iSeries user profiles get disabled.

I have a very weird situation, because every day I receive calls asking me to enable some user profiles, and I have investigated in the history log and I haven't found anything about why those user profiles get disabled. So I would like to know what else I need to check in order to find out why these user profiles get disabled.
0
Apolo Victores
3 Solutions
 
Kent Olsen (Data Warehouse Architect / DBA) commented:
Hi apolov,

Users can become disabled for almost any reason.  Check the system logs to see if the users have triggered an event that has been captured.


Kent
0
 
Dave Ford (Software Developer / Database Administrator) commented:

Usually, user profiles only become disabled when the user tries the wrong password a few times. Try this command to print a spool file of all unsuccessful log-in attempts:

DSPLOG OUTPUT(*PRINT) MSGID(CPF2234)

HTH,
DaveSlash
0
 
Kent Olsen (Data Warehouse Architect / DBA) commented:
Badly stated on my part.  Thanks Dave....
0

 
Gary Patterson (VP Technology / Senior Consultant) commented:
User profiles get disabled due to too many unauthorized signon attempts based on the settings of the QMAXSIGN and MAXSGNACN system values.  

http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=%2Frzaii%2Frzaiimst26.htm

Possible causes:

1) The QMAXSIGN system value is set too low, and users that mis-type their passwords
2) Your system is under attack.
3) A user or a program has cached an old password and repeatedly disables the profile as it attempts to log on automatically.

Questions:

1) What are the current settings for QMAXSIGN and QMAXSGNACN?  (DSPSYSVAL command)
2) How many different profiles are involved?
3) Is it always the same profiles?  
4) How many requests per day?
5) Has the frequency of these requests recently changed?  How so?

After you respond, I'll suggest some specific ways to diagnose and fix.

- Gary Patterson
0
 
tliotta commented:
Assuming you have auditing active, look in QAUDJRN with DSPJRN that includes JRNCDE((T)) ENTTYP(CP) starting after the last time the profile was known to be *ENABLEd. A T/CP entry marks a 'C'hange to a 'P'rofile. When you see a matching journal entry, display the entry details to see what job disabled the profile.

Also, once you know when a profile was disabled, look at all audit journal entries in the seconds just before the T/CP entry. Commonly, there will be one or more T/PW entries showing that incorrect passwords were received by the system. (The job receiving the passwords will be in the entry details.) There may be entries other than T/PW if there were other causes.

Gary's questions are good ones to answer. The answers help guide actions you should take.

Tom
0
 
Apolo Victores (IT Infrastructure Supervisor and Networking Sp., 3M), Author, commented:
QMAXSIGN: 5
QMAXSGNACN: Disable profile
The profiles that are disabled are always part of the administrators.
Usually they are the same profiles, operators or administrators.
And every day I receive the same petitions, 5 petitions to reset the user profile.
Recently I haven't seen any change.

I would like to know how I can check the journal entry (I am so sorry because I am new to this topic), and which JRN RCV should I check?
0
 
tliotta commented:
The basic command to view journal entries is DSPJRN. There is a secondary command on most systems that can be easier (but it can have limitations that make this kind of work more difficult) -- DSPAUDJRNE.

An example of DSPJRN:
DSPJRN JRN(QAUDJRN) RCVRNG(*CURCHAIN) FROMTIME(092111 1000) JRNCDE((T)) ENTTYP(CP)


An example of DSPAUDJRNE:
DSPAUDJRNE ENTTYP(CP) JRNRCV(*CURCHAIN) FROMTIME(092111 1000) OUTPUT(*)


Both of those would list any journal entries from the QAUDJRN system audit journal that had code 'T' and type 'CP' in the current chain of receivers, starting on 09/21/2011 at 10:00 AM. The commands can be prompted to learn more about what parameters are available. The help text describes each parameter. The RCVRNG(*CURCHAIN) parameter was used in the examples, but it might select too many receivers. You could leave that parameter off to see entries that are only in the current receiver.

Usually, the only time you need to know which receivers to look at is when you have to restore old receivers to look at historical data. Sometimes you need to specify receivers because there is just too much data for the command to process quickly.

The DSPJRN command can be used for any kind of entry in any kind of journal. The DSPAUDJRNE command only works for the system audit journal (QAUDJRN in library QSYS).

Tom
0
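The procedure Tom describes in his two answers above (find each T/CP entry for a profile, then look at the T/PW entries in the seconds just before it and note the job that received the bad passwords) can be automated once the journal has been exported. The following is an added example, not code from the thread or from IBM; the CSV layout, its column names, the job names and the timestamps are constructed assumptions, and a real DSPJRN OUTPUT(*OUTFILE) record uses different field names, so the parser would need a column mapping for real data.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real journal data): an operator profile that is
# disabled right after five bad passwords from one FTP server job, and an
# administrator profile changed by an interactive job with no T/PW entries.
SAMPLE_CSV = """timestamp,code,type,job,user,number,program,profile
2011-09-21 10:00:01,T,PW,QTFTP00123,QTCP,345678,QTMFSRVR,OPERATOR1
2011-09-21 10:00:03,T,PW,QTFTP00123,QTCP,345678,QTMFSRVR,OPERATOR1
2011-09-21 10:00:05,T,PW,QTFTP00123,QTCP,345678,QTMFSRVR,OPERATOR1
2011-09-21 10:00:07,T,PW,QTFTP00123,QTCP,345678,QTMFSRVR,OPERATOR1
2011-09-21 10:00:09,T,PW,QTFTP00123,QTCP,345678,QTMFSRVR,OPERATOR1
2011-09-21 10:00:09,T,CP,QTFTP00123,QTCP,345678,QTMFSRVR,OPERATOR1
2011-09-21 11:30:00,T,CP,QPADEV0001,SECOFR,345700,QSYCHGUP,ADMIN2
"""
WINDOW = timedelta(seconds=30)  # how far back to look before each T/CP entry

def parse_entries(text):
    """Read the simplified export; the column names are an assumption here."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S")
    return rows

def correlate(entries, window=WINDOW):
    """For each T/CP entry, count the T/PW entries for the same profile in the
    preceding window, keyed by the job (name, user, number) that sent them."""
    pw = [e for e in entries if (e["code"], e["type"]) == ("T", "PW")]
    findings = []
    for cp in (e for e in entries if (e["code"], e["type"]) == ("T", "CP")):
        sources = defaultdict(int)
        for e in pw:
            if (e["profile"] == cp["profile"]
                    and cp["timestamp"] - window <= e["timestamp"] <= cp["timestamp"]):
                sources[(e["job"], e["user"], e["number"])] += 1
        findings.append({"profile": cp["profile"], "when": cp["timestamp"],
                         "changed_by": (cp["job"], cp["user"], cp["number"]),
                         "bad_password_sources": dict(sources)})
    return findings

def classify(finding):
    """Triage hint: no T/PW entries means an explicit change (inspect changed_by);
    one source is typical of a cached password in a script or service job."""
    n = len(finding["bad_password_sources"])
    if n == 0:
        return "explicit change"
    return "single source" if n == 1 else "multiple sources"
```

A profile that keeps showing up with a single bad-password source is the pattern Tom's later comment describes (a script with a stale password); several sources, or sources outside your own network, is the case Gary treats as an attack.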
 
Gary Patterson (VP Technology / Senior Consultant) commented:
Well, that is definitely an "attack" signature.  Someone is trying to guess administrators' passwords, and is disabling the profiles by making too many attempts.

To supplement Tom's excellent advice regarding using auditing, here are a couple of good references that cover how to configure auditing and how to use the audit journals:

http://www.redbooks.ibm.com/abstracts/sg246668.html
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=%2Frzahg%2Frzahgsecref.htm

Both of these are V5R4.  You should use the Security Reference (second link) that matches the OS version that you are running on your system, as there have been minor enhancements to auditing from version to version.

- Gary Patterson
0
 
tliotta commented:
Be aware that it could also be something like an automated script, e.g., a regular FTP process for administrators that tries to copy some file of system status info or whatever. If administrators regularly change passwords but the scripts don't get changed until after they fail a few times or if they're never changed because nobody remembers to check them, disabling will occur regularly.

Regardless, you definitely need to track the source and fix it. Gary will have good info on procedures to follow. Nothing much I need to add.

Tom
0
 
Gary Patterson (VP Technology / Senior Consultant) commented:
I certainly agree with Tom that this could also be the result of cached passwords someplace, but when we see repeated disabling of privileged profiles (administrators) we treat it as an attack until we know otherwise.  I encourage you to do the same.

A few more questions:

How long has this been happening (how many days in a row?)
Is your AS/400 exposed directly to the internet?
Does your shop require these users (the ones that have been getting repeatedly disabled) to change passwords regularly?
If so, when was the last password change?  Does that password change date correspond to the start of the problem?

- Gary Patterson

0
 
Apolo Victores (IT Infrastructure Supervisor and Networking Sp., 3M), Author, commented:
Thank you!
0
 
Apolo Victores (IT Infrastructure Supervisor and Networking Sp., 3M), Author, commented:
Thank you !!!
0