Solved

iSeries user profiles get disabled.

Posted on 2011-09-21
12
4,584 Views
Last Modified: 2012-05-12
I have a very weird situation, because every day I receive calls asking me to enable some user profiles, and I have investigated in the history log and I haven't found anything about why those user profiles get disabled. So I would like to know what else I need to check in order to find out why these user profiles get disabled.
0
Question by:Apolo Victores
12 Comments
 
LVL 45

Expert Comment

by:Kent Olsen
ID: 36575952
Hi apolov,

Users can become disabled for almost any reason.  Check the system logs to see if the users have triggered an event that has been captured.


Kent
0
 
LVL 18

Expert Comment

by:Dave Ford
ID: 36576023

Usually, user-profiles only become disabled when the user tries the wrong password a few times. Try this command to print a spool-file of all unsuccessful log-in attempts:

DSPLOG OUTPUT(*PRINT) MSGID(CPF2234)

HTH,
DaveSlash
0
 
LVL 45

Expert Comment

by:Kent Olsen
ID: 36576076
Badly stated on my part.  Thanks Dave....
0
 
LVL 35

Accepted Solution

by:
Gary Patterson earned 167 total points
ID: 36576165
User profiles get disabled due to too many unauthorized signon attempts based on the settings of the QMAXSIGN and MAXSGNACN system values.  

http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=%2Frzaii%2Frzaiimst26.htm

Possible causes:

1) The QMAXSIGN system value is set too low, and users mis-type their passwords.
2) Your system is under attack.
3) A user or a program has cached an old password and repeatedly disables the profile as it attempts to log on automatically.

Questions:

1) What are the current settings for QMAXSIGN and QMAXSGNACN?  (DSPSYSVAL command)
2) How many different profiles are involved?  
3) Is it always the same profiles?  
4) How many requests per day?
5) Has the frequency of these requests recently changed?  How so?

After you respond, I'll suggest some specific ways to diagnose and fix.

- Gary Patterson
0
 
LVL 27

Assisted Solution

by:tliotta
tliotta earned 333 total points
ID: 36576329
Assuming you have auditing active, look in QAUDJRN with DSPJRN that includes JRNCDE((T)) ENTTYP(CP) starting after the last time the profile was known to be *ENABLEd. A T/CP entry marks a 'C'hange to a 'P'rofile. When you see a matching journal entry, display the entry details to see what job disabled the profile.

Also, once you know when a profile was disabled, look at all audit journal entries in the seconds just before the T/CP entry. Commonly, there will be one or more T/PW entries showing that incorrect passwords were received by the system. (The job receiving the passwords will be in the entry details.) There may be entries other than T/PW if there were other causes.

Gary's questions are good ones to answer. The answers help guide actions you should take.

Tom
0
 

Author Comment

by:Apolo Victores
ID: 36576616
QMAXSIGN: 5
QMAXSGNACN: Disable profile
The profiles that are disabled are always part of the administrators.
Usually they are the same profiles, operators or administrators.
And every day I receive the same petitions, 5 petitions to reset the user profile.
Recently I haven't seen any change.

I would like to know how I can check the journal entry? (I am so sorry because I am new in this topic) and which JRN RCV should I check?
0
 
LVL 27

Assisted Solution

by:tliotta
tliotta earned 333 total points
ID: 36577502
The basic command to view journal entries is DSPJRN. There is a secondary command on most systems that can be easier (but it can have limitations that make this kind of work more difficult) -- DSPAUDJRNE.

An example of DSPJRN:
DSPJRN JRN(QAUDJRN) RCVRNG(*CURCHAIN) FROMTIME(092111 1000) JRNCDE((T)) ENTTYP(CP)
An example of DSPAUDJRNE:
DSPAUDJRNE ENTTYP(CP) JRNRCV(*CURCHAIN) FROMTIME(092111 1000) OUTPUT(*)
Both of those would list any journal entries from the QAUDJRN system audit journal that had code 'T' and type 'CP' in the current chain of receivers, starting on 09/21/2011 at 10:00 AM. The commands can be prompted to learn more about what parameters are available. The <help> text describes each parameter. The RCVRNG(*CURCHAIN) parameter was used in the examples, but it might select too many receivers. You could leave that parameter off to see entries that are only in the current receiver.

Usually, the only time you need to know which receivers to look at is when you have to restore old receivers to look at historical data. Sometimes you need to specify receivers because there is just too much data for the command to process quickly.

The DSPJRN command can be used for any kind of entry in any kind of journal. The DSPAUDJRNE command only works for the system audit journal (QAUDJRN in library QSYS).

Tom
0
 
LVL 35

Expert Comment

by:Gary Patterson
ID: 36580816
Well, that is definitely an "attack" signature.  Someone is trying to guess administrators' passwords, and is disabling the profiles by making too many attempts.

To supplement Tom's excellent advice regarding using auditing, here are a couple of good references that cover how to configure auditing and how to use the audit journals:

http://www.redbooks.ibm.com/abstracts/sg246668.html
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=%2Frzahg%2Frzahgsecref.htm

Both of these are V5R4.  You should use the Security Reference (second link) that matches the OS version that you are running on your system, as there have been minor enhancements to auditing from version to version.

- Gary Patterson
0
 
LVL 27

Expert Comment

by:tliotta
ID: 36582654
Be aware that it could also be something like an automated script, e.g., a regular FTP process for administrators that tries to copy some file of system status info or whatever. If administrators regularly change passwords but the scripts don't get changed until after they fail a few times or if they're never changed because nobody remembers to check them, disabling will occur regularly.

Regardless, you definitely need to track the source and fix it. Gary will have good info on procedures to follow. Nothing much I need to add.

Tom
0
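Tom's two pieces of advice above, looking at the T/PW entries logged in the seconds before each T/CP entry and telling a regularly failing automated job apart from someone guessing passwords, can be done for every disabled profile at once with a small correlation script. The following is an added example for this thread, not code posted by any participant. It assumes the QAUDJRN entries have already been exported from the system and reduced to a timestamp, entry type, profile and job; the record layout and every timestamp, profile and job name are constructed for illustration and are not the real QAUDJRN outfile format.

```python
"""Correlate audit-journal profile-disable entries (T/CP) with the invalid-
password entries (T/PW) logged in the seconds before them.

Added example for this thread, not code from any participant. Assumes the
QAUDJRN entries were exported and reduced to the four fields used here. The
layout and all values are CONSTRUCTED; this is not the real outfile format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample entries, all journal code 'T':
# (timestamp, entry type, user profile, qualified job number/user/name)
SAMPLE_ENTRIES = [
    # ADMIN1: five bad passwords from one FTP server job at 06:00 each day,
    # followed by the CP entry that records the disable (QMAXSIGN was 5).
    ("2011-09-19 06:00:01", "PW", "ADMIN1", "123401/QTCP/QTFTP00101"),
    ("2011-09-19 06:00:01", "PW", "ADMIN1", "123401/QTCP/QTFTP00101"),
    ("2011-09-19 06:00:02", "PW", "ADMIN1", "123401/QTCP/QTFTP00101"),
    ("2011-09-19 06:00:02", "PW", "ADMIN1", "123401/QTCP/QTFTP00101"),
    ("2011-09-19 06:00:03", "PW", "ADMIN1", "123401/QTCP/QTFTP00101"),
    ("2011-09-19 06:00:03", "CP", "ADMIN1", "123401/QTCP/QTFTP00101"),
    ("2011-09-20 06:00:01", "PW", "ADMIN1", "123577/QTCP/QTFTP00101"),
    ("2011-09-20 06:00:01", "PW", "ADMIN1", "123577/QTCP/QTFTP00101"),
    ("2011-09-20 06:00:02", "PW", "ADMIN1", "123577/QTCP/QTFTP00101"),
    ("2011-09-20 06:00:02", "PW", "ADMIN1", "123577/QTCP/QTFTP00101"),
    ("2011-09-20 06:00:03", "PW", "ADMIN1", "123577/QTCP/QTFTP00101"),
    ("2011-09-20 06:00:03", "CP", "ADMIN1", "123577/QTCP/QTFTP00101"),
    # OPER1: a night-time burst from several different server jobs.
    ("2011-09-20 02:13:05", "PW", "OPER1", "200001/QUSER/QZSOSIGN"),
    ("2011-09-20 02:13:06", "PW", "OPER1", "200002/QUSER/QZSOSIGN"),
    ("2011-09-20 02:13:06", "PW", "OPER1", "200044/QTCP/QTFTP00220"),
    ("2011-09-20 02:13:07", "PW", "OPER1", "200003/QUSER/QZSOSIGN"),
    ("2011-09-20 02:13:08", "PW", "OPER1", "200045/QTCP/QTFTP00221"),
    ("2011-09-20 02:13:08", "CP", "OPER1", "200045/QTCP/QTFTP00221"),
    # USER7: a profile change with no bad passwords before it; only the job
    # in the CP entry itself says who made the change.
    ("2011-09-20 09:30:00", "CP", "USER7", "210000/ADMIN1/QPADEV0003"),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def job_source(job):
    """Drop the job number so one job is recognised across days:
    '123401/QTCP/QTFTP00101' -> 'QTCP/QTFTP00101'."""
    return job.split("/", 1)[1]


def disable_events(entries, window_seconds=60):
    """For every CP entry, collect the PW entries for the same profile that
    were logged within window_seconds before it."""
    events = []
    for ts, etype, profile, job in entries:
        if etype != "CP":
            continue
        when = parse_ts(ts)
        failures = [pjob for pts, ptype, pprofile, pjob in entries
                    if ptype == "PW" and pprofile == profile
                    and 0 <= (when - parse_ts(pts)).total_seconds() <= window_seconds]
        events.append({"profile": profile, "when": when, "disabled_by": job,
                       "failed_attempts": len(failures),
                       "sources": sorted({job_source(j) for j in failures})})
    return events


def same_time_of_day(events, tolerance_seconds=300):
    """True when all disables of a profile fall within a few minutes of the
    same clock time: the fingerprint of a scheduled job."""
    secs = [e["when"].hour * 3600 + e["when"].minute * 60 + e["when"].second
            for e in events]
    return max(secs) - min(secs) <= tolerance_seconds


def classify(events):
    """Per profile, separate the three situations discussed in the thread."""
    by_profile = defaultdict(list)
    for event in events:
        by_profile[event["profile"]].append(event)
    verdicts = {}
    for profile, evs in by_profile.items():
        sources = set().union(*(e["sources"] for e in evs))
        if not sources:
            verdicts[profile] = "no failed passwords nearby: check the job named in the CP entry"
        elif len(sources) == 1 and same_time_of_day(evs):
            verdicts[profile] = "one source at the same time each day: look for a scheduled job or cached password"
        else:
            verdicts[profile] = "several sources or irregular timing: treat as password guessing until shown otherwise"
    return verdicts


if __name__ == "__main__":
    for e in disable_events(SAMPLE_ENTRIES):
        print(e["when"], e["profile"], e["failed_attempts"], "bad passwords from",
              e["sources"] or [e["disabled_by"]])
    for profile, verdict in classify(disable_events(SAMPLE_ENTRIES)).items():
        print(profile, "->", verdict)
```

The number of PW entries found before each CP entry should match the QMAXSIGN value reported earlier in the thread (5); a lower count means the window was too short or some attempts were logged against a different profile name. The "one source" verdict only says where to look next (the job's user and name); whether that job belongs to a monitoring script with a stale password or to something else still has to be confirmed on the system.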
 
LVL 35

Expert Comment

by:Gary Patterson
ID: 36583546
I certainly agree with Tom that this could also be the result of cached passwords someplace, but when we see repeated disabling of privileged profiles (administrators) we treat it as an attack until we know otherwise.  I encourage you to do the same.

A few more questions:

How long has this been happening (how many days in a row?)
Is your AS/400 exposed directly to the internet?
Does your shop require these users (the ones that have been getting repeatedly disabled) to change passwords regularly?  
If so, when was the last password change?  Does that password change date correspond to the start of the problem?

- Gary Patterson

0
 

Author Comment

by:Apolo Victores
ID: 36598804
Thank you!
0
 

Author Closing Comment

by:Apolo Victores
ID: 36903258
Thank you !!!
0

Question has a verified solution.