Solved

iSeries user profiles get disabled.

Posted on 2011-09-21
3,949 Views
Last Modified: 2012-05-12
I have a very weird situation, because every day I receive calls asking me to enable some user profiles, and I have investigated the history log and I haven't found anything about why those user profiles get disabled. So I would like to know what else I need to check in order to find out why these user profiles get disabled.
Question by:Apolo Victores
12 Comments
 
LVL 45

Expert Comment

by:Kdo
ID: 36575952
Hi apolov,

Users can become disabled for almost any reason.  Check the system logs to see if the users have triggered an event that has been captured.


Kent
0
 
LVL 18

Expert Comment

by:daveslash
ID: 36576023

Usually, user profiles only become disabled when the user tries the wrong password a few times. Try this command to print a spool file of all unsuccessful log-in attempts:

DSPLOG OUTPUT(*PRINT) MSGID(CPF2234)

HTH,
DaveSlash
0
 
LVL 45

Expert Comment

by:Kdo
ID: 36576076
Badly stated on my part.  Thanks Dave....
0
 
LVL 34

Accepted Solution

by:
Gary Patterson earned 167 total points
ID: 36576165
User profiles get disabled due to too many unauthorized signon attempts based on the settings of the QMAXSIGN and QMAXSGNACN system values.

http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=%2Frzaii%2Frzaiimst26.htm

Possible causes:

1) The QMAXSIGN system value is set too low for users that mis-type their passwords.
2) Your system is under attack.
3) A user or a program has cached an old password and repeatedly disables the profile as it attempts to log on automatically.

Questions:

1) What are the current settings for QMAXSIGN and QMAXSGNACN?  (DSPSYSVAL command)
2) How many different profiles are involved?
3) Is it always the same profiles?  
4) How many requests per day?
5) Has the frequency of these requests recently changed?  How so?

After you respond, I'll suggest some specific ways to diagnose and fix.

- Gary Patterson
0
 
LVL 27

Assisted Solution

by:tliotta
tliotta earned 333 total points
ID: 36576329
Assuming you have auditing active, look in QAUDJRN with DSPJRN that includes JRNCDE((T)) ENTTYP(CP) starting after the last time the profile was known to be *ENABLEd. A T/CP entry marks a 'C'hange to a 'P'rofile. When you see a matching journal entry, display the entry details to see what job disabled the profile.

Also, once you know when a profile was disabled, look at all audit journal entries in the seconds just before the T/CP entry. Commonly, there will be one or more T/PW entries showing that incorrect passwords were received by the system. (The job receiving the passwords will be in the entry details.) There may be entries other than T/PW if there were other causes.

Gary's questions are good ones to answer. The answers help guide actions you should take.

Tom
0
 

Author Comment

by:Apolo Victores
ID: 36576616
QMAXSIGN: 5
QMAXSGNACN: Disable profile
The profiles that are disabled are always part of the administrators.
Usually they are the same profiles, operators or administrators.
And every day I receive the same petitions, 5 petitions to reset the user profiles.
Recently I haven't seen any change.

I would like to know how I can check the journal entry (I am so sorry, because I am new to this topic), and which JRN RCV should I check?
0
 
LVL 27

Assisted Solution

by:tliotta
tliotta earned 333 total points
ID: 36577502
The basic command to view journal entries is DSPJRN. There is a secondary command on most systems that can be easier (but it can have limitations that make this kind of work more difficult) -- DSPAUDJRNE.

An example of DSPJRN:
DSPJRN JRN(QAUDJRN) RCVRNG(*CURCHAIN) FROMTIME(092111 1000) JRNCDE((T)) ENTTYP(CP)


An example of DSPAUDJRNE:
DSPAUDJRNE ENTTYP(CP) JRNRCV(*CURCHAIN) FROMTIME(092111 1000) OUTPUT(*)


Both of those would list any journal entries from the QAUDJRN system audit journal that had code 'T' and type 'CP' in the current chain of receivers, starting on 09/21/2011 at 10:00 AM. The commands can be prompted to learn more about what parameters are available. The <help> text describes each parameter. The RCVRNG(*CURCHAIN) parameter was used in the examples, but it might select too many receivers. You could leave that parameter off to see entries that are only in the current receiver.

Usually, the only time you need to know which receivers to look at is when you have to restore old receivers to look at historical data. Sometimes you need to specify receivers because there is just too much data for the command to process quickly.

The DSPJRN command can be used for any kind of entry in any kind of journal. The DSPAUDJRNE command only works for the system audit journal (QAUDJRN in library QSYS).

Tom
0
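Once the T/CP and T/PW entries have been pulled from QAUDJRN with the DSPJRN or DSPAUDJRNE commands shown above, the remaining work is the correlation Tom describes: for each profile change, find the bad-password entries for that profile in the seconds before it and read off the job that sent them. The script below automates that step. It is an added example for this thread, not code posted by anyone in it. It assumes the journal entries have been exported to a CSV with the columns shown (for instance with DSPJRN JRN(QAUDJRN) JRNCDE((T)) ENTTYP(CP PW) OUTPUT(*OUTFILE) and a query over the outfile; the real outfile field names differ, so the column mapping is yours to supply), and every sample row is constructed. The single-source versus multi-source label is a heuristic built from the two explanations already given in the thread (a job retrying a stale cached password, or someone guessing), not an IBM i feature.

```python
"""Correlate QAUDJRN profile-change (T/CP) entries with the password-failure
(T/PW) entries that precede them, and summarise the source jobs.

Added example for this thread. Input is assumed to be a CSV export of the
audit journal with the columns below; the real DSPJRN outfile field names
differ, so map them when you export. All sample rows are constructed.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
# "the seconds just before the T/CP entry": how far back to look for T/PW.
LOOKBACK = timedelta(seconds=60)

# Constructed sample: one profile hammered by a single FTP batch job
# (stale password), one hit from several interactive jobs (guessing),
# and one CP entry that is the operator re-enabling a profile.
SAMPLE_EXPORT = """\
timestamp,code,type,job,jobuser,jobnumber,profile,detail
2011-09-21 06:00:01,T,PW,QTFTP00123,QTCP,412345,OPERADM,P
2011-09-21 06:00:02,T,PW,QTFTP00123,QTCP,412345,OPERADM,P
2011-09-21 06:00:03,T,PW,QTFTP00123,QTCP,412345,OPERADM,P
2011-09-21 06:00:04,T,PW,QTFTP00123,QTCP,412345,OPERADM,P
2011-09-21 06:00:05,T,PW,QTFTP00123,QTCP,412345,OPERADM,P
2011-09-21 06:00:05,T,CP,QTFTP00123,QTCP,412345,OPERADM,DISABLE
2011-09-21 09:58:40,T,PW,QPADEV0004,QUSER,418802,SECADM1,P
2011-09-21 09:58:52,T,PW,QPADEV0009,QUSER,418811,SECADM1,P
2011-09-21 09:59:03,T,PW,QPADEV0011,QUSER,418815,SECADM1,P
2011-09-21 09:59:20,T,PW,QPADEV0013,QUSER,418820,SECADM1,P
2011-09-21 09:59:31,T,PW,QPADEV0013,QUSER,418820,SECADM1,P
2011-09-21 09:59:31,T,CP,QPADEV0013,QUSER,418820,SECADM1,DISABLE
2011-09-21 10:15:00,T,CP,QPADEV0002,SECOFF,418901,OPERADM,ENABLE
"""


def job_name(row):
    """Fully qualified job name, the form you would hand to WRKJOB."""
    return f'{row["jobnumber"]}/{row["jobuser"]}/{row["job"]}'


def parse_export(text):
    """Parse the CSV export into dicts sorted by timestamp (stable sort, so
    entries logged in the same second keep their journal order)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.strptime(row["timestamp"], TS_FORMAT)
    rows.sort(key=lambda r: r["ts"])
    return rows


def correlate_disables(rows, lookback=LOOKBACK):
    """For each T/CP entry, gather the same profile's entries from the
    lookback window before it and summarise who sent bad passwords."""
    findings = []
    for i, cp in enumerate(rows):
        if (cp["code"], cp["type"]) != ("T", "CP"):
            continue
        window_start = cp["ts"] - lookback
        prior = [r for r in rows[:i]
                 if r["profile"] == cp["profile"] and r["ts"] >= window_start]
        pw = [r for r in prior if r["type"] == "PW"]
        findings.append({
            "profile": cp["profile"],
            "changed_at": cp["ts"],
            "change": cp["detail"],
            "changed_by_job": job_name(cp),
            "password_failures": len(pw),
            # distinct jobs that supplied a wrong password, with counts
            "failure_sources": dict(Counter(job_name(r) for r in pw)),
            # anything other than T/PW in the window is reported as well
            "other_entry_types": dict(Counter(r["type"] for r in prior
                                              if r["type"] != "PW")),
        })
    return findings


def classify(finding):
    """Heuristic from the thread's two explanations: one job retrying a
    stale password versus several jobs guessing. A single source is a
    lead, not proof; a privileged profile is still treated as under
    attack until the job is identified."""
    if finding["password_failures"] == 0:
        return "no preceding password failures"
    if len(finding["failure_sources"]) == 1:
        return "single source: check that job for a cached or stale password"
    return "multiple sources: treat as password guessing"


if __name__ == "__main__":
    for f in correlate_disables(parse_export(SAMPLE_EXPORT)):
        print(f'{f["changed_at"]} {f["profile"]:<8} {f["change"]:<8} '
              f'by {f["changed_by_job"]}: {f["password_failures"]} bad '
              f'passwords from {list(f["failure_sources"])} -> {classify(f)}')
```

Widen LOOKBACK if the failures are spread out (a script retrying once an hour will not show up in a 60-second window), and note that the operator's own re-enable shows up as a T/CP entry with no preceding T/PW, which is why the script reports the change type rather than assuming every CP entry is a disable.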
 
LVL 34

Expert Comment

by:Gary Patterson
ID: 36580816
Well, that is definitely an "attack" signature.  Someone is trying to guess administrator's passwords, and is disabling the profiles by making too many attempts.

To supplement Tom's excellent advice regarding using auditing, here are a couple of good references that cover how to configure auditing and how to use the audit journals:

http://www.redbooks.ibm.com/abstracts/sg246668.html
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=%2Frzahg%2Frzahgsecref.htm

Both of these are V5R4.  You should use the Security Reference (second link) that matches the OS version that you are running on your system, as there have been minor enhancements to auditing from version to version.

- Gary Patterson
0
 
LVL 27

Expert Comment

by:tliotta
ID: 36582654
Be aware that it could also be something like an automated script, e.g., a regular FTP process for administrators that tries to copy some file of system status info or whatever. If administrators regularly change passwords but the scripts don't get changed until after they fail a few times or if they're never changed because nobody remembers to check them, disabling will occur regularly.

Regardless, you definitely need to track the source and fix it. Gary will have good info on procedures to follow. Nothing much I need to add.

Tom
0
 
LVL 34

Expert Comment

by:Gary Patterson
ID: 36583546
I certainly agree with Tom that this could also be the result of cached passwords someplace, but when we see repeated disabling of privileged profiles (administrators) we treat it as an attack until we know otherwise.  I encourage you to do the same.

A few more questions:

How long has this been happening (how many days in a row?)
Is your AS/400 exposed directly to the internet?
Does your shop require these users (the ones that have been getting repeatedly disabled) to change passwords regularly?
If so, when was the last password change?  Does that password change date correspond to the start of the problem?

- Gary Patterson

0
 

Author Comment

by:Apolo Victores
ID: 36598804
Thank you!
0
 

Author Closing Comment

by:Apolo Victores
ID: 36903258
Thank you !!!
0
