PWDRESET
5250 Green Screen Terminal Operation
 

This page covers the scenario where users connect to the IBM i system from 5250 green-screen workstations, via TELNET, or via a web terminal emulator.

1. Summary
2. Restrictions
3. Command PWDSERVE
4. Command PWDRESET
5. User login with OTP active
6. User login with 2FA active

1. Summary

  1. A Security Administrator runs command PWDSERVE to start a permanent job that services the user-profile change requests sent by the other commands.
  2. A Security Administrator runs command PWDRESET to reset a user profile's password to a One Time Password (OTP), optionally enabling the 2-Factor Authentication (2FA) feature for that profile.
  3. As soon as the user of that profile logs in, he is requested to enter the OTP and to replace it with a password of his choice.
  4. On every subsequent login he enters his password and, if the optional 2FA feature is enabled, a 5-digit code sent to him via SMS and/or e-mail message.

2. Restrictions
The following restrictions apply:

  1. The PWDRESET OTP and 2FA techniques can be used only for user profiles dedicated to a single person.
    Using OTP or 2FA for a user profile shared among a group of people makes no sense, since the OTP and the 2FA codes are sent to one person's e-mail address or mobile phone.

3. Command PWDSERVE
This command can be run only by a user profile of class *SECADM.
It submits a never-ending job named PWDSERVER to job queue QSYSNOMAX; the job runs under the user profile of the submitting job and executes the user-profile change requests it receives.
It is highly recommended to have this job started daily by a job schedule entry (commands ADDJOBSCDE and WRKJOBSCDE), so that the server is restarted whenever it has ended. Note that a scheduled PWDSERVE, and therefore the PWDSERVER job, runs under the user profile named in the schedule entry (USER parameter of ADDJOBSCDE), which must satisfy the same *SECADM requirement.

4. Command PWDRESET

                 Reset usrprf password with OTP (PWDRESET)
                                                                                
 Type choices, press Enter.                                                     
                                                                                
 User profile . . . . . . . . . .  USRPRF     ABC           Name
 Length of the OTP password . . .  PWDLEN     8             5-10
 Person name  . . . . . . . . . .  USRNAME    'Jean Martin'                     
       
 User e-mail address  . . . . . .  EMAIL      j98martin@yahoo.com               
                                                                                
          
 Mobile phone:                     PHONE
   Country phone prefix . . . . .             33            Number
   Phone number . . . . . . . . .             0676788789          
 2-Factor authenticated logon . .  LOGON2F    *YES          *YES, *NO, *SAME
               
Figure 1 - Command PWDRESET
This command can only be run from a user profile with *SECADM special authority.
This command is used to:
  1. Assign a One Time Password (OTP) to a given user profile. The user must then log on with the OTP and provide his new password.
    Communicating the OTP to the user:
    • The OTP is displayed in a completion message once command PWDRESET ends. Treat that message as sensitive: until the user replaces it, the OTP is a valid password for the profile.
    • The OTP is also sent to the user in the following ways:
      1. E-mail message - the following requirements apply:
        • The MMAIL utility must include command EMLPTUMSG.
        • File PWDRESETDT/SENDERADDR must contain a single record specifying the sender e-mail address to be used in all e-mail messages.
        • Easy400.net utility MMAIL must have been properly installed and tested by sending e-mail messages from that sender address to the e-mail addresses of the users.
      2. SMS message - the following requirements apply:
        • Easy400.net utility MMAIL must have been properly installed.
        • The MMAIL SMS Clickatell support feature must have been installed (as documented in the MMAIL Developer Guide, page "MMAIL integration of Clickatell SMS service").
        • As the PWDRESET programs send SMS messages through command MMAIL/CLICKAT2, the CLICKA2INT database requirement must be fulfilled (see point 6 in the same page).
  2. Enable 2-Factor Authentication (2FA) login. This optional feature implements a special login procedure for the given user profile.
    Once the user has logged in and replaced the OTP with a new password of his choice,
    • on every later login the user is additionally requested to enter a 5-digit code sent to his e-mail address or to his mobile phone number.
      Note: a user profile using the 2-Factor Authentication (2FA) feature may later disable it through a special parameter of command PWDRESET/CHGPWD.
User profile (USRPRF) - The name of the user profile whose password is to be reset to an OTP.
Length of the OTP password (PWDLEN) - The number of characters in the new OTP. It ranges from 5 to 10 and defaults to 8.
Person name (USRNAME) - The name of the person to whom the user profile entered in parameter USRPRF belongs.
User e-mail address (EMAIL) (Optional) - The e-mail address of this user. It is needed to send the OTP (and the 2FA codes) to the user's e-mail address.
Mobile phone (PHONE) (Optional) - The phone number (international country prefix plus phone number). It is needed to send the OTP (and the 2FA codes) to the user's mobile phone via SMS. The SMS requirements listed above (MMAIL, its Clickatell support feature and the CLICKA2INT database) apply.
2-Factor authenticated logon (LOGON2F) - Whether the 2-Factor Authentication (2FA) logon procedure should be enabled for this user profile (*YES, *NO, or *SAME to leave the current setting unchanged).

The following is returned when the above PWDRESET command is executed:
      The new password for user profile ABC is "TXKI1FWB".
      An e-mail message was sent to the e-mail address of user profile ABC.    
      An SMS was sent to phone number 330676788789.

Note - Command PWDRESET also executes a PWDSERVE command.

5. User login with OTP active
A user logging in with the assigned One Time Password receives the following screen:

                         Update One Time Password (OTP)                         
                                                                  
 User profile  . . . . . . . . . . . . . . :  ABC

 Type choices, press Enter.                                       
                                                                  
   Current password  . . . . . . . . . . . .  __________
   New password  . . . . . . . . . . . . . .  __________
   New password (to verify)  . . . . . . . .  __________
                                                                  
 Session will end after password change.                          
                                                                  
   Other user profile data:                                       
    - person name  . . . . . . . . . . . . .  Jean Martin

    - e-mail address . . . . . . . . . . . .  j98martin@yahoo.com

    - mobile phone number  . . . . . . . . .  33 0676788789
    - 2-factor authentication option . . . .  *YES  *YES, *NO

 F3=Signoff  F14=Disp passwords
               
Figure 2 - Logging in with the OTP
The user must re-enter his OTP and type a new password of his choice twice (the password fields have the "non display" attribute; F14 shows them).
He may also enable or disable the 2-Factor Authentication (2FA) feature for this profile.
When the Enter key is pressed, the 5250 session ends and the user must sign on again with his new password.

6. User login with 2FA active
A user logging in with a user profile for which the 2-Factor Authentication (2FA) feature is enabled receives the following screen:

                            2_Factor Authentication                            
                                                                               
 User profile  . . . .  ABC                                                    
                                                                               
 Person name . . . . .  Jean Martin                                            
 Mobile phone number .  33 0676788789                                          
 E-mail address  . . .  j98martin@yahoo.com
                                                                               
                                                                               
 To make sure that you are the right person signing in, a code will be sent to 
 the above phone number or to the above e-mail address                         
 You must then enter on this screen the code you received                      
                                                                               
 -Press F5 to send the code to the above phone number                          
 -Press F6 to send the code to the above e-mail address                        
                                                                               
                                                                               
 F3=Signoff  F5=Send code to phone  F6=Send code to e-mail address
               
Figure 3 - 2FA logging in - part 1

The user chooses whether to receive the random 5-digit code by SMS or by e-mail message (SMS is faster).
After pressing F5 or F6, the user receives the following screen:
                            2_Factor Authentication                            

 User profile  . . . .  ABC

 Person name . . . . .  Jean Martin
 Mobile phone number .  33 0676788789
 E-mail address  . . .  j98martin@yahoo.com

 An authentication code was sent to
 phone number 33 0676788789
 
 Type the received authentication code and press Enter
          authentication code . . .       


 F3=Signoff   F12=Another authentication code
               
Figure 4 - 2FA logging in - part 2

After the user enters the received 5-digit authentication code and presses the Enter key, the logon process completes and control passes to the user profile's initial program or menu.
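The following Python model is added here as an illustration of the flow described in sections 4 to 6; it is not code from the Easy400 PWDRESET utility and says nothing about how that utility is implemented. It walks through the same steps: PWDRESET assigns a random OTP of PWDLEN characters drawn from uppercase letters and digits (as in the "TXKI1FWB" example), the first sign-on with the OTP leads to the Update OTP screen where the OTP is re-entered and replaced, and with LOGON2F(*YES) every later sign-on also needs a fresh 5-digit code requested with F5/F6 (or F12 for another one). The class and method names, the limit of three guesses per code, the voiding of an earlier code when another is requested, the single-use handling of OTP and code, and the constant-time comparisons are the editor's assumptions about how such a flow should behave; the page does not describe the utility's storage or validity rules.

```python
"""Model of the PWDRESET / 2FA sign-on flow (added illustration, not the
utility's own code).  Flow: PWDRESET assigns a one-time password (OTP); the
user signs on with it, re-enters it on the Update OTP screen and replaces it;
with LOGON2F(*YES) every later sign-on also needs a fresh 5-digit code."""
import hmac
import secrets
import string
from typing import Optional

OTP_ALPHABET = string.ascii_uppercase + string.digits  # as in the "TXKI1FWB" example
MAX_CODE_ATTEMPTS = 3  # assumption: the page states no retry limit for the 2FA code


def make_otp(length: int = 8) -> str:
    """Random OTP of PWDLEN characters (the command accepts 5-10, default 8)."""
    if not 5 <= length <= 10:
        raise ValueError("PWDLEN must be between 5 and 10")
    return "".join(secrets.choice(OTP_ALPHABET) for _ in range(length))


def make_2fa_code() -> str:
    """Random, zero-padded 5-digit authentication code."""
    return f"{secrets.randbelow(100_000):05d}"


def _equal(a: str, b: str) -> bool:
    """Constant-time comparison so the check does not leak how many characters matched."""
    return hmac.compare_digest(a.encode(), b.encode())


class UserProfile:
    """State of one user profile.  Secrets are kept in clear only to keep the
    model short; a real implementation stores hashes (assumption)."""

    def __init__(self, name: str, logon2f: bool):
        self.name = name
        self.logon2f = logon2f                   # LOGON2F(*YES) / LOGON2F(*NO)
        self.password: Optional[str] = None      # chosen by the user on the Update OTP screen
        self.otp: Optional[str] = None           # pending OTP while a reset is outstanding
        self.pending_code: Optional[str] = None  # outstanding 2FA code, if any
        self.code_attempts = 0

    # Administrator side: command PWDRESET.
    def pwdreset(self, pwdlen: int = 8) -> str:
        self.otp = make_otp(pwdlen)
        self.password = None          # the previous password stops working
        self.pending_code = None
        return self.otp               # shown in the completion message and sent by e-mail/SMS

    # Sign-on screen.  Returns where the session goes next.
    def signon(self, password: str, code: Optional[str] = None) -> str:
        if self.otp is not None:      # reset outstanding: only the OTP is accepted
            return "CHANGE_OTP" if _equal(password, self.otp) else "DENIED"
        if self.password is None or not _equal(password, self.password):
            return "DENIED"
        if not self.logon2f:
            return "OK"
        if code is None:
            return "NEED_CODE"        # the 2-Factor Authentication screen (Figure 3)
        return "OK" if self.check_code(code) else "DENIED"

    # Update One Time Password (OTP) screen (Figure 2).
    def change_otp(self, current: str, new: str, verify: str) -> bool:
        if self.otp is None or not _equal(current, self.otp):
            return False              # the OTP must be re-entered as current password
        if not new or new != verify or _equal(new, self.otp):
            return False              # typed twice, and the OTP itself is not a valid choice
        self.password = new
        self.otp = None               # single use: the OTP is consumed here
        return True

    # F5 / F6 send a code; F12 asks for another one, which voids the previous code.
    def send_code(self) -> str:
        self.pending_code = make_2fa_code()
        self.code_attempts = 0
        return self.pending_code      # handed to the SMS or e-mail sender in the real flow

    # Second factor: one code, accepted once, at most MAX_CODE_ATTEMPTS guesses.
    def check_code(self, code: str) -> bool:
        if self.pending_code is None:
            return False
        self.code_attempts += 1
        ok = _equal(code, self.pending_code)
        if ok or self.code_attempts >= MAX_CODE_ATTEMPTS:
            self.pending_code = None  # consumed, or too many wrong guesses: a new code is needed
        return ok


if __name__ == "__main__":
    abc = UserProfile("ABC", logon2f=True)
    otp = abc.pwdreset(8)
    print("OTP for ABC:", otp, "->", abc.signon(otp))            # CHANGE_OTP
    print("replace OTP:", abc.change_otp(otp, "Winter!2024", "Winter!2024"))
    print("password only:", abc.signon("Winter!2024"))           # NEED_CODE
    code = abc.send_code()                                       # F5 or F6
    print("password + code:", abc.signon("Winter!2024", code))   # OK
    print("code reused:", abc.signon("Winter!2024", code))       # DENIED
```

The model deliberately refuses the OTP as a normal password, refuses the OTP as the new password, and discards a 2FA code as soon as it is accepted, so that a code captured from an SMS or mailbox cannot be replayed; a real deployment would add an expiry time to both the OTP and the code, which the page does not specify.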
