iSeries – Can I have a program that can read QSYSOPR msgq and execute a pgm?

Tags:
AS/400
DataCenter
Hi there;

If QSECOFR is disabled, and I get the corresponding CPF1393 (thanks PaulThomas) message id in QSYSOPR, then:
- Is there a way to automatically re-enable it?
- Maybe by a PGM?
- I thought of a once a day to read QSYSOPR, search for CPF1393, if text contains QSECOFR, then reset it.

Is this what you would do?

Thanks to all
Bruno (aka Mutkey)
ASKED: September 13, 2005  1:59 AM
UPDATED: November 11, 2009  3:14 PM

Answer Wiki


Bruno,

First of all I would query who is using QSECOFR and why it is being disabled regularly (I presume it is, as you want to scan for the message on a daily basis).

As QSECOFR is the ultimate profile on the 400, I would strongly recommend you restrict its usage.

However, if for whatever reason you need to use it regularly and it is becoming frequently disabled, I would not go to the effort of writing a pgm; I would simply use a scheduler (IBM supplied, Robot, etc) to perform a CHGUSRPRF USRPRF(QSECOFR) STATUS(*ENABLED) on a pre-defined basis.

If QSECOFR is not disabled, nothing will change but if it is…..!!!

=====================================================

Automatic re-enablement of any profile other than perhaps a designated GUEST profile with strong controls is a seriously risky process. Any auditor who saw such a process should order it shut down immediately. Why have a disabling process if it’s simply going to be automatically re-enabled?

Any re-enablement should be wrapped in an appropriate challenge/response proc.

Further, for QSECOFR in particular, there is no point to it. It should be disabled and it should stay that way most of the time.

Tom

=====================================================================
I agree with the above comments as to investigating why QSECOFR is being disabled, but another option is to use Management Central, Message Monitors. You can set this up to monitor for the CPF message in QSYSOPR and it will execute a trigger program that could enable the QSECOFR profile.

Hope this helps,
Bill

Discuss This Question: 4  Replies

 
  • TheQuigs
    You can monitor any message queue by using a Break Handling exit program. Here's the URL for the V5R2 Information Center: http://publib.boulder.ibm.com/iseries/v5r2/ic2924/info/apis/XBREAK.htm and for the V5R3 Information Center: http://publib.boulder.ibm.com/iseries/v5r3/ic2924/info/apis/XBREAK.htm Then you would issue a CHGMSGQ QSYSOPR *BREAK PGM(yourlib/yourpgm)
  • JPLamontre
    If you reroute qsysopr msgq to a user program, you can have side effects when logging with qsecofr. For a sample of break-message receiver, look at http://jplamontre.free.fr/AS400/BRKMSG.htm. For a sample of regular-basis qsysopr inspection, look at my qsysopr supervisor http://jplamontre.free.fr/AS400/SurveillerQsysopr.htm
  • WoodEngineer
    Check out the Start Watch (STRWCH) command. It allows you to watch for specific messages and take an action of your choice. Once started, it just keeps running until you end it. One of the recent newsletters included a program to re-enable a user profile when disabled by watching for the exact message you mentioned. As suggested above, we use it to watch for a common user profile many people use to log into the system to enter their time. These folks can only do that one function so it is safe to auto re-enable the user profile. In your case, you could use the data retrieved to learn exactly when QSECOFR became disabled and who triggered it. As others have said, just re-enabling QSECOFR is not the answer. It is important to find out who is trying to use QSECOFR and stop them. Maybe someone has a script that tries to log on as QSECOFR with an old password. I don't know when STRWCH was introduced. We are running it on a V5R4 system.
  • Splat
    I'd suggest creating the QSYSMSG message queue in QSYS - messages about profiles being disabled will go there rather than to QSYSOPR. Monitoring that queue, either manually or via a program, would be easier. I would never set up a job to automatically re-enable QSECOFR - it's an invitation to trouble.
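A sketch of the break-handling program TheQuigs describes, written as an added example and not taken from any of the posts or linked pages. Following the replies that advise against automatic re-enablement, it notifies a security administrator instead of changing the profile. The recipient profile SECADMIN is hypothetical, and the %SCAN built-in is assumed to be available on the release in use.

```cl
/* Added example: break-handling program for QSYSOPR.                */
/* Installed as on the page:                                         */
/*   CHGMSGQ QSYSOPR *BREAK PGM(yourlib/yourpgm)                     */
/* SECADMIN is a hypothetical profile that receives the alert.       */
PGM        PARM(&MSGQ &MSGQLIB &MSGKEY)

  /* Parameters passed to a break-handling exit program */
  DCL        VAR(&MSGQ)    TYPE(*CHAR) LEN(10)   /* queue name      */
  DCL        VAR(&MSGQLIB) TYPE(*CHAR) LEN(10)   /* queue library   */
  DCL        VAR(&MSGKEY)  TYPE(*CHAR) LEN(4)    /* message key     */

  DCL        VAR(&MSGID)   TYPE(*CHAR) LEN(7)
  DCL        VAR(&MSG)     TYPE(*CHAR) LEN(132)
  DCL        VAR(&ALERT)   TYPE(*CHAR) LEN(200)

  /* Read the message that caused the break. RMV(*NO) leaves it in   */
  /* QSYSOPR so the operator and any later review still see it.      */
  RCVMSG     MSGQ(&MSGQLIB/&MSGQ) MSGKEY(&MSGKEY) RMV(*NO) +
               MSG(&MSG) MSGID(&MSGID)
  MONMSG     MSGID(CPF0000) EXEC(RETURN)

  /* Act only on CPF1393 whose text names QSECOFR, as the question   */
  /* proposes; every other message is ignored.                       */
  IF         COND(&MSGID *EQ 'CPF1393') THEN(DO)
    IF         COND(%SCAN('QSECOFR' &MSG) *GT 0) THEN(DO)
      CHGVAR     VAR(&ALERT) VALUE('QSECOFR disabled, investigate: ' +
                   *CAT &MSG)
      SNDMSG     MSG(&ALERT) TOUSR(SECADMIN)
      MONMSG     MSGID(CPF0000)
    ENDDO
  ENDDO

ENDPGM
```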
