TAA Tools
INZPWD          INITIALIZE PASSWORD                    TAASECX

The  Initialize  Password  tool  is  designed  for  Assistant  Security
Officers to be able to reset a user's password.  The typical case for
this would be where the user has forgotten his password.

The INZPWD toolset actually consists of 5 commands:

  INZPWD    Change password to the user profile name or random value.
  INZPWD2   Forces password to random value between 6-10 characters.
  INZPWD3   Change password to random value between 5-75 characters.
  SETINZPWD Schedule job to disable unchanged pwds set by INZPWD cmds
  CHKINZPWD Disable unchanged passwords set by INZPWD commands.

INZPWD Command                                       *CMD
-------------------------
The  INZPWD  command allows  the  new password  to  be either  the user
profile name or a random value of 6 to 10 characters.

INZPWD command parameters are:

   USRPRF        The user profile to have its password initialized.

   PASSWORD      The password assigned  to the  user profile.   *USRPRF
                 sets  the  password  to  the  same name  as  the  user
                 profile.  *USRPRF is the default.

                 *RANDOM  may  be  specified  to  generate  a  6  -  10
                 character random password.

                 The  random  password  will  conform  to  the   system
                 password  rules or  system  password attributes  which
                 are set.

                 See  Restrictions  section  below  for conflicts  with
                 password rules  length settings  and possible  invalid
                 results that can occur.

A typical command would be:

           INZPWD   USRPRF(JONES)

This would reset the user's password to the same name as the profile.

The profile  is set to  PWDEXP(*YES) which forces a  change of password
at the next signon.

Password  length  is  set with  an  application value.    See EDTAPPVAL
discussion below.

INZPWD2 Command                                       *CMD
--------------------------
The INZPWD2 command forces a random value of 6 to 10 characters.

INZPWD2 command parameters are:

   USRPRF        The user  profile will  have its password  initialized
                 to a random value, 6-10 characters in length.

                 The  random  password  will   conform  to  the  system
                 password  rules  or system  password  attributes which
                 are set.

                 See Restrictions  section  below  for  conflicts  with
                 password rules  length settings  and possible  invalid
                 results that can occur.

   TAAPWDARA     A  *YES/*NO  value  for  whether  the random  password
                 should be placed  in the TAAPWDARA  *DTAARA in  QTEMP.

                 *NO is  the default.   The TAAPWDARA *DTAARA  will not
                 exist.

                 *YES  may  be specified  to  create the  data  area in
                 QTEMP.   It  is created as  *CHAR LEN(20).   The first
                 10 bytes  will contain  the  user profile  name.   The
                 second  10 bytes will  contain the  randomly generated
                 password.

A typical command would be:

           INZPWD2  USRPRF(JONES)

A  random password  will be  set, 6  to 10 characters  in length.   The
default length is 6.

The completion message contains the password that is assigned.

The profile is set  to PWDEXP(*YES) which  forces a change of  password
at the next signon.

Password  length is  set  with an  application  value.   See  EDTAPPVAL
discussion below.


Application value settings
(using EDTAPPVAL - applies to INZPWD and INZPWD2 only)
----------------------------------------------
 Additional INZPWD features are available via the application
 values INZPWD and INZPWD2:
  - EDTAPPVAL   APPVAL(TAASECURE/INZPWD) allows:

        - STATUS parameter of the user profile to be set
          when INZPWD is run. Values are *SAME, *ENABLED or *DISABLED.
          The default is *SAME which will leave the user profile
          in its current state.
          To ensure the profile is enabled after the use of INZPWD,
          set STATUS to *ENABLED.
        - Allow INZPWD on SECOFR2 menu
        - Allow INZPWD2 on SECOFR2 menu
  - EDTAPPVAL   APPVAL(TAASECURE/INZPWD2) allows:
        - Password length - a length between 6 and 10 characters


INZPWD3 Command                                       *CMD
--------------------------
The INZPWD3 command forces a random value of 5 to 75 characters.

INZPWD3 command parameters are:

   USRPRF        The  user profile  will have its  password initialized
                 to a random value, 5 to 75 characters in length.

                 The  random  password  will  conform  to  the   system
                 password  rules or  system  password attributes  which
                 are set.

   PWDLEN        A  password length between  5 and 75  can be set.   The
                 default length is 8.

   STATUS        Status  of the  user profile  can be  set to *ENABLED,
                 *DISABLED,  or  *SAME.   *SAME  will  leave  the  user
                 profile  in  its  current  state.    The  default  is
                 *ENABLED.

   PWDEXP        Password  Expired  determines  whether  the user  must
                 change the password at the  next signon.  The  default
                 is *NO.

A typical command would be:

           INZPWD3  USRPRF(JONES)

A random  password will  be set,  5 to  75 characters  in length.   The
default length is 8.

The password  will automatically be placed in  the TAAPWDARA *DTAARA in
QTEMP.  Upon  completion of  the command, the  TAAPWDARA will  display.
The first 10  bytes will contain the  user profile name.  The  next 128
bytes will contain the randomly generated password.

Authority considerations
----------------------------------------------
The  user  of  INZPWD,  INZPWD2,  INZPWD3  must be  authorized  to  the
TAAINZPWD authorization list.

The  QSECOFR  profile  cannot  be changed  nor  can  the  current user.
Other  profiles  that  cannot   be  changed  are  QSRV,  QSRVBAS,   and
TAAJOBCTL.

The INZPWD  data area  in TAASECURE can  be used to  specify a  list of
additional  profiles that  cannot be  changed using  the command.   The
Security Officer can  use the following  command to specify  additional
user profiles:

        EDTCONARR     DTAARA(TAASECURE/INZPWD)

If the  user entering INZPWD, INZPWD2,  or INZPWD3 has  *ALLOBJ special
authority,  he can  change any  user profile  except QSECOFR  and those
specified in  the INZPWD  data  area in  TAASECURE.   This  allows  the
simple  INZPWD/INZPWD2/INZPWD3  commands  to be  used  instead  of  the
CHGUSRPRF command.

If the user does not have *ALLOBJ authority, he cannot change:

  **   QSECOFR  or any user  in the list  described by the  INZPWD data
       area in TAASECURE.

  **   Any  user  profile  that  has a  special  authority  of *ALLOBJ,
       *SECADM,  or   *SERVICE.     These  profiles  have   significant
       security aspects to  them and should be changed  by the Security
       Officer.
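The target-profile rules above (QSECOFR, the current user, QSRV, QSRVBAS,
TAAJOBCTL, the INZPWD data area list, and the *ALLOBJ/*SECADM/*SERVICE
restriction for requesters without *ALLOBJ) are restated in the
Restrictions section below.  The following Python model is an added
example, not the tool's own CL or RPG code; it assumes the rule set exactly
as this documentation states it.  The Profile class, the check_target
function, and the sample profile names are constructed for the example.

```python
"""Model of the INZPWD/INZPWD2/INZPWD3 target-profile checks.

Added example (not TAA tool code). Assumed from the documentation:
  * QSECOFR, the current user, QSRV, QSRVBAS and TAAJOBCTL are never changeable;
  * profiles listed in the INZPWD data area in TAASECURE are never changeable;
  * a requester WITHOUT *ALLOBJ also cannot change a target that holds
    *ALLOBJ, *SECADM or *SERVICE.
The requester is assumed to already be on the TAAINZPWD authorization list
(or to hold *ALLOBJ); that check is outside this model.
"""
from dataclasses import dataclass, field
from typing import Iterable, Tuple

# Names the documentation says can never be changed by these commands.
ALWAYS_BLOCKED = frozenset({"QSECOFR", "QSRV", "QSRVBAS", "TAAJOBCTL"})

# Special authorities that reserve a target for the Security Officer.
SENSITIVE_SPCAUT = frozenset({"*ALLOBJ", "*SECADM", "*SERVICE"})


@dataclass(frozen=True)
class Profile:
    """Constructed stand-in for a user profile: name plus special authorities."""
    name: str
    spcaut: frozenset = field(default_factory=frozenset)


def check_target(requester: Profile, target: Profile,
                 inzpwd_block_list: Iterable[str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for `requester` resetting `target`'s password.

    `inzpwd_block_list` stands for the contents of the INZPWD data area in
    TAASECURE (maintained with EDTCONARR DTAARA(TAASECURE/INZPWD)).
    """
    t = target.name.upper()
    if t in ALWAYS_BLOCKED:
        return False, f"{t} can never be changed with INZPWD"
    if t == requester.name.upper():
        return False, "the current user cannot change its own password with INZPWD"
    if t in {n.strip().upper() for n in inzpwd_block_list}:
        return False, f"{t} is listed in the INZPWD data area in TAASECURE"
    if "*ALLOBJ" not in requester.spcaut:
        held = target.spcaut & SENSITIVE_SPCAUT
        if held:
            return False, (f"{t} holds {', '.join(sorted(held))}; "
                           "only a user with *ALLOBJ may change it")
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample: an assistant without *ALLOBJ and a full security officer.
    assistant = Profile("ASSIST")
    secofr = Profile("SECOFR", frozenset({"*ALLOBJ", "*SECADM"}))
    blocked = ["PAYROLL"]
    for who in (assistant, secofr):
        for tgt in (Profile("JONES"), Profile("QSECOFR"), Profile("PAYROLL"),
                    Profile("ADMIN2", frozenset({"*SECADM"}))):
            ok, why = check_target(who, tgt, blocked)
            print(f"{who.name:8} -> {tgt.name:8} {'OK ' if ok else 'NO '} {why}")
```

Run it to see which combinations the rules accept; the *ALLOBJ requester is
still refused for PAYROLL because the data-area list applies to everyone,
while ADMIN2 (holding *SECADM) is refused only for the requester without
*ALLOBJ.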

Use with the TAADPTSEC Authorization List --

An  alternative approach  is to  allow for multiple  assistant security
officers who can each  manage a set of unique  user profiles.  This  is
called a  'Departmental Security Officer'.   See the discussion  of the
TAADPTSEC authorization list in the SECOFR2 tool documentation.

Audit considerations
----------------------------------------------
To  provide an audit  trail of the  use of this  command, the following
occurs:

  **   If  the  QAUDJRN  journal  exists,  an  entry  is  sent  to   it
       describing the use  of INZPWD or  INZPWD2, the profile  that was
       changed, and  the user that made the change.   The entry type is
       IP.

  **   If  the QAUDJRN journal does not  exist, the same information as
       described for the  journal entry is sent  as a message to  QHST.


SETINZPWD / CHKINZPWD commands - Disabling unchanged passwords
-------------------------------------------------

A typical  concern at  many installations is  user profiles that  can be
signed on to using  the user profile name as the  password, or that have
been created and never signed on to.

An option can be set so that  any use of INZPWD will cause a record  to
be  entered into  a  database  file  that  will be  checked  by a  job
schedule  job at  5 minutes after  midnight.   If the password  has not
been changed, the profile is disabled.

To set  the option,  a user  with *ALLOBJ  and *SECADM  authority  must
enter the SETINZPWD command such as:

             SETINZPWD   DISABLE(*YES) JOBD(*USRPRF)

SETINZPWD sets a  value in the SETINZPWD  data area in TAASECURE.   The
value  is tested  by the  INZPWD  commands and  causes a  record  to be
written  to the  INZPWDP file  in TAASECURE  for each  profile password
that is initialized.

SETINZPWD also adds  a job schedule entry  for the job CHKINZPWD  to be
run at 5  minutes after midnight every day of the  week.  The CHKINZPWD
command is  run which reads the records in  the INZPWDP file and if the
user profile has not had its  password changed since the use of  INZPWD
(on a previous day), the profile is disabled.

A  listing is  output describing  any actions  taken.   If the  profile
password  has been changed  or if the  profile is disabled,  the record
is deleted from the  file.  The INZPWDP  file is set to  REUSEDLT(*YES)
so there is no reason to have to reorganize the file.

The CHKINZPWD job  is set to RCYACN(*SBMRLS)  so that if the  system is
powered off,  the job will  be run when the  system is powered  on.  If
your  system is  powered off for  multiple days, multiple  jobs will be
submitted when  the system  is powered  on.   This will  not cause  any
errors, but will produce a listing for each job.

If  you  used  SETINZPWD  to  disable  profiles and  want  to  end  the
function, specify:

            SETINZPWD   DISABLE(*NO)

This  will reset the switch used by  INZPWD and remove the job schedule
entry.

Note that  only INZPWD  and INZPWD2  cause records  to be  written to the
INZPWDP  file.   If  you create  a  profile and  want the  same function
to  occur, you must follow the  CRTUSRPRF command with INZPWD.
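The nightly CHKINZPWD decision (password changed: delete the record;
unchanged since an INZPWD on a previous day: disable the profile and delete
the record; initialized today: leave the record for the next run) is
modelled below.  This is an added example, not the tool's TAASECXC6 /
TAASECXR6 code.  It assumes that the INZPWDP record carries the profile name
and the time INZPWD ran, and that the password-status lookup (what the
RTVPWDSTS tool would supply) yields the time the password was last changed;
the record layout, the chkinzpwd function and the sample data are
constructed.

```python
"""Model of the CHKINZPWD job over INZPWDP records.

Added example (not TAA tool code). Assumptions:
  * each INZPWDP record = (user profile, timestamp INZPWD/INZPWD2 ran);
  * pwd_changed_at[profile] = timestamp of the last password change,
    which equals the INZPWD timestamp until the user changes it;
  * "on a previous day" means the INZPWD date is earlier than the date of
    the run (the job runs at 00:05, so it sees yesterday's records).
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class InzpwdRecord:
    usrprf: str
    inz_ts: datetime  # when INZPWD/INZPWD2 set the password


def chkinzpwd(records: List[InzpwdRecord], pwd_changed_at: Dict[str, datetime],
              today: date) -> Tuple[List[str], List[str], List[InzpwdRecord]]:
    """Return (listing, disabled_profiles, records_kept).

    listing mirrors the printed report: one line per record.
    Records are kept only when they were written today.
    """
    listing: List[str] = []
    disabled: List[str] = []
    kept: List[InzpwdRecord] = []
    for rec in records:
        changed = pwd_changed_at.get(rec.usrprf)
        if changed is not None and changed > rec.inz_ts:
            # User chose a new password (same day or later): nothing to do.
            listing.append(f"{rec.usrprf}: password changed {changed:%Y-%m-%d %H:%M}, "
                           "record deleted")
        elif rec.inz_ts.date() < today:
            # Still on the INZPWD password after a full day: CHGUSRPRF STATUS(*DISABLED).
            disabled.append(rec.usrprf)
            listing.append(f"{rec.usrprf}: unchanged since INZPWD on "
                           f"{rec.inz_ts:%Y-%m-%d}, profile disabled, record deleted")
        else:
            listing.append(f"{rec.usrprf}: initialized today, left for the next run")
            kept.append(rec)
    return listing, disabled, kept


# Constructed sample: the job running at 00:05 on 2024-05-02.
SAMPLE_TODAY = date(2024, 5, 2)
SAMPLE_RECORDS = [
    InzpwdRecord("JONES", datetime(2024, 5, 1, 9, 30)),   # changed it the same day
    InzpwdRecord("SMITH", datetime(2024, 5, 1, 10, 0)),   # never changed it
    InzpwdRecord("BROWN", datetime(2024, 5, 2, 0, 1)),    # reset minutes before the run
]
SAMPLE_PWD_CHANGED_AT = {
    "JONES": datetime(2024, 5, 1, 11, 45),
    "SMITH": datetime(2024, 5, 1, 10, 0),   # still the INZPWD timestamp
    "BROWN": datetime(2024, 5, 2, 0, 1),
}


def run_sample() -> Tuple[List[str], List[str], List[InzpwdRecord]]:
    return chkinzpwd(SAMPLE_RECORDS, SAMPLE_PWD_CHANGED_AT, SAMPLE_TODAY)


if __name__ == "__main__":
    listing, disabled, kept = run_sample()
    print("\n".join(listing))
    print("disabled:", disabled, "records kept:", [r.usrprf for r in kept])
```

Comparing timestamps rather than dates is what lets the model distinguish a
user who changed the password on the same day as the INZPWD from one who
did not; a date-only comparison would disable both.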

SETINZPWD Command parameters                          *CMD
----------------------------

   DISABLE       A  *YES/*NO  parameter  for  whether  to  disable  any
                 profiles that have  not changed since the last  use of
                 INZPWD.   *YES is  the default  which causes  a switch
                 to  be  set in  the SETINZPWD  data area  in TAASECURE
                 and  causes  the  CHKINZPWD  to  be  added  as  a  job
                 schedule  entry to  run at  5 minutes  after midnight.
                 Any   profiles  that  have  not   had  their  password
                 changed since the  last use of  INZPWD (on a  previous
                 day) are disabled.

                 *NO  may   be  specified  to  prevent   the  disabling
                 function.    This resets  the switch  and  removes the
                 job schedule entry.

   JOBD          The fully  qualified  job  description  that  will  be
                 used  to  run  the CHKINZPWD  job.    The  default  is
                 *USRPRF.

                 A  specific   job  description  and   library  may  be
                 entered.

Restrictions
------------

  **   The   user  of  either  INZPWD,  INZPWD2,  or  INZPWD3  must  be
       authorized  to  the   TAAINZPWD  authorization  list,  or   have
       *ALLOBJ   authority.     To  add   a  user   to   the  TAAINZPWD
       authorization   list,  use  ADDAUTLE  AUTL(TAAINZPWD)  USER(xxx)
       AUT(*USE)

  **   A user properly  authorized to use  INZPWD, INZPWD2, or  INZPWD3
       (see  above) can  change  any user  profile  except QSECOFR  and
       those specified in the INZPWD data area in TAASECURE.

  **   A user  without *ALLOBJ authority cannot  change QSECOFR, a user
       profile  that  is   specified  in  the   INZPWD  data  area   in
       TAASECURE, or  a user profile  that has  a special authority  of
       *ALLOBJ, *SECADM, or *SERVICE.

  **   The  user  of  SETINZPWD  must  have both  *ALLOBJ  and  *SECADM
       special authorities.

  **   An  invalid  random password  could be  generated due  to length
       conflicts.    Since  INZPWD  and  INZPWD2  only  allow  password
       lengths  of  6  to  10  characters, length  conflicts  with  the
       password rules can happen.

  **   For  example, if INZPWD2  length = 6,  but the MINLEN  = 10, the
       password generated  would be  invalid.   Similarly,  if  INZPWD2
       length =10, but DGTMIN  = 6, LTRMIN = 4, and SPCCHRMIN  = 2, the
       password generated would be invalid.

  **   An  invalid random  password  could also  be generated  if a
       password  validation  program  is  used  with  rules  different
       from the system password rules.
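The two length-conflict cases above (a 6-character INZPWD2 value against
MINLEN 10; a 10-character value against DGTMIN 6 + LTRMIN 4 + SPCCHRMIN 2)
can be checked before a password is generated.  The Python below is an
added example, not the GENRANPWD2 tool or any other TAA code: it tests a
requested length against the rule values the text names, lists the lengths
in a command's range (6-10 for INZPWD/INZPWD2, 5-75 for INZPWD3) that can
satisfy them, and generates a random password that meets the per-class
minimums.  The PwdRules field names and the special-character set "#$@_"
are assumptions for the example, not the system's definitions.

```python
"""Length-conflict check and rule-conforming random password generation.

Added example (not TAA tool code). Rule names are modelled after the values
the documentation mentions (MINLEN, MAXLEN, DGTMIN, LTRMIN, SPCCHRMIN); the
character classes below are constructed for the example.
"""
import secrets
import string
from dataclasses import dataclass
from typing import List

DIGITS = string.digits
LETTERS = string.ascii_uppercase
SPECIALS = "#$@_"   # assumed special-character set for this example


@dataclass(frozen=True)
class PwdRules:
    minlen: int = 1
    maxlen: int = 10
    dgtmin: int = 0       # minimum digits
    ltrmin: int = 0       # minimum letters
    spcchrmin: int = 0    # minimum special characters


def length_conflicts(pwdlen: int, rules: PwdRules) -> List[str]:
    """Reasons a password of exactly `pwdlen` characters can never satisfy
    `rules`; an empty list means the length is feasible."""
    problems = []
    if pwdlen < rules.minlen:
        problems.append(f"length {pwdlen} is below MINLEN {rules.minlen}")
    if pwdlen > rules.maxlen:
        problems.append(f"length {pwdlen} exceeds MAXLEN {rules.maxlen}")
    required = rules.dgtmin + rules.ltrmin + rules.spcchrmin
    if required > pwdlen:
        problems.append(f"DGTMIN {rules.dgtmin} + LTRMIN {rules.ltrmin} + "
                        f"SPCCHRMIN {rules.spcchrmin} = {required} characters "
                        f"needed, only {pwdlen} available")
    return problems


def usable_lengths(lo: int, hi: int, rules: PwdRules) -> List[int]:
    """Lengths in the command's range [lo, hi] with no conflict."""
    return [n for n in range(lo, hi + 1) if not length_conflicts(n, rules)]


def gen_random_pwd(pwdlen: int, rules: PwdRules) -> str:
    """Generate a password of `pwdlen` characters meeting the class minimums,
    using a CSPRNG; raises ValueError when the length cannot satisfy the rules."""
    problems = length_conflicts(pwdlen, rules)
    if problems:
        raise ValueError("; ".join(problems))
    chars = [secrets.choice(DIGITS) for _ in range(rules.dgtmin)]
    chars += [secrets.choice(LETTERS) for _ in range(rules.ltrmin)]
    chars += [secrets.choice(SPECIALS) for _ in range(rules.spcchrmin)]
    pool = DIGITS + LETTERS + SPECIALS
    chars += [secrets.choice(pool) for _ in range(pwdlen - len(chars))]
    # Fisher-Yates shuffle driven by secrets so class positions are not predictable.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    # The two conflicts from the Restrictions section.
    print(length_conflicts(6, PwdRules(minlen=10)))
    print(length_conflicts(10, PwdRules(dgtmin=6, ltrmin=4, spcchrmin=2)))
    # Which INZPWD2 lengths work when MINLEN is 8?
    print(usable_lengths(6, 10, PwdRules(minlen=8, maxlen=10)))
    print(gen_random_pwd(10, PwdRules(dgtmin=3, ltrmin=3, spcchrmin=1)))
```

Running the check before generation turns the silent "invalid password"
outcome into an explicit error that names the conflicting rule.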

Prerequisites
-------------

The following TAA Tools must be on your system:

     ADDDAT       Add date
     CHKOBJ3      Check object 3
     CONARR       Constant array
     GENRANNBR    Generate random number
     GENRANPWD2   Generate random password 2
     RTVDAT       Retrieve date
     RTVPWDSTS    Retrieve password status
     RTVSPCAUT    Retrieve special authority
     RTVSYSVAL3   Retrieve system value 3
     SNDCOMPMSG   Send completion message
     SNDESCMSG    Send escape message

Implementation
--------------

The tool  is ready  to use, but  a user  must be  authorized to  the
TAAINZPWD authorization list.  For example,

      ADDAUTLE   AUTL(TAAINZPWD) USER(xxx) AUT(*USE)

The  Security  Officer  may also  specify  certain  user profiles  that
cannot  be  changed  by entering  them  into  the INZPWD  data  area in
TAASECURE.  To edit the list of invalid profiles, use the command:

        EDTCONARR    DTAARA(TAASECURE/INZPWD)

You do not  need to enter QSECOFR  as it is  always prevented.  You  do
not  need  to add  a  user  profile that  has  a  special authority  of
*ALLOBJ,  *SECADM,  or *SERVICE  unless  you do  not want  a  user with
*ALLOBJ authority to  be able to  change these profiles.   Any  profile
with one  or more of these  special authorities will be  prevented from
being changed by other code in the program.

Objects used by the tool
------------------------

   Object        Type    Attribute      Src member    Src file
   ------        ----    ---------      ----------    ----------

   INZPWD        *CMD                   TAASECX       QATTCMD
   INZPWD2       *CMD                   TAASECX2      QATTCMD
   SETINZPWD     *CMD                   TAASECX5      QATTCMD
   CHKINZPWD     *CMD                   TAASECX6      QATTCMD
   TAASECXC      *PGM       CLP         TAASECXC      QATTCL
   TAASECXC2     *PGM       CLP         TAASECXC2     QATTCL
   TAASECXC3     *PGM       CLP         TAASECXC3     QATTCL
   TAASECXC4     *PGM       CLP         TAASECXC4     QATTCL
   TAASECXC5     *PGM       CLP         TAASECXC5     QATTCL
   TAASECXC6     *PGM       CLP         TAASECXC6     QATTCL
   TAASECXC16    *PGM       CLP         TAASECXC16    QATTCL
   TAASECXR4     *PGM       RPG         TAASECXR4     QATTRPG
   TAASECXR6     *PGM       RPG         TAASECXR6     QATTRPG
   INZPWDP       *FILE      PF          TAASECXP      QATTDDS
   INZPWD        *DTAARA
   SETINZPWD     *DTAARA
   SETINZPWD     *USRSPC
   INZPWD2       *USRSPC

The  CL  programs  are  created  with  USRPRF(*OWNER).    The  TAASECEC
program used  is the  CPP for  RTVSPCAUT.   It is  called directly  and
does not invoke any user commands.

The   INZPWDP  file,   the  SETINZPWD/INZPWD   data   areas,  and   the
INZPWD/INZPWD2 user spaces are in TAASECURE.

Structure
---------

INZPWD      Cmd
   TAASECXC   CL pgm
      TAASECXC4  CL pgm  - Checks if record should occur to INZPWDP
        TAASECXR4  RPG pgm - Adds information to INZPWDP file

INZPWD2     Cmd
   TAASECXC2  CL pgm
      TAASECXC4  CL pgm  - Checks if record should occur to INZPWDP
        TAASECXR4  RPG pgm - Adds information to INZPWDP file
INZPWD3     Cmd
   TAASECXC3  CL pgm
      TAASECXC4  CL pgm  - Checks if record should occur to INZPWDP
        TAASECXR4  RPG pgm - Adds information to INZPWDP file

SETINZPWD   Cmd
   TAASECXC5  CL pgm - Sets job schedule entry for CHKINZPWD

CHKINZPWD   Cmd
   TAASECXC6  CL pgm
     TAASECXR6  RPG pgm - Reads INZPWDP and deletes some records
       TAASECXC16  CL pgm - Does RTVPWDSTS and CHGUSRPRF

Added to TAA Productivity tools April 1, 1995
