Solved

Security Issue accessing AS400 from Create!Form

Posted on 2004-10-27
Medium Priority
564 Views
Last Modified: 2008-01-09
Currently I am trying to download a spool file from the AS400 so that I can use it in a product called Create!Form. When I access the AS400 from Create!Form I can scroll through the libraries and files on the AS400 and select the spool file that I want to download. When I select the GET button to actually transfer the spool file to the Create!Form application, the application tries to connect to the AS400 and then fails, displaying the message "The password was not allowed". We have found a way around this by using the signon QSECOFR, but as you would know we are not big fans of using this method. We have assumed it is an object authority issue; would anyone have any ideas of where we should be looking?
Question by: jdwan
24 Comments
 
Expert Comment by Mind_nl (LVL 3), ID: 12433923
Normally your user profile would only have access to its own spooled files. If you issue the WRKUSRPRF command you can change your profile (option 2) and add *SPLCTL to the 'special authority' list; this should enable the profile to access all spooled files on the system. Good luck!

Expert Comment by Mind_nl (LVL 3), ID: 12433943
Oh, and press [F10] (additional parameters) in the 'Change User Profile' screen to get to the special authority field.

Expert Comment by tliotta (LVL 27), ID: 12437377
jdwan:

Can you clarify? Do you get a prompt from Create!Forms that asks for user and password, and when you enter the password, you get an error message? Or does it simply try to connect using whatever profile you are logged on to the PC with without prompting? (Which would mean you have a QSECOFR profile on the PC/LAN.)

There have been problems with various remote connections, most often seen with DB2 Connect because it's used in a lot of products. Depending on the OS/400 VRM and the DB2 group PTF on the AS/400, the password may be interpreted in lower- or upper-case. By moving to a new DB2 group level, the password is often properly interpreted.

Or, it might be attempting to connect via SMB (Windows Network Neighborhood) and the Windows password on the AS/400 is disabled.

Or... lots of possibilities.

Can you give a more complete description of what you see? It doesn't sound as if special authority such as *SPLCTL is involved (and such authority should _only_ be given to a profile that _must_ be able to access any spooled file on the system if you want an auditor to be satisfied).

Tom

Author Comment by jdwan, ID: 12439583
Basically the process is that you enter your AS400 logon details in a TCP/IP setup of the Create!Form application. I entered my own logon details here and the following happened.

A small box popped up with "Connecting to Host... Please Wait", then another box after this popped up saying "Running REXEC server... Please Wait", then finally a box pops up saying "Connection Successful". Now I have established a connection with the AS400 I can view each of the output queues on the AS400 and am able to select the actual spool file I want to transfer to my local machine.

I then select the spool file and there is a button which says "Get". I click this button and it tries to transfer the spool file; a small box popped up with "Connecting to Host... Please Wait", then another box after this popped up saying "The password is not allowed".

If I go back into the TCP/IP setup and change the logon details from my user profile to that of QSECOFR and then do the above again, it all works fine. When I change these logon details the program is not restarted; there is basically an option in the change TCP/IP setting in the Create!Form application. (I.e. I am logged onto the network as myself, and when trying to access the AS400 via Create!Form I enter the logon details for the AS400 via Create!Form; it doesn't appear to use the Client Access login.)

So basically in a nutshell, my user profile can connect to view the spool files, but cannot transfer anything; when I use the QSECOFR profile it can view and transfer user profiles.

I also tried logging on with upper case and lower case passwords and this didn't seem to make any difference to the above problem.

Also I thought I would give the above comment about *SPLCTL a go, and this didn't work either. Hope this is enough information for you.

Jon

Expert Comment by Mind_nl (LVL 3), ID: 12441911
If you log on with your own user profile, is the profile name for AS/400 the same as for Windows/network? If so, try changing both passwords to be the same. We have some client/server programs running here that will only work if the Windows and AS/400 user ID and passwords are identical. The software could be using your Windows password to try to access the AS/400; when logging on as QSECOFR it sees that you are using a different user ID than in Windows and uses the correct password. This could be worth a try...

Expert Comment by tliotta (LVL 27), ID: 12447958
Well, the REXEC connection isn't a host server connection; REXEC is a standard TCP/IP server. For that, there'd be no likelihood that any Windows logon would be involved.

But the actual file transfer, either of a spooled file directly or a spooled file converted to a stream file, that seems to be a good candidate for a host server function or Netserver. Either of those can be tied to Windows logon.

First thing to verify -- Are your Windows profile and password the same on the AS/400? Next -- Is your Windows profile disabled on the AS/400?

You'll know the answer to the first. The answer to the second can be found through OpsNav:

My Connections->mysystem->Network->Servers->TCP/IP

Then right-click the iSeries Netserver item and select Disabled User IDs. See if you're on the list and enable if you are.

If neither is true, then you'll probably either need to synch up your Windows and AS/400 profile and password or create a Netserver guest profile that has authority to do what you need (but be aware that this opens a difficult security hole). You might also ask Create!Forms tech support for their suggestions; they might already have a feature you can enable or have directions you can use that minimize security risks.

Tom

Expert Comment by reginab (LVL 4), ID: 12493603
Exactly what is Create!Forms? Is that something you purchased? You should be able to connect using an AS400 driver in some kind of properties file; then you can pass user name and password, or through some kind of macro where you can pass it there.

Author Comment by jdwan, ID: 12552244
Create!Form is a product which can be bought which basically runs from a server and creates nicely formatted reports by overlaying a form over the top of a spool file (report) generated from the AS400.

In addition to the above comments, as stated before I can connect to the AS400 using the Create!Form product using my own profile; however when I attempt to download a spool file from the AS400 to the Create!Form product it displays an error message of "password invalid". To get around this I tried putting in the profile QSECOFR and then downloading the spool file, and this worked fine.

Since this has all happened, I tried an experiment by changing my profile to have exactly the same authority as QSECOFR and then trying to download the spool file; this was to no avail. This test has pretty much proved that the problem is not with the AS400 but with the product Create!Form, a set-up issue no doubt. With this in mind I see no further action required for this question.

Thank you to all who tried to help me with this problem.

Jon

Expert Comment by reginab (LVL 4), ID: 12554329
Well, also it is very unlikely that you could manually adjust your account to match the QSECOFR. It is a failsafe account for the machine and has also advanced authority for all objects, which would be very difficult to duplicate I think. Good luck.

Expert Comment by tliotta (LVL 27), ID: 12558928
Jon:

I don't see how your last test eliminated the AS/400 and set the fault in Create!Forms. If this process relies upon Netserver and your Netserver access is disabled, then it won't matter if you have the same authority as QSECOFR. While you might have the "authority", you won't be able to "authenticate". Two very different concepts.

Tom

Author Comment by jdwan, ID: 12560355
The reason I believe it is set up in Create!Form is because I don't have any problems connecting to the AS400 from Create!Form using my user profile; however when I try to connect to actually download the spool file it won't let me (only QSECOFR is allowed to download spool files; any profile can view the OUTQs). This makes me think that there is an authority setting in Create!Form which needs to be set to allow certain users to be able to download spool files. I just need to find this setting.
I don't believe my Netserver access is disabled, because if I want to view the OUTQs from Create!Form using my profile I can do so; therefore there is no problem actually connecting to the AS400 with my profile, it is just when I am trying to download the spool file using my profile.

Expert Comment by reginab (LVL 4), ID: 12560430
Are these spool files under your user profile? Because if not, you would have to go into the other users and allow access to your user from there, again an admin function on the 400. Or you would have to send them to your user profile spool file.

Author Comment by jdwan, ID: 12560515
No, the spool files are under all the available OUTQs; you can view all spool files for each user for the OUTQ as well. Also I do have *SPLCTL authority on my profile.

Expert Comment by tliotta (LVL 27), ID: 12569285
And that's my point. (1) You can create a connection under your profile, (2) you have *SPLCTL and (3) you can't download.

Therefore, (1) you are entering a valid profile and password. And (2) you have sufficient authority. But (3) your download capability has _possibly_ been disabled.

So, have you verified that your Netserver capability hasn't been disabled? Since the function works under QSECOFR, we know that at least one profile exists that has not been disabled for Netserver downloads if Netserver is the transport; and since QSECOFR is probably not defined for LAN/network logons, there might be a Netserver GUEST profile that can be used. But GUEST would not be used for a user who has matching Windows and AS/400 profiles.

Tom

Author Comment by jdwan, ID: 12677870
Contacted CREATE! International and they said to ensure that the user profile had Special Authority of *ALLOBJ and *SPLCTL; however this did not solve the problem.

Also the netserver capability has not been disabled, still not sure what the problem is.

Expert Comment by tliotta (LVL 27), ID: 12678395
jdwan:

Next time you connect with your profile, before attempting to download, run a WRKOBJLCK command on the AS/400 for your user profile.

 ==>  wrkobjlck yourprofilename *usrprf

Please let us know what job names show a lock for you. This will give us an idea what server functions are being used. Apparently REXEC is being contacted, but that might just create some files for Create!Forms to access later or...

Do you know if there are any Create!Forms functions that get installed on the AS/400?

Tom

Author Comment by jdwan, ID: 12678502
When I do the WRKOBJLCK command the output is:

Opt   Job           User        Lock      Status    Scope    Thread
      JMDPRD1       JMDWAN      *SHRRD    HELD      *JOB
                                *SHRRD    HELD      *JOB
                                *SHRRD    HELD      *JOB
      QTRXC00070    QTCP        *SHRRD    HELD      *JOB
                                *SHRRD    HELD      *JOB
                                *SHRRD    HELD      *JOB

However this is only when I connect to view; when I try to connect to actually transfer the spool file it does actually connect so a job doesn't appear.

Is this what you meant?

Expert Comment by tliotta (LVL 27), ID: 12679359
jdwan:

The QTRXCxxxxx job is the REXEC server. So far, so good. Now, we need a way to determine which job handles transfers. The easiest way is through your system audit journal, but you'll have to turn auditing on to do this if it's not already on.

In particular, I think you'll want your QAUDLVL system value to include *JOBDTA and *SECURITY. Also, of course, all the basic auditing configuration needs to be done. This is easiest through the CHGSECAUD command if needed. If auditing is active, then all you need is to set the system value.

Once set, you can review entries in the audit journal to see what actions happened. For us, we'll first be interested in which servers are accepting the logons and acting on behalf of Create!Forms. Or if a Create!Forms server was installed, we'll also see that it is acting on behalf of QSECOFR when it makes transfer requests.

The first reason we want to see this is because we want to see the joblog of the related server to see what errors it encounters. It says there's a problem with your password but includes no useful info. The audit journal will point us to the server and the server joblog will have clues.

(It might be necessary to change the server's settings so it logs the errors.)

Tom

Author Comment by jdwan, ID: 13009623
Have since found out that this only works with QSECOFR; as you would understand, this is very frustrating to have to use this profile for this.

Thanks for your help.

Expert Comment by tliotta (LVL 27), ID: 13017146
jdwan:

In general, this would be possible _if_ a CreateForms application program was explicitly doing some kind of authority check outside of standard object authority under OS/400. For example, it _could_ have logic something like:

   if ( &user *eq 'QSECOFR' )  +
        /* seton accessflag */ ...
   else do
        /* retrieve authority info */ ...
        if ( authority checks out ) +
            /* seton accessflag */ ...
   enddo

That is, when QSECOFR comes through the program, access is granted by the application. When some other profile comes through, the program looks in a file or retrieves some info from some object such as an authorization list, and decides whether to allow access. Only if the application's access flag is turned on will the program work.

Okay, that _can_ be done in program logic, but I would expect CreateForm's user guide or administrator guide to have a section on how to set up users.

If there is no such section, then CreateForm's support group needs to get on this. QSECOFR is ridiculous. Personally, I prefer writing applications that explicitly _exclude_ QSECOFR.

Whatever little detail is getting in the way, only CreateForm support can track down. It's their job and you've paid for it.

Tom

Expert Comment by reginab (LVL 4), ID: 13017770
Amen Tom, in fact I think the minimum it should do is an auth list; otherwise it is not really a 400-compatible app. And then that means they took your money, man. Good luck :)

Accepted Solution by tliotta (LVL 27, earned 2000 total points), ID: 13019526
Clarification:

Authorization lists can be used (at least) two different ways. The first way is simply as intended. An authorization list is created, it is associated with a group of objects and users are added to the list. OS/400 object security handles pretty much everything from there.

The other way is more subtle though certainly valid. This is mostly what I referred to previously as a way an application can implement some security outside of normal object security. In this case, an authorization list is created and users are added to it but it's not associated with any objects.

The application programs would then explicitly verify authority via the Retrieve Users Authorized to an Object (QSYRTVUA) or Retrieve User Authority to Object (QSYRUSRA) APIs or something similar. If the user showed up as authorized, the program/application continues; otherwise it sends an *ESCAPE message or whatever.

In that scenario, the authorization list acts simply as an application data store for security info. It works well when properly implemented. It uses a standard OS/400 object, an *AUTL, that should be recognized by everyone. Interfaces to the application's security are the normal, everyday OS/400 interfaces to *AUTLs.

But it _can_ be screwed up by poor documentation or poor application logic. Because those are _possibilities_, it has to be considered for this question.

Tom
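As an added illustration of the second pattern Tom describes (and of the "access flag" logic in his earlier comment), here is a CL program that gates an application function on an *AUTL used purely as a security data store, checked through QSYRUSRA. This is example code, not the thread's or Create!Form's; the list name APPAUTL, the requirement that it exist in QSYS with *PUBLIC *EXCLUDE, and the message text are assumptions.

```cl
/* Added example, not code from the thread or from Create!Form:        */
/* gate an application function on membership in an authorization list */
/* that protects no objects; the list itself is the access record.     */
/* Assumptions (made up for this example): *AUTL APPAUTL exists in     */
/* QSYS with *PUBLIC *EXCLUDE, and permitted users are added to it     */
/* with ADDAUTLE.                                                      */
PGM
  DCL VAR(&RCVVAR) TYPE(*CHAR) LEN(64)
  DCL VAR(&RCVLEN) TYPE(*CHAR) LEN(4) VALUE(X'00000040') /* 64 bytes */
  DCL VAR(&ERRCDE) TYPE(*CHAR) LEN(8) VALUE(X'0000000000000000')
  DCL VAR(&OBJAUT) TYPE(*CHAR) LEN(10)
  DCL VAR(&USER)   TYPE(*CHAR) LEN(10)

  RTVJOBA CURUSER(&USER)

  /* Retrieve User Authority to Object (QSYRUSRA), format USRA0100,   */
  /* for the current user against the *AUTL object itself.            */
  /* Bytes provided = 0 in the error code, so API failures (e.g. the  */
  /* list does not exist) arrive as escape messages and cannot be     */
  /* mistaken for "authorized".                                       */
  CALL PGM(QSYS/QSYRUSRA) PARM(&RCVVAR &RCVLEN 'USRA0100' +
       'APPAUTL   QSYS      ' '*AUTL' '*CURRENT' &ERRCDE)

  /* USRA0100: the object authority value is the CHAR(10) at offset 8 */
  /* (*ALL, *CHANGE, *USE, *EXCLUDE, USER DEF).                       */
  CHGVAR VAR(&OBJAUT) VALUE(%SST(&RCVVAR 9 10))

  /* A user with no entry on the list inherits *PUBLIC, i.e. *EXCLUDE. */
  /* Caveat: a profile with *ALLOBJ special authority (QSECOFR among   */
  /* them) is reported as *ALL, so it always passes this check.        */
  IF COND(&OBJAUT *EQ '*EXCLUDE') THEN(DO)
     SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
        MSGDTA('User' *BCAT &USER *BCAT +
        'is not authorized to the spooled file transfer function')
  ENDDO

  /* Authorized: the protected function (the transfer) would run here. */
  SNDPGMMSG MSG('Access granted to' *BCAT &USER) MSGTYPE(*COMP)
ENDPGM
```

Administration of who may use the function is then ordinary ADDAUTLE/RMVAUTLE and DSPAUTL against APPAUTL, with no application-specific security file to audit.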

Expert Comment by daveslater (LVL 14), ID: 13175375
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

Accept tliotta comment as answer

Please leave any comments here within the next four days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
daveslater
Page Editor