*********************************************************
* *
* The CHG128PWD tool has been created, but *
* requires changes on your part. A test program *
* is also created for demonstration purposes. *
* See the implementation section. *
* *
*********************************************************
The Change 128 Password command is intended for those environments
using 128 byte passwords where a change to a user password should be
replicated on one or more systems.
Instead of using the normal CHGUSRPRF command to change a password,
the change would be made using CHG128PWD. This allows the password
to be captured, masked, and sent to a target system where it would be
unmasked and applied by the companion command CHG128PWD2.
*********************************************************
* *
* You must have the TAA Productivity Tools product *
* on each system that will either originate *
* a password change or be the target system to *
* be changed. *
* *
*********************************************************
The normal method of sending the command would be by the use of
SBMRMTCMD which is part of DDM support. Other alternatives are also
possible such as journaling and FTP.
A typical command on the originating system would be:
CHG128PWD USRPRF(xxxx) PASSWORD(yyyy) PWDEXP(*SAME)
The change can also be made using the CHGPWD command. See the
special instructions for this.
The passwords are not shown in the job log.
The CL programs must be modified to provide a unique 'secret code' to
assist in masking the passwords and to remove some testing code.
Once you have made the modifications and created your version of the
programs, the source and the programs should be kept in a secure
library. See the later discussion on modifications and security
considerations.
The password can contain upper or lower case and special characters.
The PASSWORD parameter is defined as 'mixed case'. Any quotes
entered in the parameter are considered to be part of the password.
The password must meet the password rules assigned to each system.
If not, CPI22AE is issued. Use DSPPWDA to see the existing rules.
CHG128PWD Command parameters *CMD
----------------------------
The CHG128PWD command should be entered on the originating system.
It will change the password and use a user specified method to submit
the CHG128PWD2 command to a target system. A typical method would be
to use the DDM command SBMRMTCMD.
USRPRF The user profile to be modified.
PASSWORD The password to be assigned. A password can be up
to 128 characters in length and can contain upper or
lower case and special characters. The PASSWORD
parameter is defined as 'mixed case'. Any quotes
entered in the parameter are considered to be part
of the password.
PWDEXP Whether the password should be set to expired. The
default is *SAME. A *YES or *NO may also be
specified.
CHGUSRPRF A *YES/*NO parameter for whether to change the user
profile on the source system.
*YES is the default to change the password.
*NO may be specified if a different method is used
for changing the password. For example, *NO is used
when the password is changed by the system CHGPWD
command and the exit program (TAASEKKC3) is called.
CHG128PWD2 Command parameters *CMD
-----------------------------
The CHG128PWD2 command is to be run on a target system. The
CHG128PWD command must send the CHG128PWD2 command to the target
system. CHG128PWD2 should not be used directly as it expects masked
input for the password parameter.
USRPRF The user profile to be modified.
MSKPWD The password to be assigned. As passed from
CHG128PWD, the masked password is up to 256 bytes of
hex data.
PWDLEN The length of the masked password. This should be
entered as a 3 byte character field.
PWDEXP Whether the password should be set to expired. The
default is *SAME. A *YES or *NO may also be
specified.
Restrictions
-------------
Capturing the password to be sent to a target system requires that
you do not use the system supplied CHGUSRPRF command. Passwords must
be changed by the CHG128PWD command. See also the instructions for
allowing the user to change the passwords via the system CHGPWD
command.
Prerequisites
-------------
The following TAA Tools must be on your system:
ADJAPOST Adjust apostrophes
CVTFRMHEX Convert from hex
CVTHEX Convert to hex
OR Or bytes together
SCNVARRGT Scan variable right
SCRAMBLE Scramble bytes
SNDCOMPMSG Send completion message
SNDDIAGMSG Send diagnostic message
SNDESCINF Send escape information
SNDESCMSG Send escape message
UNADOPT Unadopt
Implementation
--------------
The tool is created so that you can test the concept on a single
system. You must make changes and re-create the tool to cause the
function to work on a target system. See the later section on
modifying the CL programs.
If you are planning to use the SBMRMTCMD, you must also consider DDM
security. See the section on 'DDM Considerations.'
Demonstration and Testing
-------------------------
To demonstrate the function and test it on a single system, a special
program is provided to work with the code as is shipped. Do the
following to test the tool before making any modifications:
1. Signon as the Security Officer or a user with *ALLOBJ
authority.
2. Use a test profile and change the password using the TAA Tool
CHG128PWD command:
CHG128PWD USRPRF(xxxx) PASSWORD(yyyy)
3. The code as shipped for CHG128PWD executes the CHGUSRPRF
command to change the specified parameters. It also builds
the CHG128PWD2 command and places it in the TSTCHG128P data
area in TAASECURE. The CHG128PWD2 command includes the masked
password as hex data. The data is scrambled and combined with
a 'secret code'. You may display the command which has been
created by:
DSPDTAARA DTAARA(TAASECURE/TSTCHG128P)
4. Using the system command CHGUSRPRF, change the password of the
same profile to some other value. This will allow the next
step to reset the password as entered on CHG128PWD.
CHGUSRPRF USRPRF(xxxx) PASSWORD(zzzz)
5. Call the test program in TAASECURE:
CALL PGM(TAASECURE/TAASEKKC8)
The program should respond with messages that describe the
previous steps and a completion message that states that the
password has been changed by the TAA CHG128PWD2 command.
6. Signon to the profile with the password that you assigned in
Step 2. This should prove that the password is being properly
unmasked and changed.
If you want to change the password using the system CHGPWD command,
there are additional steps. See the section on 'Use with the CHGPWD
command'.
You may want to use the same approach to test the modifications to
the CL programs for your 'secret code' described in the next section
before you attempt to send the CHG128PWD2 command to another system.
This will ensure that the same 'secret code' is used in both
programs. After this step is working, you could modify the TAASEKKC2
program to send the CHG128PWD2 command to a target system and remove
the special test code that updates the TSTCHG128P data area in
TAASECURE. See the next section.
Modifying the CL programs
-------------------------
The TAASEKKC and TAASEKKC2 programs must be modified. Before
modifying the programs, it is recommended that you create a unique
library for the source that will be modified. Then use the
CRTTAASRCF command to create QATTxxx source files in the library:
CRTTAASRCF LIB(xxxx)
Use the CPYTAA2 command to copy the source for the tool to your
library.
CPYTAA2 TOOL(CHG128PWD) TOLIB(xxx)
Both the CL programs (TAASEKKC and TAASEKKC2) need to be modified to
supply your own unique version of the 'secret code'.
Use SEU to modify the source:
STRSEU SRCFILE(xxx/QATTCL) SRCMBR(TAASEKKC)
The SECRET variable is declared at the beginning of the program as
128 bytes in length. Scan for SECRETCODE until you see the CHGVAR
command that sets the value.
When the password is entered on CHG128PWD, the length of the password
value is determined. Based on the length of the password value, only
the first n characters of the 'secret code' are used to help mask the
data. Therefore, you need only make changes within the first n
characters of the 'secret code' based on a typical maximum password
length that is entered. For example, if a typical maximum length of
your passwords is 25 bytes, the 'secret code' need not be changed
after position 25.
Change one or more of the secret code characters. After you have
changed the value, end SEU (do not attempt to create anything at this
time).
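The following is an added model of the CHG128PWD to CHG128PWD2 exchange described above; it is not TAA Tools code. The real programs scramble and combine the password with the 'secret code' in CL (SCRAMBLE, OR, CVTHEX); here a byte-wise XOR stands in for that combination, which is an assumption, not the tool's actual algorithm. The constructed SECRET value, the function names and the exact MSKPWD spelling in the built command string are also assumptions.

```python
# Added illustration (not TAA Tools code): how a 128-byte password becomes the
# MSKPWD hex string and 3-character PWDLEN that CHG128PWD2 expects, and why only
# the first n bytes of the 'secret code' take part for an n-byte password.
MAX_PWD = 128                              # 128-byte password limit from the text
SECRET = (b"CHANGE-ME-" * 13)[:MAX_PWD]    # stands in for the 128-byte SECRET variable

def combine(data: bytes, secret: bytes) -> bytes:
    """XOR stands in for 'scramble and combine with the secret code' (assumed)."""
    return bytes(d ^ s for d, s in zip(data, secret[: len(data)]))

def mask_password(password: str, secret: bytes = SECRET) -> tuple[str, str]:
    """Originating side (CHG128PWD): returns (MSKPWD hex, PWDLEN as 3 chars)."""
    raw = password.encode("utf-8")        # quotes and special characters stay in
    if not 1 <= len(raw) <= MAX_PWD:
        raise ValueError("password must be 1..128 bytes")
    masked = combine(raw, secret)         # only secret[:len(raw)] is used
    return masked.hex().upper(), f"{len(raw):03d}"   # up to 256 hex chars, e.g. '025'

def unmask_password(mskpwd: str, pwdlen: str, secret: bytes = SECRET) -> str:
    """Target side (CHG128PWD2): check the length field, then undo the mask."""
    n = int(pwdlen)
    masked = bytes.fromhex(mskpwd)
    if len(masked) != n or not 1 <= n <= MAX_PWD:
        raise ValueError("PWDLEN does not match MSKPWD")
    # errors='replace' so a wrong secret yields a visibly wrong value, not a crash
    return combine(masked, secret).decode("utf-8", errors="replace")

def build_chg128pwd2(usrprf: str, password: str, pwdexp: str = "*SAME") -> str:
    """Assemble the command the originating system would send to the target."""
    mskpwd, pwdlen = mask_password(password)
    return (f"CHG128PWD2 USRPRF({usrprf}) MSKPWD({mskpwd}) "
            f"PWDLEN({pwdlen}) PWDEXP({pwdexp})")

if __name__ == "__main__":
    cmd = build_chg128pwd2("TESTUSR", "Pa$$w0rd'quoted'!")
    print(cmd)
    # A secret that differs only after position 25 still unmasks a 25-byte
    # password, which is why the text says positions beyond the typical
    # maximum length need not be changed.
    msk, n = mask_password("x" * 25)
    print(unmask_password(msk, n, SECRET[:25] + b"Z" * 103) == "x" * 25)
```

The model also makes the risk in the security considerations concrete: whoever holds both programs (and so the secret) can run the unmask step on any captured CHG128PWD2 command, so the masking protects only against casual observation, not against an analyst with the TAASECURE objects.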
Use SEU to modify the source for the second program:
STRSEU SRCFILE(xxx/QATTCL) SRCMBR(TAASEKKC2)
Since both programs must agree on the 'secret code', a good technique
would be to use the SEU split screen to copy the CHGVAR command from
TAASEKKC to TAASEKKC2. After you have made the change, end SEU.
At this point it is recommended that you create the tool without
making any further modifications and try the demonstration program as
described in the previous section. Use CRTTAATOOL:
CRTTAATOOL TOOL(CHG128PWD) SRCLIB(xxx)
Use a password that will cover what you consider to be a typical
maximum length someone would use. This will ensure that the programs
are both using the same 'secret code'.
Now try the demonstration test as described in the previous section.
After this test is complete, you must modify the TAASEKKC program to
send the CHG128PWD2 command to one or more remote systems. A typical
solution would be to use DDM via the SBMRMTCMD command. If DDM is
used (it is not the only solution), the TAASEKKC program must also be
modified to specify the DDM file name to be used for SBMRMTCMD. Use
SEU as described earlier to modify TAASEKKC. See the discussion at
about statement 180 of the TAASEKKC source member.
After you have modified the source, you should re-create the tool as
follows:
CRTTAATOOL TOOL(CHG128PWD) SRCLIB(xxx)
It is important that you protect your secret codes. See the section
on Security considerations.
There is no reason for you to write down your secret code in an
offline place. If you have to recreate the programs, you can use a
different 'secret code'.
Good practice would be to save your secure library, secure the media,
and then delete the secure library. This will provide a backup if
the objects are damaged.
You must have the TAA Productivity Tools product on every system
where the change will originate and on every target system where it
will be applied.
Use with CHGPWD command
-----------------------
The system supports the CHGPWD command to allow an end user to change
his password. System support allows an Fx key to access CHGCMD on
some displays or you may include the command in a user program. The
system may also be used to force a user to change his password after
n days. See the QPWDEXPITV system value. CHGUSRPRF also supports
PWDEXP(*YES) which can be used to force him to change his password
the next time he signs on.
When CHGPWD is used, the system supports an optional exit program to
ensure that the password meets a specific system's rules. This exit
program can also be used to capture the password to send it to a
target system.
A program (TAASEKKC3) is provided to do this. As the Security
Officer, you must change the system value QPWDVLDPGM to specify that
the registration facility will be used to define the exit program:
CHGSYSVAL SYSVAL(QPWDVLDPGM) VALUE(*REGFAC)
Then use WRKREGINF. When the screen appears, rollup to:
QIBM_QSY_VLD_PASSWRD
Use option 8 (Work with exit programs).
When the display appears, enter:
Option 1 (to add)
Exit program TAASEKKC3
Library TAATOOL
TAASEKKC3 exists in TAATOOL and is owned by the Security Officer and
adopts his profile. This allows access to the TAASECURE library.
When the user changes his password with CHGPWD, the exit program
TAASEKKC3 will be called. It invokes the CHG128PWD command. This
will cause the same function as if CHG128PWD was invoked directly
except that the CHGUSRPRF function is not done (it has already been
done by the system).
DDM considerations
------------------
The DDM Users Guide describes how the SECURELOC parameter in the
remote system's configuration controls which user profile will be
used on the remote system. If SECURELOC(*YES) is specified, the
command will be run by the same user profile and no security
considerations should exist.
If SECURELOC(*NO) is specified, the command must be run by the user
specified for the DDM job. Allowing a single user profile to change
the passwords of any user would probably be a security violation.
A program written to adopt the security officer's profile can be used
to accept a string and execute it. To prevent this program from
being used in a non-secure manner, you should provide some technique
to prevent misuse.
A solution would be to use a CALL command to your program on the
target system instead of the CHG128PWD2 with SBMRMTCMD. Pass the
same list of values. The program on the target system would accept
the parameters and pass the same list to a second program which
adopts the security officer profile. The second program could use
the TAA command RTVPGMSTK and ensure that it is only called by the
program you intended.
Security considerations
-----------------------
The code is written to attempt to minimize security exposures.
However, because the programs and the submitted command are the key
to determining what the passwords are, there is always an exposure.
For example, there is nothing to prevent an authorized user from
saving the TAASECURE library and taking it to another system where he
can analyze the information as the Security Officer. While it would
not be easy to determine what is being done, it would not be
impossible.
There is nothing to prevent an unauthorized user from reading the
documentation about this tool.
Unless you are willing to assume a risk of this type, you should not
implement CHG128PWD.
You can reduce the risk somewhat by saving the source files to secure
media and deleting them from the system.
The sensitive objects (the CL programs which contain the secret
codes) are placed in the private library TAASECURE. The Product
Library for the CHG128PWD and CHG128PWD2 commands is specified as
TAASECURE. Only the security officer can create the tool. The
commands will not execute unless the user is authorized to the
TAASECURE library.
The validity checking program (TAASEKKC3 in TAATOOL) must exist in a
public library (TAATOOL) so it can be accessed when the user signs on
and the operating system is validating a new password. The TAASEKKC3
program adopts the user profile of its owner so that the user can
access the secure library TAASECURE. The CPP (TAASEKKC) for the
CHG128PWD command is called using a qualified name from TAASEKKC3.
Any TAA Tool commands that are executed by CHG128PWD or CHG128PWD2
are done in a sub program which is created as USEADPAUT(*NO). The CL
programs (as created by CRTTAATOOL) are created to prevent logging,
retrieving of CL source and debugging.
While the TAASEKKC3 program attempts to block security exposures,
there is nothing to prevent a normal user from calling the program
during the day (e.g. after signing on). The program will perform a
SBMRMTCMD as if the user had done CHGPWD. This will cause a change
on the other system without making the change on the current system.
Backup of TAASECURE Library
---------------------------
For the CHG128PWD tool, the TAASECURE library contains source and
object for CHG128PWD. However, other tools may also use this library
(e.g. DSPPWD) and you should consider the overall use. Normal
backup should be done.
A new release of the TAA Tools
------------------------------
When a new release of TAA Tools is shipped, the install code checks
the TAASEKKC and TAASEKKC2 programs in TAASECURE. If they were
created on a system with a name that begins with TAASYS, the object
programs are replaced. If they were created on a system other than
TAASYSxx, they are left intact. Therefore, if you created the tool
on your system, the install code will not replace your modified
version.
The objects in TAATOOL related to CHG128PWD (command and CL programs)
are replaced on each release, but this should not impact your use of
CHG128PWD unless you have made additional modifications.
You should read the information member from the HELPTAA menu on each
release regarding 'changes in the release' to determine if there are
any changes to the CHG128PWD tool that will require you to recreate
the programs. If so, you must repeat the process described earlier
and recreate the tool.
Objects used by the tool
------------------------
   Object        Type      Attribute  Src member  Src file
   ------        ----      ---------  ----------  --------
   CHG128PWD     *CMD                 TAASEKK     QATTCMD
   CHG128PWD2    *CMD                 TAASEKK2    QATTCMD
*  TAASEKKC      *PGM      CLP        TAASEKKC    QATTCL
*  TAASEKKC2     *PGM      CLP        TAASEKKC2   QATTCL
   TAASEKKC3     *PGM      CLP        TAASEKKC3   QATTCL
*  TAASEKKC8     *PGM      CLP        TAASEKKC8   QATTCL
*  TAASEKKC9     *PGM      CLP        TAASEKKC9   QATTCL
** TSTCHG128P    *DTAARA

 * These objects are located in the TAASECURE library.
** The data area is created by test instructions in TAASEKKC.
Structure
---------
CHG128PWD      Cmd
   TAASEKKC       CL
      TAASEKKC9      CL
CHG128PWD2     Cmd
   TAASEKKC2      CL
      TAASEKKC9      CL
Other programs
   TAASEKKC3      CL - Used as the exit program for QPWDVLDPGM
   TAASEKKC8      CL - Used as a demonstration/test program