This page covers the scenario where users connect to the IBM i system through 5250 green-screen workstations, TELNET, or a web terminal emulator, that is, through an interactive sign-on.
1. Summary
- A Security Administrator runs command PWDSERVE to start a permanent job that services the user-profile change requests sent by the other commands.
- A Security Administrator runs command PWDRESET to reset the password of a user profile to a One Time Password (OTP),
optionally enabling the 2-Factor Authentication (2FA) feature for that profile.
- As soon as the user of that profile signs on, he is asked to enter the OTP and to replace it with a password of his choice.
- On every subsequent sign-on he enters his password and, if the optional 2FA feature is enabled, a 5-digit code sent to him via SMS and/or e-mail.
2. Restrictions
The following restrictions apply:
- The PWDRESET OTP and 2FA techniques can be used only for user profiles dedicated to a single person.
Using OTP or 2FA for a user profile shared among a group of people makes no sense, as the OTP and the 2FA codes reach only one person's mailbox or phone.
3. Command PWDSERVE
This command can be run only by a user profile with *SECADM special authority.
It submits to job queue QSYSNOMAX a never-ending job named PWDSERVER, which runs under the user profile of the submitting job.
This job executes the user-profile change requests it receives.
It is highly recommended to have this job started daily through a job schedule entry (command WRKJOBSCDE), so that the server is back in place after an IPL or an abnormal end of the job.
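A job schedule entry that starts the server every day, added here as an example; it is not part of the utility's own documentation. It assumes that command PWDSERVE resides in library PWDRESET, like the utility's programs, and that SECADMIN is an existing user profile holding *SECADM special authority; both names are assumptions.

```cl
/* Added example (not the utility's code). Assumed names: library PWDRESET,   */
/* user profile SECADMIN. The scheduled job runs under USER(SECADMIN); since  */
/* PWDSERVER inherits the user profile of the submitting job, that profile    */
/* must hold *SECADM special authority or PWDSERVE will fail.                 */
/* FRQ(*WEEKLY) with SCDDAY(*ALL) is the scheduler's way of saying "daily";   */
/* SCDDATE must then be *NONE.                                                */
ADDJOBSCDE JOB(STRPWDSRV) +
           CMD(PWDRESET/PWDSERVE) +
           FRQ(*WEEKLY) SCDDATE(*NONE) SCDDAY(*ALL) SCDTIME(000500) +
           USER(SECADMIN) +
           TEXT('Start the PWDRESET server job daily at 00:05')

/* Check the entry and the date of its next submission */
WRKJOBSCDE JOB(STRPWDSRV)
```

The entry only has to run the command: PWDSERVE itself submits PWDSERVER to QSYSNOMAX. After the entry has run for the first time, check with WRKACTJOB that a single PWDSERVER job is active, since the utility is designed around one permanent server job.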
4. Command PWDRESET
This command can only be run from an user profile with *SECADM special authority.
This command is used to:
- Provide a One Time Password (OTP) to a given user profile.
The user profile must have:
- an initial program (CHGUSRPRF INLPGM(xxx)), and/or
- an initial menu (CHGUSRPRF INLMNU(yyy)).
The command prompt looks as follows:
Reset usrprf password with OTP (PWDRESET)
Type choices, press Enter.
User profile . . . . . . . . . . URSPRF ABC Name
Length of the OTP password . . . PWDLEN 8 5-20
Person name . . . . . . . . . . USRNAME 'Jean Martin'
User e-mail address . . . . . . EMAIL j98martin@yahoo.com
Mobile phone: PHONE
Country phone prefix . . . . . 33 Number
Phone number . . . . . . . . . 0676788789
2-Factor authenticated logon . . LOGON2F *YES *YES, *NO, *SAME
Figure 1 - Command PWDRESET
Note - Command PWDRESET also executes a PWDSERVE command.
- Command parameters:
- User profile (USRPRF) - The name of the user profile whose password is to be reset with an OTP.
- Length of the OTP password (PWDLEN) - The number of characters in the new OTP password. It ranges from 5 to 10 and defaults to 8 (the prompt in Figure 1 shows 5-20). Whatever value is chosen must be acceptable to the system: at password level QPWDLVL 0 or 1 a password cannot exceed 10 characters.
- User name (USRNAME) - The name of the person related to the user profile entered in parameter USRPRF.
- User e-mail address (EMAIL) (Optional) - The e-mail address of this user.
This is needed to send the OTP password to the e-mail address of the user.
- Mobile phone (PHONE) (Optional) - The phone number (international country prefix plus phone number).
This is needed to send the OTP password to the user's mobile phone via SMS.
The requirements for sending SMS messages are listed below, under "Communicating the OTP password to the user".
- Changes performed to the user profile
Command PWDRESET replaces the initial program of the user profile with program PWDRESET/CHGPWD.
This is done to force the user to replace the PWDRESET OTP password with a password of his choice at his first sign-on.
The original initial program name and library are saved in an internal file of the utility (command RSTUSRPARM restores them).
Two consequences of this design should be kept in mind:
- An initial program runs only at interactive sign-on. Connections through the host servers (FTP, ODBC, SSH and the like) do not run it, so the OTP change and the 2FA check described below do not apply to them.
- A user profile with LMTCPB(*NO) can type a different program name in the "Program/procedure" field of the sign-on display and so skip CHGPWD or AUTH2FUSER altogether. Profiles handled by PWDRESET should have LMTCPB(*PARTIAL) or LMTCPB(*YES), which lock the initial program on the sign-on display.
- The following messages are returned when the PWDRESET command shown above is executed:
The new password for user profile ABC is "TXKI1FWB".
An e-mail message was sent to the e-mail address of user profile ABC.
A SMS was sent to phone number 330676788789.
Note that the OTP is also displayed in clear to the administrator, and that it remains the password of the profile until the user replaces it at his first sign-on.
- Communicating the OTP password to the user
The OTP password is communicated to the user in the following ways:
- E-mail message - The following requirements are needed:
- The MMAIL utility must include command EMLPTUMSG.
- File PWDRESETDT/SENDERADDR must contain a single record specifying the sender e-mail address to be used in all e-mail messages.
- Easy400.net utility MMAIL must have been properly installed and tested by sending
e-mail messages from such sender address to the e-mail addresses of the users.
- SMS message - Provided that following requirements are met:
- Easy400.net utility MMAIL must have been properly installed
- The MMAIL SMS Clickatell support feature must have been installed
(as documented in the MMAIL Developer Guide, page "MMAIL integration of Clickatell SMS service").
- As command MMAIL/CLICKAT2 is used by the PWDRESET programs to send SMS messages,
the CLICKA2INT database requirement must be met
(see point 6 of that same page).
- Support for 2-Factor Authentication (2FA) login.
This is an optional feature, implementing a special sign-on procedure for a given user profile.
Once the user has signed on and replaced the OTP password with a new password of his choice,
at every subsequent sign-on he is additionally asked to enter a 5-digit code sent to his e-mail address or to his mobile phone number.
Note: A user profile using this 2-Factor Authentication (2FA) feature may later disable it through a special parameter in command PWDRESET/CHGPWD.
- 2-Factor authenticated logon (LOGON2F) - Whether the 2-Factor Authenticated (2FA) logon should be enforced for this user profile (*YES, *NO, or *SAME to leave the current setting unchanged).
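The whole procedure of this section, from the prerequisite checks to the reset and its verification, as a CL program. This is an added example, not code from the PWDRESET utility. It assumes that command PWDRESET resides in library PWDRESET, that its USRNAME, EMAIL and PHONE parameters accept character values as shown in Figure 1, and that the caller holds *SECADM special authority; PWDRST1 is an assumed program name. RTVUSRPRF, RTVMBRD, CHGUSRPRF and message CPF9898 are standard IBM i facilities.

```cl
/* PWDRST1 - added example, not part of the PWDRESET utility.                   */
/* Assumed: command PWDRESET is in library PWDRESET; USRNAME, EMAIL and PHONE   */
/* take character values; the caller has *SECADM special authority.             */
/* Character parameters are declared LEN(32) because CALL pads character        */
/* literals shorter than 32 bytes to 32 bytes; longer values would be truncated.*/
             PGM        PARM(&USRPRF &USRNAME &EMAIL &PHONE)
             DCL        VAR(&USRPRF)  TYPE(*CHAR) LEN(10)
             DCL        VAR(&USRNAME) TYPE(*CHAR) LEN(32)
             DCL        VAR(&EMAIL)   TYPE(*CHAR) LEN(32)
             DCL        VAR(&PHONE)   TYPE(*CHAR) LEN(32)
             DCL        VAR(&STATUS)  TYPE(*CHAR) LEN(10)
             DCL        VAR(&LMTCPB)  TYPE(*CHAR) LEN(10)
             DCL        VAR(&INLPGM)  TYPE(*CHAR) LEN(10)
             DCL        VAR(&INLLIB)  TYPE(*CHAR) LEN(10)
             DCL        VAR(&NBRRCD)  TYPE(*DEC)  LEN(10 0)

 /* 1. Prerequisite for the OTP e-mail: exactly one sender-address record.   */
             RTVMBRD    FILE(PWDRESETDT/SENDERADDR) NBRCURRCD(&NBRRCD)
             MONMSG     MSGID(CPF0000) EXEC(CHGVAR VAR(&NBRRCD) VALUE(0))
             IF         COND(&NBRRCD *NE 1) THEN(DO)
               SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                            MSGDTA('SENDERADDR must contain exactly one record')
             ENDDO

 /* 2. The profile must exist and be enabled; LMTCPB is fetched for step 3.  */
             RTVUSRPRF  USRPRF(&USRPRF) STATUS(&STATUS) LMTCPB(&LMTCPB)
             MONMSG     MSGID(CPF0000) EXEC(DO)
               SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                            MSGDTA('User profile' *BCAT &USRPRF *BCAT 'not found')
             ENDDO
             IF         COND(&STATUS *NE '*ENABLED') THEN(DO)
               SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                            MSGDTA('User profile' *BCAT &USRPRF *BCAT 'is disabled')
             ENDDO

 /* 3. Hardening: with LMTCPB(*NO) the user could enter another program on   */
 /*    the sign-on display and bypass CHGPWD and AUTH2FUSER; *PARTIAL locks  */
 /*    the initial program while still allowing a command line.              */
             IF         COND(&LMTCPB *EQ '*NO') THEN(DO)
               CHGUSRPRF  USRPRF(&USRPRF) LMTCPB(*PARTIAL)
             ENDDO

 /* 4. Reset to an 8-character OTP and enable 2FA. PHONE is a two-element    */
 /*    list: country prefix (33 = France, as in Figure 1) and number.        */
             PWDRESET   USRPRF(&USRPRF) PWDLEN(8) USRNAME(&USRNAME) +
                          EMAIL(&EMAIL) PHONE(33 &PHONE) LOGON2F(*YES)

 /* 5. Verify that the initial program was really replaced by CHGPWD.        */
             RTVUSRPRF  USRPRF(&USRPRF) INLPGM(&INLPGM) INLPGMLIB(&INLLIB)
             IF         COND((&INLPGM *NE 'CHGPWD') *OR +
                              (&INLLIB *NE 'PWDRESET')) THEN(DO)
               SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                            MSGDTA('Initial program of' *BCAT &USRPRF *BCAT +
                                   'is not PWDRESET/CHGPWD')
             ENDDO
             SNDPGMMSG  MSG('OTP reset done for' *BCAT &USRPRF) MSGTYPE(*COMP)
             ENDPGM
```

Compile with CRTCLPGM and run it as CALL PGM(PWDRST1) PARM('ABC' 'Jean Martin' 'j98martin@yahoo.com' '0676788789'); the profile name must be given in upper case and the e-mail address must be quoted so that CL keeps its case. A profile that is authorized to run CHGUSRPRF against itself can remove the initial program again, so such profiles are poor candidates for this mechanism whatever LMTCPB says.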
5. User logging in with the communicated OTP password
A user signing on with the assigned One Time Password receives the following screen:
Update One Time Password (OTP)
User profile . . . . . . . . . . . . . . : ABC
Type choices, press Enter. Session will end after password change.
....+....1....+....2
Current password . . . . . . . . . . . . ____________________
New password . . . . . . . . . . . . . . ____________________
New password (to verify) . . . . . . . . ____________________
Other user profile data:
- person name . . . . . . . . . . . . . Jean Martin
- e-mail address . . . . . . . . . . . . j98martin@yahoo.com
- mobile phone number . . . . . . . . . 33 0676788789
- 2-factor authentication option . . . . *YES *YES, *NO
F3=Signoff F14=Disp passwords
Figure 2 - OTP sign-on
The user must re-enter his OTP password and enter twice a new password of his choice (the password fields have the "non display" attribute).
He may also enable or disable the 2-Factor Authentication (2FA) feature for this profile.
When the Enter key is pressed,
- The user profile password is updated with the user-specified new value.
- The user profile initial program is replaced by program PWDRESET/AUTH2FUSER.
This is the program that implements the 2-factor authentication when the user signs on with his new password.
6. User logging in with his new password
Initial program PWDRESET/AUTH2FUSER sends out this screen:
2-Factor Authentication
User profile . . . . ABC
Person name . . . . . Jean Martin
Mobile phone number . 33 0676788789
E-mail address . . . j98martin@yahoo.com
To make sure that you are the right person signing in, a code will be sent to
the above phone number or to the above e-mail address.
You must then enter on this screen the code you received.
-Press F5 to send the code to the above phone number
-Press F6 to send the code to the above e-mail address
F3=Signoff F5=Send code to phone F6=Send code to e-mail address
Figure 3 - 2FA sign-on - part 1
The user may decide to receive either an SMS or an e-mail message (SMS is usually faster) containing a random 5-digit code.
After pressing F5 or F6, the user receives the following screen:
2-Factor Authentication
User profile . . . . ABC
Person name . . . . . Jean Martin
Mobile phone number . 33 0676788789
E-mail address . . . j98martin@yahoo.com
An authentication code was sent to
phone number 33 0676788789
Type the received authentication code and press Enter
authentication code . . .
F3=Signoff F12=Another authentication code
Figure 4 - 2FA sign-on - part 2
After entering the received 5-digit authentication code and pressing the Enter key, the 2-Factor authentication process is completed.
Program PWDRESET/AUTH2FUSER then calls the original initial program or initial menu of the user profile.
7. Command RSTUSRPARM
Run this command to disable the PWDRESET 2-Factor Authentication feature for a given user profile and to give it back its original initial program.
Rst usrprf original parameters (RSTUSRPARM)
Type choices, press Enter.
User profile . . . . . . . . . . __________ Name, *ALL
Figure 5 - Removing the 2FA feature from a given user profile
Either enter a single user profile name, or enter *ALL to remove the 2FA feature from all user profiles currently having it.