IBM OS/400 Server
Connector name | |
Connector type | Executable |
Type (UI field value) | IBM OS/400 Server |
Connector status / support | Customer-Verified. Clients may contact Bravura Security support for assistance with this connector. Troubleshooting and testing must be completed in the client's test environment, as Bravura Security does not maintain internal test environments for the associated target system. |
This connector issues commands – for example, crtusrprf – from the Bravura Security Fabric server via the IBM iSeries Access for Windows client to the OS/400 server.
The following Bravura Security Fabric operations are supported by this connector:
expire password
administrator reset password
administrator reset+expire password
unexpire password
user verify password
verify+reset password
create account
delete account
unlock account*
Note
The "unlock account" operation requires special configuration. For details see Targeting an IBM OS/400 Server.
disable account
enable account
check account enabled
update attributes
list account attributes
List:
accounts
attributes
Bravura Security Fabric can also manage application-specific accounts on OS/400 servers using the scripted connector for OS/400. See IBM OS/400 Server Hosted Applications for details.
In either case, no software is installed on the OS/400 server.
See also
Bravura Pass can intercept password changes on an OS/400 system. This is done by installing an exit trap program, pspwdexit, which implements the QIBM_QSY_VLD_PASSWRD exit point on the OS/400 system. See "Transparent Password Synchronization" in the configuration documentation for details.
Bravura Security Fabric can also manage OS/400 system accounts by issuing commands over a TN-5250 session using the programmable Telnet connector (agtelnet). This method, however, is less secure and requires scripting. See TCP Telnet HTTP or HTTPS Access for more information.
Preparation
Before Bravura Security Fabric can perform operations on an OS/400 server, you must:
Install the client software.
Configure a target system administrator.
Install the as-svrmap service.
Enable SSL.
Create at least one template account.
Installing client software
Bravura Security Fabric communicates with the OS/400 server via APIs provided by the IBM iSeries Access for Windows client. Before you can target an OS/400 server, you must install the IBM iSeries Access for Windows client software on the Bravura Security Fabric server.
To install IBM iAccess Windows Application framework:
Obtain the IBMiAccess_v1r1_WindowsAP_English.zip package from the IBM website.
Extract the files from the zip package.
Run setup.exe in the Image64a folder.
Note the default installation directory which is: C:\Program Files (x86)\IBM\Client Access\
By default, the setup program installs:
Required programs
ODBC
OLE DB Provider
.NET Data Provider
Secure Socket Layer (SSL)
Languages
Header, Libraries, and Documentation
After the install, cwbco.dll is installed in C:\Windows\SysWOW64.
The client requires ports to be open between all the Bravura Security Fabric servers (nodes or proxies, wherever the agent runs) and all targets to be managed, as described in: https://www.ibm.com/support/pages/unable-start-or-connect-tcpip-server
Connectors for OS/400 Server and OS/400 Server hosted applications use the API contained in this DLL and its sub-DLLs.
This software also contains a 5250 emulator. The emulator is used to configure the server for transparent password synchronization. If you plan to implement transparent synchronization, verify that you can establish a connection to the OS/400 server with it. If you cannot, install a 5250 emulator that can communicate with your OS/400 server.
Consult the documentation included with your iSeries client software for more information.
Configuring a target system administrator
Bravura Security Fabric uses a designated account (for example, psadmin) on the OS/400 server to perform operations.
The target system administrator must have the *ALLOBJ and *SECADM special authorities. Ensure that you set and note the account's password. You will be required to enter the login ID and password when you add the OS/400 target system to Bravura Security Fabric.
Listing users
In order for the IBM client API to retrieve a list of users from the OS/400 server, the as-svrmap service must be installed and running on the OS/400 server.
Enabling SSL
SSL security is recommended. To enable SSL for OS/400 systems using iSeries Navigator:
Open iSeries Navigator (Start > IBM iSeries Access for Windows > iSeries Navigator).
Right-click the server you are trying to connect to and select Properties.
From the Secure Sockets tab, press Download.
Creating a template account
Bravura Security Fabric uses template accounts as models or "blueprints" for creating new OS/400 accounts. The following example illustrates how you can create a template account on your OS/400 server:
Using Telnet, connect to the OS/400 server.
The Sign On screen displays.
Type your user ID in the User field.
Type your password in the Password field.
Press the Enter key.
The Command Entry screen displays.
Type the following command:
crtusrprf usrprf (username) password (password) [Enter]
You can enter more information about the user or submit the account for creation.
See your systems administrator or OS/400 documentation for more information if required.
Targeting an IBM OS/400 Server
For each IBM OS/400 server, add a target system in Bravura Security Fabric (Manage the System > Resources > Target systems).
Type is IBM OS/400 Server.
Address uses options described in the table below.
The Administrator ID and Password is the login ID and password for the target system administrator you configured earlier.
Option | Description |
|---|---|
Options marked with a | |
Server | IP address or host name. (key: server) |
Connection over SSL | Enables an SSL connection when connecting to the target system server. This is enabled by default. (key: ssl) |
Disable on lock | Enables support for the lock operation, which the connector simulates by disabling the account. (key: disableOnLock) |
Enable on unlock | Enables support for the unlock operation, which the connector simulates by enabling the account. (key: enableOnUnlock) |
Enable on reset | Enables support for password reset which also enables the account. (key: enableOnReset) |
Advanced | |
Number of characters to truncate password for verify/reset | By default, passwords are not truncated. When a non-zero value is given, this setting supersedes existing password policies: only the first N characters of the password are used and any trailing characters are ignored. (key: truncatePassword) |
AS400 output file | The name of the file created by dspusrprf. Default value is 'psynch'. (key: as400OutputFile) |
AS400 output library | The name of the AS400 library. Default value is 'qgpl'. (key: as400OutputLibrary) |
The address is entered in KVGroup format:
{server=<IP/Hostname>;ssl=<true|false>;disableOnLock=<true|false>;enableOnUnlock=<true|false>;enableOnReset=<true|false>;as400OutputFile=psynch;as400OutputLibrary=qgpl}
The full list of target system parameters is explained in Target System Options.
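The following added example (not part of the Bravura Security Fabric product or its documentation) parses and validates an address string in the KVGroup format above: it applies the defaults from the option table, rejects unknown keys and embedded whitespace (the documented cause of cwbCO_CreateSystem err=8014), and warns when SSL is turned off or when the server is given as a host name rather than an IP address. The addresses used in the comments are constructed.

```python
import ipaddress
import re

# Documented option keys with their defaults: ssl is on by default, the three
# simulate-lock/unlock/reset flags and password truncation are off unless set.
OS400_KEYS = {
    "server": None,
    "ssl": "true",
    "disableOnLock": "false",
    "enableOnUnlock": "false",
    "enableOnReset": "false",
    "truncatePassword": "0",
    "as400OutputFile": "psynch",
    "as400OutputLibrary": "qgpl",
}
BOOL_KEYS = {"ssl", "disableOnLock", "enableOnUnlock", "enableOnReset"}


def parse_kvgroup(address):
    """Split '{k=v;k=v}' into a dict; raise ValueError on malformed input."""
    if re.search(r"\s", address):
        raise ValueError("whitespace in address (cwbCO_CreateSystem err=8014)")
    m = re.fullmatch(r"\{(.*)\}", address)
    if not m:
        raise ValueError("address must be enclosed in braces")
    result = {}
    for pair in filter(None, m.group(1).split(";")):
        key, sep, value = pair.partition("=")
        if not sep or key not in OS400_KEYS:
            raise ValueError(f"unknown or malformed option: {pair!r}")
        result[key] = value
    return result


def validate_os400_address(address):
    """Apply defaults and type checks; return (settings, warnings)."""
    settings = {**OS400_KEYS, **parse_kvgroup(address)}
    if not settings["server"]:
        raise ValueError("server is required")
    for key in BOOL_KEYS:
        if settings[key] not in ("true", "false"):
            raise ValueError(f"{key} must be true or false")
        settings[key] = settings[key] == "true"
    settings["truncatePassword"] = int(settings["truncatePassword"])
    warnings = []
    if not settings["ssl"]:
        warnings.append("ssl=false: traffic to the OS/400 server is unencrypted")
    try:
        ipaddress.ip_address(settings["server"])  # e.g. "{server=10.0.0.5;...}"
    except ValueError:
        warnings.append("server is a host name; on err=11001 use the IP address")
    return settings, warnings
```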
Handling account attributes
You can view the complete list of attributes that Bravura Security Fabric can manage, including native and pseudo-attributes, using the Manage the system (PSA) module. To do this, select IBM OS/400 Server from the Manage the system > Resources > Account attributes > Target system type menu.
This section describes the pseudo-attributes that Bravura Security Fabric uses to compose values, set flags, or control behavior on OS/400. For information about the native OS/400 attributes managed by Bravura Security Fabric, consult your OS/400 documentation.
Deleting accounts
When Bravura Identity deletes an OS/400 account, the following pseudo-attributes define how to handle owned objects:
_homedir_option: There are three possible options for deleting an account with owned objects:
*nodlt - don't delete the account if the user has any owned objects.
delete - delete both the owned objects and the account.
changeowner - change ownership of the objects and delete the account. If this option is defined, the sup_homedir_option pseudo-attribute must be set to the user name of the recipient account.
If no action is defined for _homedir_option, the default action is *nodlt.
sup_homedir_option: Specifies the new owner for orphaned objects. This pseudo-attribute must be defined if _owned_object_option is set to changeowner.
Bravura Security Fabric respects the account deletion rules of OS/400 and will not delete an account if, for example, the user profile is the primary group for any object. Also, certain types of objects, such as *LIB, *DIR, or *RCT, are not deleted but are transferred to the QDFTOWN account upon deletion of their original owner.
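The deletion rules above, as an added illustration that is not Bravura Security Fabric's own code: a constructed function that resolves _homedir_option and sup_homedir_option for one profile and applies the OS/400 constraints this section describes (no deletion when the profile is a primary group; *LIB, *DIR and *RCT objects go to QDFTOWN instead of being deleted). The object and profile names are hypothetical.

```python
# Object types that OS/400 transfers to QDFTOWN instead of deleting when
# their owner is deleted (as described in this section).
TRANSFER_TO_QDFTOWN = {"*LIB", "*DIR", "*RCT"}


def plan_account_deletion(attrs, owned_objects, primary_group_for):
    """Resolve the deletion pseudo-attributes for one OS/400 user profile.

    attrs: the account's pseudo-attributes (_homedir_option, sup_homedir_option)
    owned_objects: list of (object_name, object_type) the profile owns
    primary_group_for: set of objects for which the profile is the primary group
    Returns (delete_account, actions_or_reason); actions are
    (object_name, "chgown" | "delete", new_owner) tuples.
    """
    if primary_group_for:
        # OS/400 deletion rule: a profile that is a primary group is not deleted.
        return False, f"profile is primary group for {sorted(primary_group_for)}"
    option = attrs.get("_homedir_option") or "*nodlt"  # *nodlt is the default
    if option == "*nodlt":
        if owned_objects:
            return False, "*nodlt: profile still owns objects"
        return True, []
    if option == "changeowner":
        new_owner = attrs.get("sup_homedir_option")
        if not new_owner:
            raise ValueError("changeowner requires sup_homedir_option")
        return True, [(name, "chgown", new_owner) for name, _ in owned_objects]
    if option == "delete":
        actions = []
        for name, otype in owned_objects:
            if otype in TRANSFER_TO_QDFTOWN:
                actions.append((name, "chgown", "QDFTOWN"))
            else:
                actions.append((name, "delete", None))
        return True, actions
    raise ValueError(f"unknown _homedir_option: {option!r}")
```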
Troubleshooting
If you experience any errors, verify that:
The IBM iSeries Access for Windows client software is installed on the Bravura Security Fabric server.
The IBM iSeries Access for Windows libraries are on the system-wide search path (PATH variable). If not, add the appropriate directory to the PATH environment variable and restart the Bravura Security Fabric server.
You can log into each OS/400 server from the Bravura Security Fabric server, using any tool in the IBM iSeries Access for Windows client, and the target system administrator ID and password you created.
Ensure correct ports are open between all the Bravura Security Fabric servers (nodes or proxies, wherever the agent runs), and all targets to be managed, as described in: https://www.ibm.com/support/pages/unable-start-or-connect-tcpip-server . Encrypted communication is recommended.
You can issue the crtusrprf and chgusrprf commands to create and update accounts when logged into each OS/400 server as the target system administrator.
You can issue a chgusrprf command on each OS/400 server to reset a user's password when logged in with the administrative account.
Specific error messages
If you get the following error messages:
cwbCO_Connect: err=10061 (winsock error) The connection has been refused.
Check with the target administrators if they used different ports than the ones in the port table from the IBM article https://www.ibm.com/support/pages/unable-start-or-connect-tcpip-server , for these services:
Port mapper
License Management
Signon Verification
Telnet (PC5250 Emulation)
Open remote access from the Privilege servers or proxies to whatever ports those services are listening on, to each specific target server, as they can be configured differently from target to target.
cwbCO_Connect: err=11001 (winsock error) The host was not found. Change the target system address line from the DNS host name to the IP address.
cwbCO_CreateSystem: err=8014 Ensure there is no whitespace in the target system address line.
