This page is related to the following scenario:
- Users connect to IBM i host applications via an HTTP server and a WEB browser
- The HTTP instance supports CGI directives
- Application programs are CGIDEV2-based CGI programs
- Access to the applications is authenticated through the host IBM i user profile system
- A Security Administrator runs, from a green-screen terminal, command PWDSERVE to have a permanent job servicing the user-profile change requests sent from the other commands.
- In order to reset a user-profile password with a One Time Password (OTP), optionally adding the 2-Factor Authentication (2FA) feature,
the Security Administrator either runs command PWDRESET from a green-screen terminal, or invokes a special CGI program available from an HTTP instance.
- Users, when entering HTTP instance applications, besides providing user profile name and password, may be requested to replace an OTP password and / or
to undergo a 2-factor Authentication process.
The following restrictions apply:
- The PWDRESET OTP and 2FA techniques can be used only for user profiles exclusively dedicated to single persons.
Using OTP or 2FA for a user profile shared among a group of people makes no sense.
- The PWDRESET 2FA technique can be used in a WEB environment only with application initial programs developed using the CGIDEV2 CGI technique.
3. HTTP instance requirement
In addition to all the other basic PWDRESET requirements (see topics Requirements and PWDRESET Setup
in a previous page),
the HTTP instance must support CGI programs, and the following HTTP directives must be added to it:
ScriptAliasMatch /pwdresetp/(.*) /qsys.lib/pwdreset.lib/$1
ScriptAliasMatch /xresetpwd(.*) /qsys.lib/pwdreset.lib/resetpwd.pgm
ScriptAliasMatch /xchgpwd(.*) /qsys.lib/pwdreset.lib/chgpwd.pgm
ScriptAliasMatch /cgilogon /qsys.lib/pwdreset.lib/cgilogon.pgm
Require all granted
Require all granted
AuthName "PWDRESET utility"
AuthName "CGI logon"
|Figure 1 - HTTP directives to be added|
4. CGI programs requirement
In a 5250 green-screen environment, when someone logs in to a terminal session specifying a user profile name and password,
the system gives control to the user profile initial program (parameter INLPGM) or, if *NONE is specified for such a program,
to the user profile initial menu (parameter INLMNU). In this environment, PWDRESET provides OTP and 2FA support
by replacing the value of parameter INLPGM with one of its own programs, which eventually transfers control to the original initial program or menu.
In an HTTP instance, a different process takes place. An initial program is invoked from the WEB browser by specifying the program to be called,
and a user profile validation (user profile name and password) is performed by the WEB browser only if the access to that program
is protected in the HTTP instance by the appropriate directives (in a <Directory> or <LocationMatch> group),
namely PasswdFile %%SYSTEM%% and UserID %%CLIENT%%.
Because of this, the technique of implementing OTP and 2FA support by replacing the initial program with an appropriate PWDRESET program cannot work.
What we have done is to provide a service program procedure that gives the same PWDRESET OTP and 2FA support available in the 5250 green-screen environment.
What you must do to have your application CGI initial program support OTP and 2FA is to have it run this special procedure
as soon as it starts. This special procedure is named CGILogon2F() and is exported from service program PWDRESET/PWDRESET.
Therefore, the CGI program must be created by binding it to service program PWDRESET/PWDRESET.
Example of such coding in an ILE-RPG CGI program (fixed-form D specs, free-form calculations):
     D cgilogon2f      pr              n
     D forever         s              1
      ... ... ...
      /free
       // Main line
       // NOTE: Procedure CGILogon2F() returns an *ON indicator as soon as
       // the OTP Logon or the 2FA Logon process is complete (or not needed)
       dow forever = ' ';
          if CGILogon2F();      // OTP Logon or 2FA Logon complete or not needed
             leave;             // go on with the application
          endif;
          return;               // let the OTP Logon or the 2FA Logon continue
       enddo;
       // Now the CGI program starts its real execution:
      ... ... ...
|Figure 2 - CGI program start up code|
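The protection described in section 4 for the example program PWDRESET/CGILOGON (a <LocationMatch> group with PasswdFile %%SYSTEM%% and UserID %%CLIENT%%), written out as an added configuration fragment that is not taken from the project's own /pwdreset/conf/httpd.conf. It assumes the HTTP instance named PWDRESET with the ScriptAliasMatch lines of Figure 1; the use of Require valid-user is this example's own choice (Figure 1 as shown on this page uses Require all granted), so that only a validated user profile reaches the program.

```apache
# Added example, not the PWDRESET project's own httpd.conf.
# Assumed: HTTP instance PWDRESET, aliases as in Figure 1.
ScriptAliasMatch /pwdresetp/(.*) /qsys.lib/pwdreset.lib/$1
ScriptAliasMatch /cgilogon /qsys.lib/pwdreset.lib/cgilogon.pgm

# A URL path with no protecting group (such as /cgilogon above) is served
# without any prompt: no user-profile validation takes place, so the
# OTP / 2FA logon has no authenticated user profile to act on (section 4).
# The group below protects the example program PWDRESET/CGILOGON.
<LocationMatch /pwdresetp/cgilogon.pgm>
   AuthType Basic
   AuthName "CGI logon"
   # validate the credentials against the IBM i user profiles
   PasswdFile %%SYSTEM%%
   # run the CGI program under the authenticated user profile
   UserID %%CLIENT%%
   # this example's choice: accept only a validated user profile
   Require valid-user
</LocationMatch>
```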
An example of such an initial program is provided in file PWDRESET/QRPGLESRC, member CGILOGON.
You may test this program in this way.
The PWDRESET HTTP instance directives are available in IFS stream file /pwdreset/conf/httpd.conf.
- Start the instance: STRTCPSVR SERVER(*HTTP) HTTPSVR(PWDRESET)
- In the WEB browser address line, type
5. Resetting password to OTP
You can do that, as a CLASS(*SECADM) user, by entering command PWDRESET from a green-screen terminal,
or from a WEB browser, over an HTTP instance containing the directives in Figure 1, using the URL
The browser will ask you to enter a user-profile name and the related password. You must enter the name of a CLASS(*SECADM) user profile.
You receive the following page:
|Figure 3 - Reset user profile password - Step 1|
Just enter an existing user profile name (example: ABC) and press the "go" button. The following shows up:
|Figure 4 - Reset user profile password - Step 2|
Enter or update the input data, then press the "go" button:
|Figure 5 - Reset user profile password - Done|
You should remember to close all windows of that WEB browser, to protect the access to your CLASS(*SECADM) user profile.
6. User login with OTP active
Let us have a look at the login to our example program PWDRESET/CGILOGON when access to it is protected in the HTTP instance directives
via the user profile authentication group <LocationMatch /pwdresetp/cgilogon.pgm> ... </LocationMatch> (see Figure 1).
When our user tries to access URL http://.../pwdresetp/cgilogon.pgm, the browser asks him to log in by specifying a user-profile name and its password.
Our user specifies user profile ABC (the one that now has an OTP password) and the OTP password he received by SMS or by e-mail message.
The following shows up:
|Figure 6 - User must replace the OTP|
The user enters the received OTP and his new password (twice), then presses the "Go" button.
The password change is confirmed:
|Figure 7 - Password successfully changed|
7. User login when 2FA active
As the 2FA option (Figure 6) was confirmed, when the user presses the "Continue" button (or whenever he logs in again with the same user profile),
the 2-Factor Authentication feature (2FA) takes control by displaying the following:
|Figure 8 - 2FA in action|
When the user presses one of the two buttons there ("Send SMS" or "Send e-mail"),
a message like
IBMi - Authentication code for user ABC is "60499"
is sent to the user's mobile phone or to his mailbox,
and the following pops up:
|Figure 9 - 2FA asking for the code it just sent|
When the user enters the received 5-digit code and presses the "go" button, a confirmation is shown:
|Figure 10 - 2FA confirms the code entered|
and, when the "Continue" button is pressed, the CGI program (PWDRESET/CGILOGON in this example)
resumes control and does its application job:
|Figure 11 - CGI program got control|