CHG128PWD       CHANGE 128 PASSWORD                    TAASEKK

      *********************************************************
      *                                                       *
      *  The CHG128PWD tool has been created, but             *
      *    requires changes on your part. A test program      *
      *    is also created for demonstration purposes.        *
      *    See the implementation section.                    *
      *                                                       *
      *********************************************************

 The Change  128  Password command  is intended  for those  environments
 using 128  byte passwords where a  change to a user  password should be
 replicated on one or more systems.

 Instead  of using  the normal CHGUSRPRF  command to  change a password,
 the change would  be made  using CHG128PWD.   This allows the  password
 to be captured,  masked, and sent to a target system  where it would be
 unmasked and applied by the companion command CHG128PWD2.

      *********************************************************
      *                                                       *
      *  You must have the TAA Productivity Tools product     *
      *    on each system that will either originate          *
      *    a password change or be the target system to       *
      *    be changed.                                        *
      *                                                       *
      *********************************************************

 The  normal  method of  sending  the command  would  be by  the  use of
 SBMRMTCMD which is part  of DDM support.   Other alternatives are  also
 possible such as journaling and FTP.

 A typical command on the originating system would be:

       CHG128PWD   USRPRF(xxxx) PASSWORD(yyyy) PWDEXP(*SAME)

 The  change can  also  be  made using  the  CHGPWD  command.   See  the
 special instructions for this.

 The passwords are not shown in the job log.

 The CL  programs must be modified to provide  a unique 'secret code' to
 assist in  masking  the passwords  and  to remove  some  testing  code.
 Once you have  made the modifications  and created your version  of the
 programs,  the source  and  the programs  should  be kept  in  a secure
 library.    See  the  later discussion  on  modifications  and security
 considerations.

 The password can  contain upper or  lower case and special  characters.
 The  PASSWORD  parameter  is  defined  as 'mixed  case'.    Any  quotes
 entered in the parameter are considered to be part of the password.

 The  password must  meet the  password rules  assigned to  each system.
 If not, CPI22AE is issued.  Use DSPPWDA to see the existing rules.

 CHG128PWD Command parameters                         *CMD
 ----------------------------

 The CHG128PWD  command should  be entered  on  the originating  system.
 It will change the  password and use a user  specified method to submit
 the CHG128PWD2  command to a target system.   A typical method would be
 to use the DDM command SBMRMTCMD.

    USRPRF        The user profile to be modified.

    PASSWORD      The password to  be assigned.   A password  can be  up
                  to 128 characters  in length and can contain  upper or
                  lower  case  and  special  characters.   The  PASSWORD
                  parameter  is  defined as  'mixed  case'.   Any quotes
                  entered in  the parameter  are considered  to be  part
                  of the password.

    PWDEXP        Whether the  password should be  set to expired.   The
                  default  is  *SAME.    A  *YES  or  *NO  may  also  be
                  specified.

    CHGUSRPRF     A *YES/*NO parameter  for whether  to change the  user
                  profile on the source system.

                  *YES is the default to change the password.

                  *NO may  be specified  if a  different method  is used
                  for changing  the password.  For  example, *NO is used
                  when the  password is  changed  by the  system  CHGPWD
                  command and  the exit  program (TAASEKKC3) is  called.


 CHG128PWD2 Command parameters                         *CMD
 -----------------------------

 The  CHG128PWD2  command  is  to  be  run  on  a target  system.    The
 CHG128PWD  command  must  send  the CHG128PWD2  command  to  the target
 system.  CHG128PWD2  should not be used  directly as it expects  masked
 input for the password parameter.

    USRPRF        The user profile to be modified.

    MSKPWD        The  password   to  be  assigned.     As  passed  from
                  CHG128PWD,  the masked password is up  to 256 bytes of
                  hex data.

    PWDLEN        The length of  the masked  password.   This should  be
                  entered as a 3 byte character field.

    PWDEXP        Whether the  password should be  set to expired.   The
                  default  is  *SAME.    A  *YES  or  *NO  may  also  be
                  specified.


 Restrictions
 -------------

 Capturing the password  to be  sent to  a target  system requires  that
 you do not use  the system supplied CHGUSRPRF command.   Passwords must
 be  changed by the  CHG128PWD command.   See also the  instructions for
 allowing  the  user  to  change the  passwords  via  the  system CHGPWD
 command.

 Prerequisites
 -------------

 The following TAA Tools must be on your system:

      ADJAPOST     Adjust apostrophes
      CVTFRMHEX    Convert from hex
      CVTHEX       Convert to hex
      OR           Or bytes together
      SCNVARRGT    Scan variable right
      SCRAMBLE     Scramble bytes
      SNDCOMPMSG   Send completion message
      SNDDIAGMSG   Send diagnostic message
      SNDESCINF    Send escape information
      SNDESCMSG    Send escape message
      UNADOPT      Unadopt

 Implementation
 --------------

 The tool  is created  so that  you can  test  the concept  on a  single
 system.   You must  make changes  and re-create the  tool to  cause the
 function  to  work  on a  target  system.   See  the  later  section on
 modifying the CL programs.

 If you are planning  to use the SBMRMTCMD,  you must also consider  DDM
 security.  See the section on 'DDM Considerations.'

 Demonstration and Testing
 -------------------------

 To demonstrate the function  and test it on a  single system, a special
 program  is provided  to work  with the  code  as is  shipped.   Do the
 following to test the tool before making any modifications:

   1.   Sign on  as  the  Security  Officer   or  a  user  with   *ALLOBJ
        authority.

   2.   Use a test  profile and change  the password using the  TAA Tool
        CHG128PWD command:

            CHG128PWD   USRPRF(xxxx) PASSWORD(yyyy)

   3.   The  code  as  shipped  for  CHG128PWD  executes  the  CHGUSRPRF
        command  to  change the  specified parameters.   It  also builds
        the CHG128PWD2  command and  places  it in  the TSTCHG128P  data
        area in  TAASECURE.  The CHG128PWD2 command  includes the masked
        password  as hex data.  The data  is scrambled and combined with
        a 'secret code'.   You may  display the command  which has  been
        created by:

            DSPDTAARA   DTAARA(TAASECURE/TSTCHG128P)

   4.   Using the system  command CHGUSRPRF, change the  password of the
        same  profile to  some other value.   This  will allow  the next
        step to reset the password as entered on CHG128PWD.

            CHGUSRPRF   USRPRF(xxxx) PASSWORD(zzzz)

   5.   Call the test program in TAASECURE:

            CALL        PGM(TAASECURE/TAASEKKC8)

        The program  should  respond  with messages  that  describe  the
        previous steps  and a  completion message  that states that  the
        password has been changed by the TAA CHG128PWD2 command.

   6.   Sign on  to the profile  with the  password that you  assigned in
        Step 2.   This  should  prove that  the password  is being properly
        unmasked and changed.

 If you want  to change  the password using  the system CHGPWD  command,
 there are  additional steps.  See  the section on 'Use  with the CHGPWD
 command'.

 You  may want  to use the  same approach  to test  the modifications to
 the CL programs for  your 'secret code'  described in the next  section
 before you  attempt to send the  CHG128PWD2 command to  another system.
 This  will  ensure  that  the  same  'secret  code'  is  used  in  both
 programs.  After this step is  working, you could modify the  TAASEKKC2
 program to send  the CHG128PWD2 command  to a target system  and remove
 the  special  test  code  that  updates  the TSTCHG128P  data  area  in
 TAASECURE.  See the next section.

 Modifying the CL programs
 -------------------------

 The   TAASEKKC  and  TAASEKKC2  programs  must  be  modified.    Before
 modifying the  programs, it  is recommended  that you  create a  unique
 library  for  the  source  that   will  be  modified.    Then  use  the
 CRTTAASRCF command to create QATTxxx source files in the library:

        CRTTAASRCF   LIB(xxxx)

 Use  the  CPYTAA2 command  to  copy the  source  for the  tool  to your
 library.

        CPYTAA2    TOOL(CHG128PWD) TOLIB(xxx)

 Both the CL programs  (TAASEKKC and TAASEKKC2) need  to be modified  to
 supply your own unique version of the 'secret code'.

 Use SEU to modify the source:

         STRSEU      SRCFILE(xxx/QATTCL) SRCMBR(TAASEKKC)

 The SECRET  variable is  declared at  the beginning  of the program  as
 128  bytes in  length.  Scan  for SECRETCODE  until you see  the CHGVAR
 command that sets the value.

 When the password is entered on  CHG128PWD, the length of the  password
 value is determined.   Based on the length of the  password value, only
 the first n  characters of the 'secret code' are  used to help mask the
 data.    Therefore,  you need  only  make  changes within  the  first n
 characters of  the 'secret code'  based on  a typical maximum  password
 length that  is entered.  For  example, if a typical  maximum length of
 your  passwords is  25  bytes, the  'secret code'  need not  be changed
 after position 25.

 Change one  or more  of the  secret code  characters.   After you  have
 changed the value, end  SEU (do not attempt to  create anything at this
 time).

 Use SEU to modify the source for the second program:

         STRSEU      SRCFILE(xxx/QATTCL) SRCMBR(TAASEKKC2)

 Since  both programs must agree  on the 'secret code'  a good technique
 would be to use the  SEU split screen to  copy the CHGVAR command  from
 TAASEKKC to TAASEKKC2.  After you have made the change, end SEU.

 At  this point  it is  recommended  that you  create  the tool  without
 making any  further modifications and try the  demonstration program as
 described in the previous section.  Use CRTTAATOOL:

            CRTTAATOOL    TOOL(CHG128PWD)  SRCLIB(xxx)

 Use  a  password that  will cover  what you  consider  to be  a typical
 maximum length someone would  use.  This will ensure that  the programs
 are both using the same 'secret code'.
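 As an added illustration (not the tool's own CL source), the following
 Python models the mask/unmask flow described above for CHG128PWD and
 CHG128PWD2: MSKPWD as hex data, PWDLEN as a 3-byte character field, and
 the rule that only the first n bytes of the 'secret code' take part, which
 is why both programs must agree within the length of your longest password.
 The XOR combine and the SECRET value are assumptions; the shipped SCRAMBLE,
 OR and CVTHEX steps are not reproduced.

```python
# Added illustration, not TAA Tools code: a minimal model of the CHG128PWD ->
# CHG128PWD2 mask/unmask flow.  The shipped CL uses the SCRAMBLE, OR and CVTHEX
# tools with a 128-byte SECRET variable; those steps are not reproduced here.
# A single XOR against the secret stands in for "combined with a secret code",
# which is enough to show the properties the text describes.

MAX_PWD = 128
# Constructed stand-in for the 128-byte 'secret code'; not the shipped value.
SECRET = (b"change-this-secret-code!" * 6)[:MAX_PWD]


def mask_password(password: str, secret: bytes = SECRET) -> tuple[str, str]:
    """Return (MSKPWD, PWDLEN) in the shape CHG128PWD passes to CHG128PWD2.

    Only the first len(password) bytes of the secret take part, which is why
    the text says the secret need only differ within the first n positions.
    MSKPWD is hex, so a 128-byte password gives 256 bytes of hex data, and
    PWDLEN is the masked length as a 3-byte character field (e.g. "025").
    """
    raw = password.encode("latin-1")  # a real job would use its CCSID (EBCDIC)
    if not 1 <= len(raw) <= MAX_PWD:
        raise ValueError("password must be 1 to 128 bytes")
    if len(secret) < MAX_PWD:
        raise ValueError("secret must be 128 bytes")
    masked = bytes(p ^ s for p, s in zip(raw, secret[: len(raw)]))
    return masked.hex().upper(), f"{len(masked):03d}"


def unmask_password(mskpwd: str, pwdlen: str, secret: bytes = SECRET) -> str:
    """Recover the password on the target system; needs the same secret."""
    n = int(pwdlen)
    masked = bytes.fromhex(mskpwd)
    if len(masked) != n:
        raise ValueError("PWDLEN does not match the length of MSKPWD")
    raw = bytes(m ^ s for m, s in zip(masked, secret[:n]))
    return raw.decode("latin-1")


def secrets_agree(secret_a: bytes, secret_b: bytes, typical_max_len: int) -> bool:
    """What the demonstration test exercises: the two programs' secrets must
    agree in every position a password of typical_max_len bytes can reach."""
    return secret_a[:typical_max_len] == secret_b[:typical_max_len]


if __name__ == "__main__":
    # Quotes are part of the password, as the PASSWORD parameter description says.
    msk, ln = mask_password("Mixed Case 'quoted' pw!")
    print(f"MSKPWD={msk} PWDLEN={ln}")
    print(unmask_password(msk, ln))
```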

 Now try  the demonstration test  as described in the  previous section.

 After  this test is complete,  you must modify the  TAASEKKC program to
 send the CHG128PWD2 command to one  or more remote systems.  A  typical
 solution would  be to use  DDM via  the SBMRMTCMD command.   If  DDM is
 used (it  is not the only solution), the  TAASEKKC program must also be
 modified to specify the DDM  file name to be  used for SBMRMTCMD.   Use
 SEU as described earlier to modify TAASEKKC.   See the discussion at
 about statement 180 of the TAASEKKC source member.

 After you  have modified the  source, you should re-create  the tool as
 follows:

            CRTTAATOOL    TOOL(CHG128PWD)  SRCLIB(xxx)

 It  is important that you  protect your secret codes.   See the section
 on Security considerations.

 There is  no  reason for  you to  write  down your  secret  code in  an
 offline place.   If you  have to recreate  the programs, you can  use a
 different 'secret code'.

 Good  practice would be to save your  secure library, secure the media,
 and then delete  the secure  library.   This will provide  a backup  if
 the objects are damaged.

 You must have  the TAA Productivity Tools product on  each system where
 a change originates and on each target system where it is applied.

 Use with CHGPWD command
 -----------------------

 The system  supports the CHGPWD command to allow  an end user to change
 his password.   System support  allows an Fx  key to  access CHGCMD  on
 some displays or  you may include the command  in a user program.   The
 system may  also be used to  force a user to change  his password after
 n  days.   See the  QPWDEXPITV system  value.  CHGUSRPRF  also supports
 PWDEXP(*YES), which  can be  used  to force  a user to change  his
 password the next time he signs on.

 When CHGPWD  is used, the system  supports an optional exit  program to
 ensure  that the password meets  a specific system's rules.   This exit
 program can  also be  used to  capture the  password to  send  it to  a
 target system.

 A  program  (TAASEKKC3) is  provided  to  do  this.   As  the  Security
 Officer,  you must change the  system value QPWDVLDPGM  to specify that
 the registration facility will be used to define the exit program:

            CHGSYSVAL     SYSVAL(QPWDVLDPGM) VALUE(*REGFAC)

 Then use WRKREGINF.  When the screen appears, roll up to:

            QIBM_QSY_VLD_PASSWRD

 Use option 8 (Work with exit programs).

 When the display appears, enter:

              Option            1 (to add)
              Exit program      TAASEKKC3
              Library           TAATOOL

 TAASEKKC3 exists in TAATOOL  and is owned by  the Security Officer  and
 adopts his profile.  This allows access to the TAASECURE library.

 When  the user  changes  his password  with  CHGPWD, the  exit  program
 TAASEKKC3  will be  called.  It  invokes the  CHG128PWD command.   This
 will  cause  the same  function as  if  CHG128PWD was  invoked directly
 except that the  CHGUSRPRF function  is not done  (it has already  been
 done by the system).

 DDM considerations
 ------------------

 The  DDM User's  Guide  describes  how the  SECURELOC  parameter in  the
 remote  system's configuration  controls  which user  profile will  be
 used on  the remote system.   If SECURELOC(*YES) is  specified, the
 command will  be run  by the  same  user profile  and no  security
 considerations should exist.

 If  SECURELOC(*NO) is specified,  the command must  be run by  the user
 specified for the DDM job.   To allow a  single user profile to  change
 the passwords for  any user will  probably cause a  security violation.
 A program  written to adopt  the security officer's profile  can be used
 to  accept  a string  and execute  it.   To  prevent this  program from
 being used in a  non-secure manner, you should provide  some technique
 to prevent misuse.

 A  solution would  be to  use a  CALL command  to your  program  on the
 target  system  instead of  the CHG128PWD2  with  SBMRMTCMD.   Pass the
 same list of  values.  The  program on the  target system would  accept
 the  parameters and  pass  the  same list  to  a  second program  which
 adopts  the security  officer profile.   The  second program  could use
 the TAA command  RTVPGMSTK and  ensure that  it is only  called by  the
 program you intended.

 Security considerations
 -----------------------

 The  code  is  written  to  attempt  to  minimize  security  exposures.
 However,  because the programs  and the  submitted command are  the key
 to determining what the passwords are, there is always an exposure.

 For  example,  there  is nothing  to  prevent an  authorized  user from
 saving the TAASECURE library and  taking it to another system  where he
 can analyze  the information as the  Security Officer.   While it would
 not  be  easy  to  determine  what  is  being  done,  it  would not  be
 impossible.

 There is  nothing to  prevent  an unauthorized  user from  reading  the
 documentation about this tool.

 Unless you are  willing to assume a  risk of this type,  you should not
 implement CHG128PWD.

 You can  reduce the risk somewhat by saving  the source files to secure
 media and deleting them from the system.

 The sensitive  objects  (the  CL  programs  which  contain  the  secret
 codes)  are placed  in  the private  library  TAASECURE.   The  Product
 Library  for the  CHG128PWD  and  CHG128PWD2 commands  is  specified as
 TAASECURE.    Only  the security  officer  can  create the  tool.   The
 commands  will  not execute  unless  the  user  is  authorized  to  the
 TAASECURE library.

 The validity  checking program (TAASEKKC3  in TAATOOL) must exist  in a
 public  library (TAATOOL) so it can be  accessed when the user signs on
 and the operating system is  validating a new password.  The  TAASEKKC3
 program adopts  the user  profile of  its owner  so that  the user  can
 access  the  secure library  TAASECURE.   The  CPP  (TAASEKKC)  for the
 CHG128PWD command is called using a qualified name from TAASEKKC3.

 Any TAA  Tool commands  that are  executed by  CHG128PWD or  CHG128PWD2
 are done in a subprogram which is created as USEADPAUT(*NO).   The CL
 programs  (as created by  CRTTAATOOL) are  created to  prevent logging,
 retrieval of CL source and debugging.

 While  the  TAASEKKC3  program attempts  to  block  security exposures,
 there is  nothing to  prevent a normal  user from  calling the  program
 during the  day (e.g.  after signing  on).  The program  will perform a
 SBMRMTCMD  as if the  user had done  CHGPWD.  This will  cause a change
 on the other system  without making the  change on the current  system.

 Backup of TAASECURE Library
 ---------------------------

 For  the CHG128PWD  tool,  the TAASECURE  library  contains source  and
 object for  CHG128PWD.  However, other tools  may also use this library
 (e.g.   DSPPWD)  and you  should  consider  the overall  use.    Normal
 backup should be done.

 A new release of the TAA Tools
 ------------------------------

 When a  new release of  TAA Tools is  shipped, the install  code checks
 the  TAASEKKC  and  TAASEKKC2 programs  in  TAASECURE.    If they  were
 created  on a system  with a name  that begins with  TAASYS, the object
 programs are replaced.   If they  were created on  a system other  than
 TAASYSxx, they  are left  intact.  Therefore,  if you created  the tool
 on  your  system,  the  install code  will  not  replace  your modified
 version.

 The objects in TAATOOL related  to CHG128PWD (command and CL  programs)
 are replaced on  each release, but this  should not impact your  use of
 CHG128PWD unless you have made additional modifications.

 You  should read the information  member from the HELPTAA  menu on each
 release regarding 'changes in  the release' to  determine if there  are
 any changes to  the CHG128PWD tool  that will require  you to recreate
 the programs.   If so,  you must repeat  the process described  earlier
 and recreate the tool.

 Objects used by the tool
 ------------------------

    Object        Type        Attribute      Src member    Src file
    ------        ----        ---------      ----------    ----------

    CHG128PWD     *CMD                       TAASEKK       QATTCMD
    CHG128PWD2    *CMD                       TAASEKK2      QATTCMD
 *  TAASEKKC      *PGM           CLP         TAASEKKC      QATTCL
 *  TAASEKKC2     *PGM           CLP         TAASEKKC2     QATTCL
    TAASEKKC3     *PGM           CLP         TAASEKKC3     QATTCL
 *  TAASEKKC8     *PGM           CLP         TAASEKKC8     QATTCL
 *  TAASEKKC9     *PGM           CLP         TAASEKKC9     QATTCL
 ** TSTCHG128P    *DTAARA

      * These objects are located in the TAASECURE library.

     ** The data area is created by test instructions in TAASEKKC.

 Structure
 ---------

 CHG128PWD  Cmd
   TAASEKKC   CL
     TAASEKKC9   CL

 CHG128PWD2  Cmd
   TAASEKKC2   CL
     TAASEKKC9   CL

 Other programs

   TAASEKKC3   CL  - Used as the exit program for QPWDVLDPGM
   TAASEKKC8   CL  - Used as a demonstration/test program

Added to TAA Productivity Tools January 15, 2012


Last modified on March 10, 2014 © 1995, 2014 - TAA Tools, Inc.