LogonChecker Authentication for CICS Web Transactions

5 replies Latest Post - 2013-01-30T23:32:19Z by markevans

E7H0_john_crosbie
2013-01-22T04:32:36Z
We have utilised this feature for many years to authenticate users for Web Transactions against RACF via CICS.
I cannot locate the EGL equivalent sample code\doco.
This option works well for us - logon page/authentication/password changes - except when a user takes too long to think of a new password. If during this quiet time another user logs on (authenticates) at a different PC, their session continues ok, but when the password change request is submitted it always fails with -27 (invalid password), as it appears the password change request is being ignored and EGL\WAS tries to initiate a regular initial logon session with an expired password. Any thoughts appreciated. I have the traces - just wondering if there was a sample of the LogonChecker class that I could compare to the local customised version. Thanks John.
Updated on 2013-01-30T23:32:19Z by markevans
  • markevans
    2013-01-22T17:19:09Z in response to E7H0_john_crosbie
    John,

    Here is a copy of the original sample from VAGen.

    
    
    
    package com.ibm.hpt.gateway;

    /**
     * Licensed Material - Property of IBM
     * (C) Copyright IBM Corp. 2001 - All Rights Reserved
     *
     * DISCLAIMER:
     * The following [enclosed] code is sample code created by IBM
     * Corporation.  This sample code is not part of any standard IBM product
     * and is provided to you solely for the purpose of assisting you in the
     * development of your applications.  The code is provided 'AS IS',
     * without warranty or condition of any kind.  IBM shall not be liable for any damages
     * arising out of your use of the sample code, even if IBM has been
     * advised of the possibility of such damages.
     **/

    /**
     * Class Description:
     * This interface contains developer/customer implementable constants and methods.
     * Creation date: (5/21/01 1:08:46 PM)
     **/

    import com.ibm.vgj.cso.*;

    public interface LogonChecker
    {
        /**
         * Copyright information.
         */
        public static final String COPYRIGHT = "(C) Copyright IBM Corporation 2001";

        public static final String EXPIRED_GTWPASSWORD    = "8000E";
        public static final String INVALID_GTWPASSWORD    = "8001E";
        public static final String INVALID_GTWUSERID      = "8002E";
        public static final String NULL_ENTRY             = "8003E";
        public static final String UNKNOWN_SECURITY_ERROR = "8004E";
        public static final String CHANGE_PASSWORD_ERROR  = "8005E";

        /**
         * Creation date: (5/21/01 1:14:46 PM)
         * @param userid java.lang.String
         * @param password java.lang.String
         * @param newpassword java.lang.String
         * @exception com.ibm.vgj.cso.CSOException The exception description.
         */
        void changePassword(String userid, String password, String newpassword)
            throws com.ibm.vgj.cso.CSOException;

        /**
         * Creation date: (5/21/01 1:14:24 PM)
         * @return boolean
         * @param userid java.lang.String
         * @param password java.lang.String
         * @exception com.ibm.vgj.cso.CSOException The exception description.
         */
        boolean isUserValid(String userid, String password)
            throws com.ibm.vgj.cso.CSOException;
    }
    


    I haven't found where we ship this sample in EGL yet.
  • E7H0_john_crosbie
    2013-01-24T04:01:18Z in response to E7H0_john_crosbie
    Hi Mark,

    thanks for the sample,

    The trace below is taken from the gw.properties hptErrorLog; this shows a successful password change:

    Thu Jan 24 11:55:36 EST 2013 - CM3UKO02 - VGJ0609I - A gateway session is being bound for user, CM3UKO02.
    Thu Jan 24 11:56:21 EST 2013 - CM3UKO02 - Userid:"au010493"
    Thu Jan 24 11:56:21 EST 2013 - CM3UKO02 - Password:"********"
    Thu Jan 24 11:56:22 EST 2013 - CM3UKO02 - CSO8000E The password entered to the Gateway has expired. @PLEASE CHANGE PASSWORD TO A PASSWORD THAT HAS NOT BEEN USED BEFORE@.

    24 secs think time

    Thu Jan 24 11:56:46 EST 2013 - CM3UKO02 - Userid:"au010493"
    Thu Jan 24 11:56:46 EST 2013 - CM3UKO02 - Password:"********"
    Thu Jan 24 11:56:46 EST 2013 - CM3UKO02 - ExpiredPassword Page was served before.
    Thu Jan 24 11:56:46 EST 2013 - CM3UKO02 - EXPIRED_PASSWORDPAGE_LOGIN is not null
    Thu Jan 24 11:56:46 EST 2013 - CM3UKO02 - setting NewPassword...
    Thu Jan 24 11:56:46 EST 2013 - CM3UKO02 - Userid:"********"
    Thu Jan 24 11:56:46 EST 2013 - CM3UKO02 - OldPassword:"********"
    Thu Jan 24 11:56:46 EST 2013 - CM3UKO02 - NewPassword:"********"
    Thu Jan 24 11:56:46 EST 2013 - CM3UKO02 - ConfirmedNewPassword:"********"

    However, if another user authenticates during this think time - no trace entries are generated after the "think time" for the password change request, the request is then routed to CICS with an expired password resulting in CTG returning -27 Invalid Password code.

    "
    Program In Error: ZZ003WT
    Date of error: 24/01/2013
    Time of Error 12:47:14
    Error messages:
    CSO7658E An error was encountered calling program ZZ003WT on system CICSM2 for user au010493. CICS ECI call returned RC -27 and Abend Code ."
    So I do not believe the problem is with the LogonChecker; it is not being invoked. I cannot discover how EGL tracks/detects the following: Session Object? HTTP header?

    Thu Jan 24 11:56:46 EST 2013 - CM3UKO02 - ExpiredPassword Page was served before.
    Thu Jan 24 11:56:46 EST 2013 - CM3UKO02 - EXPIRED_PASSWORDPAGE_LOGIN is not null
    Thu Jan 24 11:56:46 EST 2013 - CM3UKO02 - setting NewPassword...

    here is our password change JSP :

    <%@ page errorPage="Vagen1ErrorPage.jsp" %>
    <jsp:useBean id="hptGatewayURL" class="java.lang.String" scope="request"/>
    <!-- Uncomment the following line for JSP 0.91 support and comment out
    the lines for JSP 1.0 or later support -->
    <!-- BEAN NAME="hptGatewayURL" TYPE="java.lang.String" SCOPE=REQUEST></BEAN -->
    <jsp:useBean id="hptLogonError" class="java.lang.String" scope="application"/>

    <HTML>
    <HEAD>
    <TITLE>VisualAge Generator System Login</TITLE>
    </HEAD>
    3
    Australia Modification Logon Page

    <%if (hptLogonError != null)
    { %>

    <script language="JavaScript1.2" type="text/javascript">
    <!--

    // Declare Variables
    var a = "<%=hptLogonError%>";
    var status = true;
    var c = 0;
    var result = new String();

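    // Copy the text between the first pair of '@' markers into result
    while (c < a.length) {
        c++;
        if (a.charAt(c) == '@') {
            // Stop at the closing '@', or at the end of the string if there is none
            while (status && c < a.length) {
                c++;
                if (a.charAt(c) == '@') { status = false; break; }
                result = result + a.charAt(c);
            }
        }
    }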

    document.writeln(result);

    // -->
    </script>

    <%
    } %>

    <FORM METHOD=POST ACTION="<%= hptGatewayURL %>">

    Please enter your userid and password information below ( *: Required entries ):
    *USERID:
    <INPUT TYPE="text" NAME="hptUserid" size="9" maxlength="8">

    *OLDPASSWORD:
    <INPUT TYPE="password" NAME="hptPassword" size="9" maxlength="8">

    *NEWPASSWORD:
    <INPUT TYPE="password" NAME="hptNewPassword" size="9" maxlength="8">

    *CONFIRM NEWPASSWORD:
    <INPUT TYPE="password" NAME="hptConfirmNewPassword" size="9" maxlength="8">


    <INPUT TYPE="submit" VALUE="Login" NAME="hptExpiredPasswordPageLogin">

    </FORM>
    </BODY>
    </HTML>

    Any thoughts, should I raise a support ticket?

    Many thanks John.
    • markevans
      2013-01-24T23:05:24Z in response to E7H0_john_crosbie
      John,

      We might need to get a ticket open...but a couple of questions first:

      What are you expecting to happen with the second user?

      Are you expecting it to:
      • "wait" until the first user updates the password?
      • Then update the second user's password with the "new password" somehow?
      • Serve the password update page to the second user also so they can change it (which sounds undesirable)?
      • Re-send the initial logon page for the second user?

      And is this something that ran like this in VAGen also? Or is this the first time you have hit the issue in VAGen or EGL?

      Thanks.
      • E7H0_john_crosbie
        2013-01-30T00:23:56Z in response to markevans
        Hi Mark,

        we would like it to work the same as the CICS Logon. FYI all users have unique RACF logon ids.

        User1 attempts to logon, RACF responds that their password has expired, EGL displays the password change screen, User1 takes some time to think of a new password.
        User2 logs on with a different account\password, successfully authenticates and is presented with the first application.
        User1 submits their password change screen, the request is authenticated and if successful the user is presented with the first application.

        Currently, if there is no other logon activity in the interval between the display of the password change form and User1 submitting their password change request it all works fine - User1's password is changed and the first application is displayed.

        Currently, if User2 logs on in the interval between User1 being presented with the password change screen and User1 submitting their password change request, User2 works ok but when User1 submits their password change request they receive a -27.

        Interestingly if User2 logs on with an invalid password in the interval between User1 being presented with the password change screen and User1 submitting their password change request, User1 works fine, their password is changed and they receive the first application.

        It appears as though a successful logon by User2 corrupts some "state" information relating to User1's password change session.

        We experienced the same behaviour in VAGen, but as VAGen was out of support when we encountered it, we were advised to wait until we deployed EGL and then retry.

        We recently added a significant number of new users and their passwords are due to expire at similar times so we expect to encounter this problem more often.

        Sorry for any confusion,

        Appreciate the assistance! John.
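
The three outcomes listed in the post above (change works with no other logon, is ignored after another user's successful logon, works after another user's failed logon) match what happens when "password change pending" state is held in one place shared by all sessions. The following is an added example, not code from this thread or from the EGL/VAGen gateway: a hypothetical Java model (`PendingChangeDemo`, with constructed users, passwords and session ids) that runs those three cases against a shared flag and then the interleaved case against a flag keyed per session.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical model of a logon gateway, not the EGL/VAGen gateway code.
public class PendingChangeDemo {
    // Constructed directory: userid -> {password, "expired" or "ok"}
    static Map<String, String[]> users = new HashMap<>();
    // Weak: a single flag shared by every browser session
    static boolean sharedPending;
    // Fixed: one flag per session id
    static Map<String, Boolean> perSession = new HashMap<>();
    static boolean pending(boolean shared, String sid) {
        return shared ? sharedPending : perSession.getOrDefault(sid, false);
    }
    static void setPending(boolean shared, String sid, boolean v) {
        if (shared) sharedPending = v; else perSession.put(sid, v);
    }
    // Returns "OK", "EXPIRED" (change page served), "CHANGED" or "INVALID"
    static String submit(boolean shared, String sid, String user, String pw, String newPw) {
        String[] rec = users.get(user);
        if (rec == null || !rec[0].equals(pw)) return "INVALID";
        if (pending(shared, sid) && newPw != null) {  // change-password path
            rec[0] = newPw; rec[1] = "ok";
            setPending(shared, sid, false);
            return "CHANGED";
        }
        if (rec[1].equals("expired")) {               // regular logon path
            setPending(shared, sid, true);
            return "EXPIRED";
        }
        setPending(shared, sid, false);               // successful logon resets the flag
        return "OK";
    }
    // User1 (expired) gets the change page, User2 optionally logs on, User1 submits
    static String scenario(boolean shared, String user2Pw) {
        users.clear(); perSession.clear(); sharedPending = false;
        users.put("USER1", new String[] {"old1", "expired"});
        users.put("USER2", new String[] {"pw2", "ok"});
        submit(shared, "s1", "USER1", "old1", null);
        if (user2Pw != null) submit(shared, "s2", "USER2", user2Pw, null);
        return submit(shared, "s1", "USER1", "old1", "new1");
    }
    public static void main(String[] args) {
        System.out.println("shared, no other logon:      " + scenario(true, null));
        System.out.println("shared, User2 logs on:       " + scenario(true, "pw2"));
        System.out.println("shared, User2 bad password:  " + scenario(true, "wrong"));
        System.out.println("per-session, User2 logs on:  " + scenario(false, "pw2"));
    }
}
```
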
        • markevans
          2013-01-30T23:32:19Z in response to E7H0_john_crosbie
          John,

          thanks for the explanation. I had not gotten the full picture.

          I still think the right approach is to open a PMR. This sounds like something that needs to go to the development team. I can imagine our hardest problem will be forcing the expired password... I can't remember how you would do that on z/OS.