PWDRESET terminal-mode 2-Factor Authentication can be used also for user profiles specifying SPCENV(*S36).
The only difference with IBMi native user profiles is that with SPCENV(*S36) the user profile initial program must be slightly modified (see later in this page).
The process to enable S/36 user profile to 2-Factor Authentication is the same as for IBMi native user profiles:
- A security administrator must run command PWDRESET for the S/36 user profile, in order to enable it to the 2-F Authentication and to provide the user with a
One Time Password (OTP).
Parameter SPCENV(*S36) is removed from the user profile, because the PWDRESET 2-F Authentication programs must be run in IBM i native mode.and
- Next, the user must logon with his user profile and the assigned OTP password and specify his new password.
- Last, any time the user logs on with his user profile and his own password, he is requested to send, retrieve and enter a random numeric code assigned by
his new initial program, PWDRESET/AUTH2FUSER.
The "small" problem
The "small" problem is that the user profile S/36 initial program (example: MYLIB/MYPGM ), instead of being started by the IBM i System/36 session manager,
is now started by program PWDRESET/AUTH2FUSER with command STRS36 CURLIB(MYLIB) PRC(MYPGM).
Because of this, instead of being initiated within a predefined System/36 environment,
the initial program is started in a System/36 environment with the job library list used for running program PWDRESET/AUTH2FUSER
and with current library MYLIB.
This is why in most cases the user profile initial program MYLIB/MYPGM must be added some initial code to set up
the correct job library list and current library.
|