Solved

iSeries Access for Windows - 2 phase authentication

Posted on 2010-09-15
7
817 Views
Last Modified: 2012-06-27
I'm using the iSeries Access for Windows for connection my AS400 machine.
I wanted to know - since the emulator is configured (on the Signon info) to "prompt always", I'm asked for a password first time via the iSeries (some messagebox...) and when getting to the AS400 machine, I get the the login page mode.
so... what is the purpose of the fist authentication? on wc3270 I don't need this authentication phase but I want to know if I miss something.
tx,
s
0
Comment
Question by:Cyber-EE
  • 4
  • 2
7 Comments
 
LVL 34

Expert Comment

by:Gary Patterson
Comment Utility
The iSeries Access prompts for a password on the initial connection to the AS/400, and it caches this connection information.  

If the system is configured to allow users to "bypass logon", and the user's emulator session is similarly configured, then users can be automatically logged on without seeing a green-screen logon screen.

This cached logon information is also used for other purposes, including NetServer access, Navigator access, etc.

Other emulation products don't perform this initial authentication - it is unique to iSeries Access.

- Gary Patterson
0
 
LVL 27

Expert Comment

by:tliotta
Comment Utility
Although the "initial authorization" might not be done, bypassing the "login page" is done by other emulators. The open source TN5250 project will 'bypass signon' if you configure the connection to do so.

The IBM intended purpose of 'bypass signon' is to avoid sending the password in clear-text through the "login page" which, after all, is just a normal display file. The password is instead sent in an encrypted/encoded form to the telnet server. The rise in popularity of ssl or VPN connections has somewhat reduced that issue.

The iSeries Access connection can be configured to 'bypass signon'. However, some sites still force entry through the "login page" which effectively cancels the setting from the PC.

Tom
0
 

Author Comment

by:Cyber-EE
Comment Utility
Hi Gary,
Tx for the good answer.
can you pls give me some more details for how to do what you mentioned:
"If the system is configured to allow users to "bypass logon", and the user's emulator session is similarly configured..."
1. how do i configure the system to allow bypass logon? I'm using the iSeries navigator...
2. how do i allow bypass from the emulator? can I do it from the "Configure PC5250" dialog (when I'm creating new session?) - just check the "bypass signon"?

tx a lot,
s
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 34

Accepted Solution

by:
Gary Patterson earned 500 total points
Comment Utility
Set the Qrmtsign system value to *verify and tick the "bypass signon" button on the emilation session.

Many shops prohibit this practice, since accss to an unlocked workstation allows a user access to the as400 without the need for a user I'd or password.  Use with caution.

http://www.itjungle.com/tfh/tfh081803-story04.html

Gary Patterson
0
 

Author Comment

by:Cyber-EE
Comment Utility
since I'm not familier with the AS400 at all - I just need to know how to set the Qrmtsign system value to *verify.
tx,
s
0
 

Author Comment

by:Cyber-EE
Comment Utility
I found the way to do it...
to whom it may concern:
1. logon to the AS400
2. write the following command: WRKSYSVAL
3. if you have the permissions you will see the system vals...
=> select "QRMTSIGN" and change its value to *VERIFY


see http://www.sans.org/reading_room/whitepapers/basics/as-400-iseries-comprehensive-guide-setting-system-values-common-practice-securi_425
0
 

Author Closing Comment

by:Cyber-EE
Comment Utility
see the last commnet I added - since I know nothing about as400 I only missed how to change system values
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Hello I read in a discussion about a person who configured a very simple mirror RAID with two hard drives; the system and data were on the same partition. He asked how to repair the system as it was not booting up anymore. In his case running …
Windows 10 is here and for most admins this means frustration and challenges getting that first working Windows 10 image. As in my previous sysprep articles, I've put together a simple help guide to get you through this process. The aim is to achiev…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now