AS/400 User Profile

Tags: AS/400, AS/400 user profiles
A particular user profile is getting disabled often, and the user has not logged on during that time. Is someone trying to log on using that ID, or is there some other reason behind it? Please advise.

Answer Wiki

Most likely it is being disabled after x number of attempts.
They can be from any device. Try the following:

WRKSYSVAL SYSVAL(*SEC) OUTPUT(*PRINT)
These are the values I would be looking at:

QMAXSIGN
QMAXSGNACN
QSECURITY

Discuss This Question: 15  Replies

 
  • pdraebel
    If you have set up System Auditing, you can extract the 'PW' (password violation) entries from the audit journals and find out from which IP the invalid passwords were entered. If System Auditing is not activated, check out how to set it up.
  • JDroke
    If you have auditing turned on, you can do this to see failed attempts to log on...

    DSPAUDJRNE ENTTYP(PW)       
               USRPRF(USERNAME) 
               JRNRCV(*CURCHAIN)
               OUTPUT(*)        

    ...replace USERNAME with the actual user name.
  • pdraebel
    In order to see the IP you have to use the CPYAUDJRNE command; DSPAUDJRNE will only show the Workstation Name. Of course that could also help. It could also be that the person entering the wrong passwords is operating from the original user's workstation at times when the person is not at the office. Maybe some prank played on the user. Perhaps giving the user a new profile only known to himself to stop the pest.
  • Gayathri123
    Sorry, Team. I missed providing some important logs. The QMAXSIGN value is 3 and the action is to disable the profile after 3 failed attempts. The QSECOFR user profile is getting disabled without anyone using it. Is this because of some job, or is someone trying to log in using this profile? Here are the logs:

     5770SS1 V7R1M0 100423                                   History Log                 POC01    31/03/17 13:04:40        Page  0001
    MSGID    SEV MSG TYPE
    CPIAD0B  00  INFO         *SIGNON server job 297135/QUSER/QZSOSIGN processing request for user Q11111111 on 29/03/17 19:51:24 in su
                          QZSOSIGN   QUSER      297135 QZSOSIGN     0000 29/03/17 19:51:24.529383 QUSER
    CPIAD0B  00  INFO         *SIGNON server job 297135/QUSER/QZSOSIGN processing request for user Q22222222 on 29/03/17 19:51:24 in su
                          QZSOSIGN   QUSER      297135 QZSOSIGN     0000 29/03/17 19:51:24.839296 QUSER
    CPIAD0B  00  INFO         *SIGNON server job 297135/QUSER/QZSOSIGN processing request for user IBM on 29/03/17 19:51:25 in subsyste
                          QZSOSIGN   QUSER      297135 QZSOSIGN     0000 29/03/17 19:51:25.001010 QUSER
    CPIAD0B  00  INFO         *SIGNON server job 297135/QUSER/QZSOSIGN processing request for user IBM on 29/03/17 19:51:25 in subsyste
                          QZSOSIGN   QUSER      297135 QZSOSIGN     0000 29/03/17 19:51:25.157141 QUSER
    CPIAD0B  00  INFO         *SIGNON server job 297135/QUSER/QZSOSIGN processing request for user IBM on 29/03/17 19:51:25 in subsyste
                          QZSOSIGN   QUSER      297135 QZSOSIGN     0000 29/03/17 19:51:25.285991 QUSER
    CPIAD0B  00  INFO         *SIGNON server job 297135/QUSER/QZSOSIGN processing request for user QDBSHR on 29/03/17 19:51:25 in subsy
                          QZSOSIGN   QUSER      297135 QZSOSIGN     0000 29/03/17 19:51:25.407102 QUSER
    CPIAD0B  00  INFO         *SIGNON server job 297135/QUSER/QZSOSIGN processing request for user QDFTOWN on 29/03/17 19:51:25 in subs
                          QZSOSIGN   QUSER      297135 QZSOSIGN     0000 29/03/17 19:51:25.542376 QUSER
    CPIAD0B  00  INFO         *SIGNON server job 297135/QUSER/QZSOSIGN processing request for user QDOC on 29/03/17 19:51:25 in subsyst
                          QZSOSIGN   QUSER      297135 QZSOSIGN     0000 29/03/17 19:51:25.684484 QUSER
    CPIAD0B  00  INFO         *SIGNON server job 297135/QUSER/QZSOSIGN processing request for user QDSNX on 29/03/17 19:51:25 in subsys
                          QZSOSIGN   QUSER      297135 QZSOSIGN     0000 29/03/17 19:51:25.810989 QUSER
    CPIAD0B  00  INFO         *SIGNON server job 297135/QUSER/QZSOSIGN processing request for user QFNC on 29/03/17 19:51:25 in subsyst
                          QZSOSIGN   QUSER      297135 QZSOSIGN     0000 29/03/17 19:51:25.930649 QUSER
    CPIAD0B  00  INFO         *SIGNON server job 297135/QUSER/QZSOSIGN processing request for user QGATE on 29/03/17 19:51:26 in subsys
                          QZSOSIGN   QUSER      297135 QZSOSIGN     0000 29/03/17 19:51:26.049791 QUSER
    CPIAD0B  00  INFO         *SIGNON server job 297135/QUSER/QZSOSIGN processing request for user QLPAUTO on 29/03/17 19:51:26 in subs
                          QZSOSIGN   QUSER      297135 QZSOSIGN     0000 29/03/17 19:51:26.163699 QUSER
    CPIAD0B  00  INFO         *SIGNON server job 297135/QUSER/QZSOSIGN processing request for user QLPINSTALL on 29/03/17 19:51:26 in s
                          QZSOSIGN   QUSER      297135 QZSOSIGN     0000 29/03/17 19:51:26.295551 QUSER
    CPIAD0B  00  INFO         *SIGNON server job 297135/QUSER/QZSOSIGN processing request for user QPGMR on 29/03/17 19:51:26 in subsys
                          QZSOSIGN   QUSER      297135 QZSOSIGN     0000 29/03/17 19:51:26.421172 QUSER
    CPIAD0B  00  INFO         *SIGNON server job 297135/QUSER/QZSOSIGN processing request for user QSECOFR on 29/03/17 19:51:26 in subs
                          QZSOSIGN   QUSER      297135 QZSOSIGN     0000 29/03/17 19:51:26.578068 QUSER
    CPIAD0B  00  INFO         *SIGNON server job 297135/QUSER/QZSOSIGN processing request for user QSECOFR on 29/03/17 19:51:26 in subs
                          QZSOSIGN   QUSER      297135 QZSOSIGN     0000 29/03/17 19:51:26.688346 QUSER
    CPIAD0B  00  INFO         *SIGNON server job 297135/QUSER/QZSOSIGN processing request for user QSECOFR on 29/03/17 19:51:26 in subs
                          QZSOSIGN   QUSER      297135 QZSOSIGN     0000 29/03/17 19:51:26.809054 QUSER
    CPF1393  70  INFO         User profile QSECOFR has been disabled.
                          QZSOSIGN   QUSER      297135 QSYSGNON     0000 29/03/17 19:51:26.823105 QUSER
    CPF1124  00  INFO         Job 297467/QTCP/QTFTP00090 started on 29/03/17 at 19:51:56 in subsystem QSYSWRK in QSYS. Job entered syst
                          QTFTP00090 QTCP       297467 QWTPIIPP     0000 29/03/17 19:51:56.568242 QTCP



    Best Regards,
    Gayathri
  • pdraebel
    This is looking like someone or something is trying to log on using IBM-supplied user profiles. This looks suspect to me, like someone is trying to get into your system. Most of the Q* user profiles should have their password set to *NONE. For QSYSOPR and QSECOFR profiles you should designate/create a profile that has identical capabilities and stop using the QSYSOPR and QSECOFR profiles during day-to-day jobs.
    Auditing can help you get more info on the source of the logons.
  • ToddN2000
    I agree that QSECOFR should be looked at. Someone may be trying to take control or change your system without your knowledge. Take the advice of turning on auditing until you get this issue resolved. What looks suspicious is it tries 3 times and then gets disabled all with the same timestamp (on 29/03/17 19:51:26 in subs ). This makes me think it's an automated process. Check to see what jobs may be running at that time.
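
One way to turn the observations in the replies above (many IBM-supplied profiles requested through a single signon server job within about a second, then a disable) into a repeatable check over a printed history log. This is an added example, not code from any poster; the sample is constructed in the layout of the posted log, and the `min_profiles` and `window_s` thresholds are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the two-line layout of the history log posted above.
SAMPLE = """\
CPIAD0B  00  INFO  *SIGNON server job 297135/QUSER/QZSOSIGN processing request for user QDOC on 29/03/17 19:51:25 in subsyst
            QZSOSIGN   QUSER      297135 QZSOSIGN     0000 29/03/17 19:51:25.684484 QUSER
CPIAD0B  00  INFO  *SIGNON server job 297135/QUSER/QZSOSIGN processing request for user QPGMR on 29/03/17 19:51:26 in subsys
            QZSOSIGN   QUSER      297135 QZSOSIGN     0000 29/03/17 19:51:26.421172 QUSER
CPIAD0B  00  INFO  *SIGNON server job 297135/QUSER/QZSOSIGN processing request for user QSECOFR on 29/03/17 19:51:26 in subs
            QZSOSIGN   QUSER      297135 QZSOSIGN     0000 29/03/17 19:51:26.578068 QUSER
CPIAD0B  00  INFO  *SIGNON server job 297135/QUSER/QZSOSIGN processing request for user QSECOFR on 29/03/17 19:51:26 in subs
            QZSOSIGN   QUSER      297135 QZSOSIGN     0000 29/03/17 19:51:26.688346 QUSER
CPIAD0B  00  INFO  *SIGNON server job 297135/QUSER/QZSOSIGN processing request for user QSECOFR on 29/03/17 19:51:26 in subs
            QZSOSIGN   QUSER      297135 QZSOSIGN     0000 29/03/17 19:51:26.809054 QUSER
CPF1393  70  INFO  User profile QSECOFR has been disabled.
            QZSOSIGN   QUSER      297135 QSYSGNON     0000 29/03/17 19:51:26.823105 QUSER
"""

HEAD = re.compile(r"^(CPIAD0B|CPF1393)\s.*?(?:request for user|User profile) (\w+)")
TAIL = re.compile(r"^\s+(\w+)\s+(\w+)\s+(\d{6})\s.*?(\d\d/\d\d/\d\d [\d:]+\.\d+)")

def parse(text):
    """Pair each message line with its detail line -> (time, job, msgid, profile)."""
    events, lines = [], text.splitlines()
    for head, tail in zip(lines, lines[1:]):
        h, t = HEAD.match(head.strip()), TAIL.match(tail)
        if h and t:
            when = datetime.strptime(t.group(4), "%d/%m/%y %H:%M:%S.%f")
            events.append((when, "/".join(t.group(3, 2, 1)), h.group(1), h.group(2)))
    return events

def sweeps(events, min_profiles=3, window_s=10.0):
    """Flag jobs that requested >= min_profiles distinct profiles within window_s."""
    by_job = defaultdict(list)
    for ev in events:
        by_job[ev[1]].append(ev)
    report = {}
    for job, evs in by_job.items():
        tries = [e for e in evs if e[2] == "CPIAD0B"]
        profiles = {e[3] for e in tries}
        if not tries or len(profiles) < min_profiles:
            continue
        span = (max(e[0] for e in tries) - min(e[0] for e in tries)).total_seconds()
        if span <= window_s:
            report[job] = {"attempts": len(tries), "profiles": sorted(profiles), "seconds": span,
                           "disabled": sorted({e[3] for e in evs if e[2] == "CPF1393"})}
    return report
```

The history log does not carry the client address, so a flagged job still has to be matched against the audit journal entries the replies mention to find the source.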
  • JDroke
    Looking at that job log - here is another question - has the QSECOFR password been changed recently? If so, it's possible that you have entered/saved it into some app that tries to connect to the 400 and it's getting disabled. I've seen this when a developer enters/saves the password in Data Studio.
  • ToddN2000
    Yes, that or built into a connection string. Not a good thing to do with the QSECOFR profile though, too much power in the wrong hands. Where I work only the department manager and operations manager have access to that profile. Even a senior developer with 17 years does not have access.
  • Gayathri123
    The password for QSECOFR user profile has not changed recently. I will check the jobs running at that time to find whether any automated job disabled the profile.
  • Gayathri123
    We have not changed the QSECOFR password recently. However I will check the automated jobs running at that time which could have disabled the profile.
  • TheRealRaven
    If that's an actual joblog, someone inside/outside your network is trying to penetrate your server, apparently with a tool/script that tries default or common passwords.

    Review your system audit journal with DSPJRN (not CPYAUDJRNE nor DSPAUDJRNE since those cut out necessary info for forensics; they're only good for general review). Look for JRNCDE((T)) ENTTYP(CP) rather than ENTTYP(PW) to see a disabled profile entry.

    There should be no jobs (other than IBM jobs) that need or use QSECOFR. QSECOFR should only be used (1) to create a couple local *SECOFR user profiles and (2) to follow instructions from IBM. (And other 'Q' profiles should be similar after following IBM recommendations for them.)
  • azohawk
    In my previous employment we had a number of jobs that utilized QSECOFR behind the scenes. They never had to be logged into but it was essential that QSECOFR was enabled. Do you have someone from outside (i.e. a vendor) that was given the profile/password in the past to perform legitimate transactions (just one idea)? I would run a trace (IBM can assist you with this if you are current on maintenance) to determine the IP address where attempted signons are coming from.
  • ToddN2000
    If you have remote or auto logins using QSECOFR you are looking for possible trouble. If someone is successful logging in and they change the password, they can lock you out of your system or worse. Losing your QSECOFR signon and not having any other profile with the authority needed to fix it can be a costly problem. We had it happen here where someone changed it and forgot what they did. We had to have IBM come in over a weekend and work their magic. It was not cheap from what I was told.
  • GregManzo
    A good idea here is to have QSECOFR password sealed in an envelope and locked in the safe to be used ONLY in emergencies, then have other profiles that have the necessary authorities (*ALLOBJ, *SECADM, etc.). Any 3rd party software that needs specific authorities, you create a profile specifically for that software. If you have multiple 3rd party packages you create multiple profiles (typically named after the package or the vendor) - any problems will be limited to that package, and you will know who to blame.
  • TheRealRaven
    No 3rd-party software ever needs to know a QSECOFR password. GregManzo is right on how it should be done. Beyond knowing who to blame, it also helps in protecting everyone else. Any user or vendor who claims QSECOFR access is required needs to be thoroughly vetted; they are missing some fundamental knowledge. IBM is the exception. Only IBM should ever need actual QSECOFR use, and even then the password could be temporarily changed.
