5250 Green Screen Terminal Operation

This page is related to a scenario where users are connected to the IBMi box via 5250 green-screen workstations, via TELNET, or via WEB Terminal Emulator.

  1. Summary
  2. Restrictions
  3. Command PWDSERVE
  4. Command PWDRESET
  5. User login with the communicated OTP password
  6. User login with his new password
  7. Command RSTUSRPARM

1. Summary

  1. A Security Administrator runs command PWDSERVE to have a permanent job servicing user-profile change requests sent from the other commands.
  2. A Security Administrator runs command PWDRESET to reset a user-profile password with a One Time Password (OTP), optionally adding the 2-Factor Authentication (2FA) feature.
  3. The user of the user profile, as soon as he logs in, is requested to enter the OTP and to replace it with a password of his choice.
  4. On all subsequent logins, he will have to enter his password and, if the optional 2FA feature is enabled, enter a 5-digit code sent to him via SMS and/or e-mail message.

2. Restrictions
The following restrictions apply:

  1. The PWDRESET OTP and 2FA techniques can be used only for user profiles exclusively dedicated to single persons.
    Using OTP or 2FA for a user profile shared among a group of people makes no sense.

3. Command PWDSERVE
This command can be run only by a class *SECADM user profile.
It submits to job queue QSYSNOMAX a non-ending job, named PWDSERVER, running under the user profile of the submitting job. This job executes received user-profile change requests.
It is highly recommended to have this job activated daily via a Job Scheduled Entry (command WRKJOBSCDE).

4. Command PWDRESET

This command can only be run from a user profile with *SECADM special authority.
This command is used to:
  • Provide a One Time Password (OTP) to a given user profile.
The user profile must specify
  • An initial program (CHGUSRPRF INLPGM(xxx)), AND/OR
  • An initial menu (CHGUSRPRF INLMNU(yyy)).
The command looks as follows:
                 Reset usrprf password with OTP (PWDRESET)
 Type choices, press Enter.                                                     
 User profile . . . . . . . . . .  URSPRF     ABC           Name
 Length of the OTP password . . .  PWDLEN     8             5-20
 Person name  . . . . . . . . . .  USRNAME    'Jean Martin'                     
 User e-mail address  . . . . . .  EMAIL               
 Mobile phone:                     PHONE
   Country phone prefix . . . . .             33            Number
   Phone number . . . . . . . . .             0676788789          
 2-Factor authenticated logon . .  LOGON2F    *YES          *YES, *NO, *SAME
Figure 1 - Command PWDRESET
Note - Command PWDRESET also executes a PWDSERVE command
  1. Command parameters:
    • User profile (USRPRF) - The name of the user profile that should have its password reset with a OTP.
    • Length of the OTP password (PWDLEN) - The number of characters in the new OTP password. It ranges from 5 to 10 and defaults to 8.
    • User name (USRNAME) - The name of the person related to the user profile entered in parameter USRPRF.
    • User e-mail address (EMAIL) (Optional) - The e-mail address of this user. This is needed to send the OTP password to the e-mail address of the user.
    • Mobile phone (PHONE) (Optional) - The phone number (international country code plus phone number). This is needed to send the OTP password to the user's mobile phone via SMS.
      The following requirements must be met for this feature to work:
      • Utility MMAIL must have been properly installed.
      • The MMAIL SMS Clickatell support feature must have been installed (as documented in a MMAIL Developer Guide page).
      • As command MMAIL/CLICKAT2 is used by PWDRESET programs to send SMS messages, the CLICKA2INT database requirement must be met (see point 6 in this page).
  2. Changes performed to the user profile
    Command PWDRESET replaces the initial program of the user profile with program PWDRESET/CHGPWD. This is done so that the user can replace the PWDRESET OTP password with a password of his choice. The user profile's initial program name and library are saved in an internal file of the utility.
  3. The following is returned when the above PWDRESET command is executed:
    The new password for user profile ABC is "TXKI1FWB".
    An e-mail message was sent to the e-mail address of user profile ABC.
    A SMS was sent to phone number 330676788789.
  4. Communicating the OTP password to the user
    The OTP password is communicated to the user in the following ways:
    1. E-mail message - The following requirements are needed:
      • The MMAIL utility should include command EMLPTUMSG.
      • File PWDRESETDT/SENDERADDR must contain a single record specifying the sender e-mail address to be used in all e-mail messages.
      • Utility MMAIL must have been properly installed and tested by sending e-mail messages from such sender address to the e-mail addresses of the users.
    2. SMS message - The following requirements must be met:
      • Utility MMAIL must have been properly installed.
      • The MMAIL SMS Clickatell support feature must have been installed (as documented in the MMAIL Developer Guide, page MMAIL integration of Clickatell SMS service).
      • As command MMAIL/CLICKAT2 is used by PWDRESET programs to send SMS messages, the CLICKA2INT database requirement must be met (see point 6 in the same page).
  5. Support for 2-Factor Authentication (2FA) login. This is an optional feature, implementing a special login procedure for a given user profile.
    Once the user has logged in and replaced the OTP password with a new password of his choice,
    • at every subsequent login the user is additionally requested to enter a 5-digit code sent to his e-mail address or to his mobile phone number.
      Note: A user profile using this 2-Factor Authentication (2FA) feature may later disable it through a special parameter in command PWDRESET/CHGPWD.
    • 2-Factor authenticated logon (LOGON2F) - Whether the 2-Factor Authentication (2FA) logon should be implemented for this user profile.


5. User logging in with the communicated OTP password
A user, when logging in with the assigned One Time Password, receives the following screen:

                         Update One Time Password (OTP)                         
 User profile  . . . . . . . . . . . . . . :  ABC

 Type choices, press Enter. Session will end after password change.                                       
   Current password  . . . . . . . . . . . .  ____________________
   New password  . . . . . . . . . . . . . .  ____________________
   New password (to verify)  . . . . . . . .  ____________________
   Other user profile data:                                       
    - person name  . . . . . . . . . . . . .  Jean Martin
    - e-mail address . . . . . . . . . . . .

    - mobile phone number  . . . . . . . . .  33 0676788789
    - 2-factor authentication option . . . .  *YES  *YES, *NO

 F3=Signoff  F14=Disp passwords
Figure 2 - OTP logging in
The user must re-enter his OTP password and enter a new password of his choice twice (password fields have the "non display" attribute).
He may also enable or disable the 2-Factor Authentication (2FA) feature for this profile.
When the Enter key is pressed,
  • The user profile password is updated with the user-specified new value.
  • The user profile initial program is replaced by PWDRESET/AUTH2FUSER program.
    This is the program that implements the 2-factor authentication when the user signs on with his new password.

6. User logging in with his new password
Initial program PWDRESET/AUTH2FUSER sends out this screen:

                            2_Factor Authentication                            
 User profile  . . . .  ABC                                                    
 Person name . . . . .  Jean Martin                                            
 Mobile phone number .  33 0676788789                                          
 E-mail address  . . .
 To make sure that you are the right person signing in, a code will be sent to 
 the above phone mumber or to the above e-mail address                         
 You must then enter on this screen the code you received                      
 -Press F5 to send the code to the above phone number                          
 -Press F6 to send the code to the above e-mail address                        
 F3=Signoff  F5=Send code to phone  F6=Send code to e-mail address
Figure 3 - 2FA logging in - part 1

The user may choose to receive either an SMS or an e-mail message (SMS is faster) containing a random 5-digit code.
After pressing F5 or F6, the user receives the following screen:
                            2_Factor Authentication                            

 User profile  . . . .  ABC

 Person name . . . . .  Jean Martin
 Mobile phone number .  33 0676788789
 E-mail address  . . .

 An authentication code was sent to
 phone number 33 0676788789
 Type the received authentication code and press Enter
          authentication code . . .       

 F3=Signoff   F12=Another authentication code
Figure 4 - 2FA logging in - part 2

After entering the received 5-digit authentication code and pressing the Enter key, the 2-Factor authentication process is completed.
Then program PWDRESET/AUTH2FUSER calls the user profile's original initial program or initial menu.
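
Because the utility works by swapping the profile's initial program, the state of each profile can be audited from its user-profile attributes. The query below is an added example, not part of the PWDRESET utility. It assumes the IBM i service view QSYS2.USER_INFO is available, that both programs reside in library PWDRESET as named on this page, and it uses an arbitrary 7-day threshold to flag OTPs that were never replaced.

```sql
-- Added example (not shipped with PWDRESET): classify user profiles by the
-- initial program that PWDRESET installs, using the names given on this page.
--   PWDRESET/CHGPWD     -> an OTP was issued and has not yet been replaced
--   PWDRESET/AUTH2FUSER -> the user replaced the OTP; sign-on goes through AUTH2FUSER
SELECT authorization_name            AS user_profile,
       CASE initial_program_name
            WHEN 'CHGPWD'     THEN 'OTP issued, not yet replaced'
            WHEN 'AUTH2FUSER' THEN 'AUTH2FUSER installed'
       END                           AS pwdreset_state,
       -- Assumption: the reset updates the profile's password change date,
       -- so an old date on a CHGPWD profile means the OTP is still pending.
       -- The 7-day limit is an arbitrary sample threshold.
       CASE WHEN initial_program_name = 'CHGPWD'
             AND password_change_date < CURRENT TIMESTAMP - 7 DAYS
            THEN 'YES' ELSE 'NO'
       END                           AS stale_otp,
       status,
       password_change_date,
       previous_signon,
       -- LMTCPB(*YES) prevents the user from changing the initial program
       -- at sign-on; review profiles where this is not *YES.
       limit_capabilities
  FROM qsys2.user_info
 WHERE initial_program_library_name = 'PWDRESET'
   AND initial_program_name IN ('CHGPWD', 'AUTH2FUSER')
 ORDER BY pwdreset_state, password_change_date;
```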


7. Command RSTUSRPARM
Run this command to disable the PWDRESET 2-Factor Authentication feature for a given user profile and to restore its original initial program. Either enter a single user profile name, or enter *ALL to remove the 2FA feature from all user profiles that have it.
                   Rst usrprf original parameters (RSTUSRPARM)                       

 Type choices, press Enter.

 User profile . . . . . . . . . .  __________ Name, *ALL
Figure 5 - Removing the 2FA feature from a given user profile
