
OS/400 trigger

Bravura Pass can intercept password changes on an IBM OS/400 system. This is done by installing an exit program, pspwdexit_v5r4m0 or pspwdexit_v7r1m0, which implements the QIBM_QSY_VLD_PASSWRD exit point on the OS/400 system. The exit program informs Bravura Pass when a password is changed, and it lets Bravura Pass check who is changing whose password. If a user tries to change another user's password, the attempt is blocked and a warning is sent to a specified administrator.

Bravura Pass ships with two exit programs for OS/400, pspwdexit_v5r4m0 for the IBM i7.1 operating system and pspwdexit_v7r1m0 for the IBM i7.2 operating system.

This chapter details how to configure transparent password synchronization on an OS/400 system by:

  1. Creating and applying a password policy

  2. Installing and configuring pspwdexit

  3. Configuring the Password Manager service (idpm)

  4. Verifying the configuration

These steps are detailed in the sections that follow.

This chapter assumes you have set up an OS/400 target system and tested its configuration according to IBM OS/400 Server in the Connector Pack documentation.

Create and apply a password policy

Before installing and configuring the Bravura Pass transparent password synchronization software on the OS/400 server, you need to create a password strength policy for the OS/400 server:

  1. Configure a password strength policy .

    Set the Maximum number of lowercase letters to 0. Passwords on the OS/400 system cannot include lowercase letters. Configure other parameters as required.

  2. Create a target system group.

    • Ensure that the Use transparent password synchronization checkbox is selected.

    • Select the password policy that you created.

  3. Make the OS/400 server a member of the target system group.

Once you have applied the password policy and installed the exit programs on an OS/400 server, be sure to inform your users that:

  • All future password changes are subjected to the password policy enforced by the Bravura Pass server.

  • When they change their password on the OS/400 server, their new password is automatically applied to all their other accounts managed by the Bravura Pass server.

  • Their new password must be all uppercase.

Install and configure pspwdexit

The pspwdexit_v5r4m0 and pspwdexit_v7r1m0 programs are installed in the <instance>\addon\transparent-synch\as400 directory.

To install and configure the pspwdexit_v5r4m0 for IBM i7.1 or pspwdexit_v7r1m0 for IBM i7.2 program:

  1. From the Bravura Pass server, establish a connection to the OS/400 server using the 5250 emulator software.

  2. If the OS/400 server already has another version of the transparent synchronization interceptor installed on it, you must remove it by running the following command:

    DLTLIB PSYNCH
  3. Create a PSPWDEXIT save file.

    CRTSAVF FILE(QGPL/PSPWDEXIT)
  4. Transfer the pspwdexit_v5r4m0 or pspwdexit_v7r1m0 file to the OS/400 server, so that it overwrites the placeholder file you created in step 3.

    1. Navigate to the <instance>\addon\transparent-synch\as400 directory.

    2. From a Windows command prompt:

      ftp <OS/400 server>
      
      > binary
      
      > put <exit program> QGPL/PSPWDEXIT (replace
      
      > quit

      Note that there is no closing parenthesis on the put command.

  5. Switch back to the 5250 emulator.

  6. Restore the PSYNCH library:

    RSTLIB SAVLIB(PSYNCH) DEV(*SAVF) SAVF(QGPL/PSPWDEXIT)
  7. Change the following system value:

    CHGSYSVAL SYSVAL(QPWDVLDPGM) VALUE(*REGFAC)

    then add the exit program by typing on one line:

    ADDEXITPGM EXITPNT(QIBM_QSY_VLD_PASSWRD) FORMAT(VLDP0100) PGMNBR(*HIGH) PGM(PSYNCH/PSPWDEXIT) THDSAFE(*YES) TEXT('Password Manager Password Exit Program')
  8. Configure the following data areas:

    • Set TARGETID to the target ID of the OS/400 server as it is configured in Bravura Pass :

      CHGDTAARA DTAARA(PSYNCH/TARGETID) VALUE('<target ID>')
    • Set PSSERVER to the address of the Bravura Pass server:

      CHGDTAARA DTAARA(PSYNCH/PSSERVER) VALUE('<Pass server address>')
    • Set PSPORT to 3334:

      CHGDTAARA DTAARA(PSYNCH/PSPORT) VALUE('3334')
    • Set COMMKEY to the Bravura Pass server communication key (or Master Key) value:

      CHGDTAARA DTAARA(PSYNCH/COMMKEY) VALUE('<commkey value>')
    • Set MSGUSER to the administrative user who will receive system messages:

      CHGDTAARA DTAARA(PSYNCH/MSGUSER) VALUE('<user>')

    See OS/400 system components for a description of values.

  9. Modify the PSYNCH library’s object authorization.

    To modify the authority of the objects in the PSYNCH library:

    1. Type:

      WRKLIB LIB(PSYNCH)
    2. Enter 12 (work with objects).

    3. For each object in the PSYNCH library:

      • Select 2 to edit authority.

      • Ensure the *PUBLIC user has its object authority set to *USE. Modify accordingly.
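Steps 6 through 9 collected into one CL program, added here as a worked example; it is not part of the Bravura Pass package. It assumes the save file has already been transferred to QGPL/PSPWDEXIT with FTP (step 4), that it runs under a profile allowed to change system values and register exit programs, and that the restored PSYNCH library contains the data areas listed under OS/400 system components (including FAILPPDOWN). The program name INSTPSEXIT, the parameter names and the values in the CALL comment are placeholders. GRTOBJAUT stands in for the interactive WRKLIB/edit-authority sequence of step 9; setting FAILPPDOWN to 1 is a site choice, not a documented default.

```cl
/* INSTPSEXIT: steps 6 to 9 of the pspwdexit install as one CL program. */
/* Added example, not part of the Bravura Pass package.                 */
/* Assumes QGPL/PSPWDEXIT was already FTPed in (step 4) and that the    */
/* job runs under a profile with authority to CHGSYSVAL and ADDEXITPGM. */
/* Call (example values):                                               */
/*   CALL INSTPSEXIT PARM('OS400TGT' 'pass.example.com' +               */
/*                        '<encrypted commkey>' 'SECADMIN')             */
PGM        PARM(&TGTID &PSSRV &COMMKEY &MSGUSR)
  /* Lengths match the data area field lengths documented on this page */
  DCL        VAR(&TGTID)   TYPE(*CHAR) LEN(80)
  DCL        VAR(&PSSRV)   TYPE(*CHAR) LEN(50)
  DCL        VAR(&COMMKEY) TYPE(*CHAR) LEN(80)
  DCL        VAR(&MSGUSR)  TYPE(*CHAR) LEN(10)
  /* Any CPF error that is not monitored below ends the program */
  MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))

  /* Precondition from step 4: without the save file RSTLIB has nothing */
  CHKOBJ     OBJ(QGPL/PSPWDEXIT) OBJTYPE(*FILE)

  /* Step 2: drop an earlier interceptor. CPF2110 = library not found, */
  /* which is the normal case on a first install.                      */
  DLTLIB     LIB(PSYNCH)
  MONMSG     MSGID(CPF2110)

  /* Step 6 */
  RSTLIB     SAVLIB(PSYNCH) DEV(*SAVF) SAVF(QGPL/PSPWDEXIT)

  /* Step 7: route password validation through the registration */
  /* facility and register the exit program at the exit point.  */
  CHGSYSVAL  SYSVAL(QPWDVLDPGM) VALUE(*REGFAC)
  ADDEXITPGM EXITPNT(QIBM_QSY_VLD_PASSWRD) FORMAT(VLDP0100) +
             PGMNBR(*HIGH) PGM(PSYNCH/PSPWDEXIT) THDSAFE(*YES) +
             TEXT('Password Manager Password Exit Program')

  /* Step 8: data areas. COMMKEY takes the key in its encrypted */
  /* format, not the plaintext communication key.               */
  CHGDTAARA  DTAARA(PSYNCH/TARGETID) VALUE(&TGTID)
  CHGDTAARA  DTAARA(PSYNCH/PSSERVER) VALUE(&PSSRV)
  CHGDTAARA  DTAARA(PSYNCH/PSPORT)   VALUE('3334')
  CHGDTAARA  DTAARA(PSYNCH/COMMKEY)  VALUE(&COMMKEY)
  CHGDTAARA  DTAARA(PSYNCH/MSGUSER)  VALUE(&MSGUSR)
  /* Site choice (assumption, not the shipped default of 0): fail   */
  /* closed. With 0, CHGPWD is permitted unchecked whenever the      */
  /* Password Manager service cannot be reached.                     */
  CHGDTAARA  DTAARA(PSYNCH/FAILPPDOWN) VALUE('1')

  /* Step 9: *PUBLIC gets exactly *USE on every object in PSYNCH.   */
  /* Revoke first so the result does not depend on what RSTLIB left */
  /* behind, then grant *USE.                                       */
  RVKOBJAUT  OBJ(PSYNCH/*ALL) OBJTYPE(*ALL) USER(*PUBLIC) AUT(*ALL)
  GRTOBJAUT  OBJ(PSYNCH/*ALL) OBJTYPE(*ALL) USER(*PUBLIC) AUT(*USE)

  /* Read back what was set and compare with the values passed in */
  DSPSYSVAL  SYSVAL(QPWDVLDPGM)
  DSPDTAARA  DTAARA(PSYNCH/TARGETID)
  DSPDTAARA  DTAARA(PSYNCH/PSSERVER)
  DSPDTAARA  DTAARA(PSYNCH/FAILPPDOWN)
  SNDPGMMSG  MSG('PSPWDEXIT installed and registered') MSGTYPE(*COMP)
  RETURN

FAIL: SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                 MSGDTA('PSPWDEXIT install failed, see job log') +
                 MSGTYPE(*ESCAPE)
ENDPGM
```

Two points the page's steps do not cover, stated here as assumptions: DLTLIB PSYNCH removes the old library but not its entry at the exit point, so when reinstalling over an earlier version, look up the old program number with WRKREGINF EXITPNT(QIBM_QSY_VLD_PASSWRD) and remove it with RMVEXITPGM before running this, or the exit point will carry two entries for the same program; and the library object itself (QSYS/PSYNCH, type *LIB) needs *PUBLIC *USE as well for the exit program to be callable on behalf of every user who changes a password.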

OS/400 system components

All the data areas are type CHAR, so values passed to CHGDTAARA must be enclosed in single quotes.

PSPWDEXIT

    The exit programs work with the QIBM_QSY_VLD_PASSWRD exit point. Use the ADDEXITPGM command to register the exit program at that exit point.

    You also need to set the QPWDVLDPGM system value to *REGFAC. The advantage of this is that the exit program can check who is changing whose password. Users are not allowed to change other users' passwords; if this is attempted, a warning message is sent to the administrator named in MSGUSER.

MSGUSER

    The user to whom administrative messages are sent. If no user is specified, messages are sent to QSYSOPR. If a nonexistent user is specified, messages are not sent, so check the value against an existing profile. Field length is 10.

MSGLEVEL

    The level of administrative messages that is logged. The default level is 3. Possible values: 0 (no logging), 1 (error), 2 (warning), 3 (notice), 4 (info), 5 (debug).

PSSERVER

    The Bravura Pass server's network name or IP address. Field length is 50.

PSPORT

    The Password Manager service port number. Field length is 5.

COMMKEY

    The Bravura Pass communication key (or Master Key) in its encrypted format. Field length is 80.

TARGETID

    The target ID of the OS/400 server as it is identified in Bravura Pass. Field length is 80.

TIMEOUT

    The timeout, in seconds, for connecting to the Password Manager service. The default is 8; on a slow network a larger value may be needed. Field length is 2.

FAILPPDOWN

    The behaviour when the Password Manager service cannot be contacted. The default, 0, still permits the CHGPWD when the service is unreachable; the change then goes through without the Bravura Pass policy check or synchronization (fail open). If set to 1, the CHGPWD is rejected when the service cannot be contacted (fail closed).

Configure the Password Manager service for transparent synchronization

To allow external servers access to the Password Manager service (idpm) on the primary Bravura Security Fabric server, you must also add a CIDR mask address for the trigger system.

  1. Click Manage the system > Maintenance > Services.

  2. Select Bravura Security (idpm) Password Manager Service.

  3. Add a CIDR mask address for the trigger system in the following setting:

    Comma-delimited list of IP addresses with CIDR bitmask that are allowed to send socket requests

    Use the narrowest mask that covers the OS/400 server (a /32 for a single host): every host in the listed ranges is allowed to open a socket to the service.

Verify the configuration

Verify that the transparent password synchronization trigger is working as expected. Log into the OS/400 server and change the password of a user that Bravura Pass is managing. Ensure that the password change was captured by Bravura Pass and propagated to the user's other target systems. Also confirm the two controls the exit program adds: a new password that violates the password policy is rejected, and an attempt by a user to change another user's password is blocked and produces a warning message for the MSGUSER profile.