Solved

iSeries user profiles get disabled.

Posted on 2011-09-21
Medium Priority
5,126 Views
Last Modified: 2012-05-12
I have a very weird situation, because every day I receive calls asking me to enable some user profiles, and I have investigated in the history log and I haven't found any reason why those user profiles get disabled. So I would like to know what else I need to check in order to find out why these user profiles get disabled.
Question by:Apolo Victores
12 Comments
 
LVL 46

Expert Comment

by:Kent Olsen
ID: 36575952
Hi apolov,

Users can become disabled for almost any reason.  Check the system logs to see if the users have triggered an event that has been captured.


Kent
0
 
LVL 18

Expert Comment

by:Dave Ford
ID: 36576023

Usually, user-profiles only become disabled when the user tries the wrong password a few times. Try this command to print a spool-file of all unsuccessful log-in attempts:

DSPLOG OUTPUT(*PRINT) MSGID(CPF2234)

HTH,
DaveSlash
0
 
LVL 46

Expert Comment

by:Kent Olsen
ID: 36576076
Badly stated on my part.  Thanks Dave....
0

 
LVL 35

Accepted Solution

by:
Gary Patterson earned 668 total points
ID: 36576165
User profiles get disabled due to too many unauthorized signon attempts based on the settings of the QMAXSIGN and QMAXSGNACN system values.

http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=%2Frzaii%2Frzaiimst26.htm

Possible causes:

1) The QMAXSIGN system value is set too low, and users mis-type their passwords.
2) Your system is under attack.
3) A user or a program has cached an old password and repeatedly disables the profile as it attempts to log on automatically.

Questions:

1) What are the current settings for QMAXSIGN and QMAXSGNACN?  (DSPSYSVAL command)
2) How many different profiles are involved?
3) Is it always the same profiles?  
4) How many requests per day?
5) Has the frequency of these requests recently changed?  How so?

After you respond, I'll suggest some specific ways to diagnose and fix.

- Gary Patterson
0
 
LVL 27

Assisted Solution

by:tliotta
tliotta earned 1332 total points
ID: 36576329
Assuming you have auditing active, look in QAUDJRN with DSPJRN that includes JRNCDE((T)) ENTTYP(CP) starting after the last time the profile was known to be *ENABLEd. A T/CP entry marks a 'C'hange to a 'P'rofile. When you see a matching journal entry, display the entry details to see what job disabled the profile.

Also, once you know when a profile was disabled, look at all audit journal entries in the seconds just before the T/CP entry. Commonly, there will be one or more T/PW entries showing that incorrect passwords were received by the system. (The job receiving the passwords will be in the entry details.) There may be entries other than T/PW if there were other causes.

Gary's questions are good ones to answer. The answers help guide actions you should take.

Tom
0
 

Author Comment

by:Apolo Victores
ID: 36576616
QMAXSIGN: 5
QMAXSGNACN: Disable profile
The profiles that are disabled are always part of the administrators.
Usually they are the same profiles, operators or administrators.
And every day I receive the same petitions, 5 petitions to reset the user profile.
Recently I haven't seen any change.

I would like to know how I can check the journal entry (I am sorry, because I am new to this topic), and which JRN RCV should I check?
0
 
LVL 27

Assisted Solution

by:tliotta
tliotta earned 1332 total points
ID: 36577502
The basic command to view journal entries is DSPJRN. There is a secondary command on most systems that can be easier (but it can have limitations that make this kind of work more difficult) -- DSPAUDJRNE.

An example of DSPJRN:
DSPJRN JRN(QAUDJRN) RCVRNG(*CURCHAIN) FROMTIME(092111 1000) JRNCDE((T)) ENTTYP(CP)


An example of DSPAUDJRNE:
DSPAUDJRNE ENTTYP(CP) JRNRCV(*CURCHAIN) FROMTIME(092111 1000) OUTPUT(*)


Both of those would list any journal entries from the QAUDJRN system audit journal that had code 'T' and type 'CP' in the current chain of receivers, starting on 09/21/2011 at 10:00 AM. The commands can be prompted to learn more about what parameters are available. The <help> text describes each parameter. The RCVRNG(*CURCHAIN) parameter was used in the examples, but it might select too many receivers. You could leave that parameter off to see entries that are only in the current receiver.

Usually, the only time you need to know which receivers to look at is when you have to restore old receivers to look at historical data. Sometimes you need to specify receivers because there is just too much data for the command to process quickly.

The DSPJRN command can be used for any kind of entry in any kind of journal. The DSPAUDJRNE command only works for the system audit journal (QAUDJRN in library QSYS).

Tom
0
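
The correlation described in the two answers above (find each T/CP entry, then look at the T/PW entries for the same profile in the seconds before it and note which job received the bad passwords) can be scripted once the entries are off the system. This is an added example, not code from any poster in this thread; it assumes the journal entries have been exported to a simplified CSV, and the column layout, profile names and job names in the sample are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: QAUDJRN entries exported to a simplified CSV. The column
# layout, profile names and job names are assumptions made for this example.
SAMPLE = """\
timestamp,code,type,profile,job
2011-09-21 10:14:02,T,PW,ADMIN1,FTPJOB01
2011-09-21 10:14:03,T,PW,ADMIN1,FTPJOB01
2011-09-21 10:14:05,T,PW,ADMIN1,FTPJOB01
2011-09-21 10:14:06,T,PW,ADMIN1,FTPJOB01
2011-09-21 10:14:08,T,PW,ADMIN1,FTPJOB01
2011-09-21 10:14:08,T,CP,ADMIN1,FTPJOB01
2011-09-21 10:20:00,T,PW,OPER2,SIGNON01
2011-09-21 11:02:30,T,CP,ADMIN1,SECADM01
"""


def parse(text):
    """Read the CSV export and return the entries in time order."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
    return sorted(rows, key=lambda row: row["ts"])


def explain_profile_changes(rows, window_seconds=60):
    """For each T/CP entry, count the T/PW entries for the same profile in the
    preceding window, grouped by the job that received the bad passwords."""
    findings = []
    for cp in rows:
        if (cp["code"], cp["type"]) != ("T", "CP"):
            continue
        start = cp["ts"] - timedelta(seconds=window_seconds)
        jobs = Counter(
            r["job"] for r in rows
            if (r["code"], r["type"]) == ("T", "PW")
            and r["profile"] == cp["profile"]
            and start <= r["ts"] <= cp["ts"]
        )
        # An empty count means the change had some cause other than bad passwords.
        findings.append({"profile": cp["profile"], "changed_at": cp["timestamp"],
                         "changed_by_job": cp["job"], "bad_password_jobs": dict(jobs)})
    return findings


if __name__ == "__main__":
    for finding in explain_profile_changes(parse(SAMPLE)):
        print(finding)
```

In the sample, the first T/CP entry is preceded by five T/PW entries from one job, matching the QMAXSIGN value of 5 reported in the thread, while the second has none and so reflects some other profile change.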
 
LVL 35

Expert Comment

by:Gary Patterson
ID: 36580816
Well, that is definitely an "attack" signature.  Someone is trying to guess administrator's passwords, and is disabling the profiles by making too many attempts.

To supplement Tom's excellent advice regarding using auditing, here are a couple of good references that cover how to configure auditing and how to use the audit journals:

http://www.redbooks.ibm.com/abstracts/sg246668.html
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=%2Frzahg%2Frzahgsecref.htm

Both of these are V5R4.  You should use the Security Reference (second link) that matches the OS version that you are running on your system, as there have been minor enhancements to auditing from version to version.

- Gary Patterson
0
 
LVL 27

Expert Comment

by:tliotta
ID: 36582654
Be aware that it could also be something like an automated script, e.g., a regular FTP process for administrators that tries to copy some file of system status info or whatever. If administrators regularly change passwords but the scripts don't get changed until after they fail a few times or if they're never changed because nobody remembers to check them, disabling will occur regularly.

Regardless, you definitely need to track the source and fix it. Gary will have good info on procedures to follow. Nothing much I need to add.

Tom
0
 
LVL 35

Expert Comment

by:Gary Patterson
ID: 36583546
I certainly agree with Tom that this could also be the result of cached passwords someplace, but when we see repeated disabling of privileged profiles (administrators) we treat it as an attack until we know otherwise.  I encourage you to do the same.

A few more questions:

How long has this been happening (how many days in a row?)
Is your AS/400 exposed directly to the internet?
Does your shop require these users (the ones that have been getting repeatedly disabled) to change passwords regularly?
If so, when was the last password change?  Does that password change date correspond to the start of the problem?

- Gary Patterson

0
 

Author Comment

by:Apolo Victores
ID: 36598804
Thank you!
0
 

Author Closing Comment

by:Apolo Victores
ID: 36903258
Thank you !!!
0


Question has a verified solution.
