that means they took your money, man. Good luck :)
    LVL 26

    Accepted Solution

    by:
    Clarification:

    Authorization lists can be used (at least) two different ways. The first way is simply as intended. An authorization list is created, it is associated with a group of objects and users are added to the list. OS/400 object security handles pretty much everything from there.

    The other way is more subtle though certainly valid. This is mostly what I referred to previously as a way an application can implement some security outside of normal object security. In this case, an authorization list is created and users are added to it but it's not associated with any objects.

    The application programs would then explicitly verify authority via the Retrieve Users Authorized to an Object (QSYRTVUA) or Retrieve User Authority to Object (QSYRUSRA) APIs or something similar. If the user showed up as authorized, the program/application continues; otherwise it sends an *ESCAPE message or whatever.

    In that scenario, the authorization list acts simply as an application data store for security info. It works well when properly implemented. It uses a standard OS/400 object, an *AUTL, that should be recognized by everyone. Interfaces to the application's security are the normal, everyday OS/400 interfaces to *AUTLs.

    But it _can_ be screwed up by poor documentation or poor application logic. Because those are _possibilities_, it has to be considered for this question.

    Tom

     
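    As an added illustration of the second pattern described above (a standalone *AUTL used purely as an application access list, checked through QSYRUSRA), here is a CL fragment that is not from the thread and not Create!Form's own code. It assumes an authorization list named CFUSERS, created with *PUBLIC *EXCLUDE and never attached to any object, and it fails closed when the current user is not on that list instead of special-casing QSECOFR.

```cl
/* Added example, not from the thread or from Create!Form.               */
/* Pattern: an *AUTL named CFUSERS (assumed name) is created with        */
/*   CRTAUTL AUTL(CFUSERS) AUT(*EXCLUDE) and never attached to objects;  */
/*   users who may transfer spooled files are added with ADDAUTLE.       */
/* The program asks QSYRUSRA what authority the current user holds to    */
/* the *AUTL object itself and refuses to continue on *EXCLUDE, instead  */
/* of special-casing QSECOFR.                                            */
             PGM
             DCL        VAR(&RCVVAR)  TYPE(*CHAR) LEN(64)
             /* Receiver length as a 4-byte binary value: X'40' = 64    */
             DCL        VAR(&RCVLEN)  TYPE(*CHAR) LEN(4) VALUE(X'00000040')
             /* Error code with bytes provided = 0: the API signals      */
             /* failures as *ESCAPE messages, caught by MONMSG below     */
             DCL        VAR(&ERRCODE) TYPE(*CHAR) LEN(8) VALUE(X'00000000')
             DCL        VAR(&OBJAUT)  TYPE(*CHAR) LEN(10)

             /* Retrieve User Authority to Object, format USRA0100.      */
             /* Qualified object name is 20 bytes: object (10) +         */
             /* library (10); authorization lists always live in QSYS.   */
             CALL       PGM(QSYRUSRA) PARM(&RCVVAR &RCVLEN 'USRA0100' +
                          'CFUSERS   QSYS      ' '*AUTL' '*CURRENT' +
                          &ERRCODE)
             MONMSG     MSGID(CPF0000) EXEC(DO)
               /* List missing or not readable: fail closed              */
               SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                            MSGDTA('Access denied: cannot check CFUSERS')
             ENDDO

             /* USRA0100: the object authority field is the 10 bytes at  */
             /* offset 8, i.e. %SST position 9. Values are *ALL,         */
             /* *CHANGE, *USE, *EXCLUDE, *USER DEF or *AUTL.             */
             CHGVAR     VAR(&OBJAUT) VALUE(%SST(&RCVVAR 9 10))

             IF         COND(&OBJAUT *EQ '*EXCLUDE') THEN(DO)
               SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                            MSGDTA('Access denied: user not on CFUSERS')
             ENDDO

             /* Any other value: the user is on the list (or holds       */
             /* *ALLOBJ, which OS/400 reports as *ALL). The spooled-file */
             /* transfer logic would follow here.                        */
             ENDPGM
```

    Because the list is a normal *AUTL, who may transfer is administered with ADDAUTLE/RMVAUTLE and reviewed with DSPAUTL like any other OS/400 security object, and the *ESCAPE messages land in the job log where the thread's troubleshooting was looking for them.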
    LVL 14

    Expert Comment

    by:daveslater
    No comment has been added lately, so it's time to clean up this TA.
    I will leave a recommendation in the Cleanup topic area that this question is:

    Accept tliotta comment as answer

    Please leave any comments here within the next four days.

    PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
    daveslater
    Page Editor
