Generate Profile Token (QsyGenPrfTkn) API
Syntax for QsyGenPrfTkn:
    #include <qsyptkn.h>

    void QsyGenPrfTkn
            (unsigned char *Profile_token,
             char          *User_profile_name,
             char          *User_password,
             int           *Time_out_interval,
             char          *Profile_token_type,
             void          *Error_code);

Service Program: QSYPTKN
Default Public Authority: *USE
Threadsafe: Yes
The Generate Profile Token (QsyGenPrfTkn) API verifies that the caller has authority to generate a profile token for the requested profile and then generates a profile token. This profile token can be passed to one or more additional processes which can then use it to perform tasks on behalf of the authenticated user.
This API requires a special value to be specified for the user password parameter. If you need to validate a user password, see the Generate Profile Token Extended (QsyGenPrfTknE) API.
The Generate Profile Token API follows this process:
- Verifies that the user ID and password value are correct. Incorrect password values and special cases are handled as follows:
  - *NOPWD is not allowed if the user profile name is the name of the user profile running currently.
  - To obtain a profile token for a profile that does not have a password, specify *NOPWD, *NOPWDCHK or *NOPWDSTS for the password parameter. You cannot obtain a profile token for the following system-supplied user profiles: QAUTPROF, QDLFM, QMSF, QSNADS, QTSTRQS, QCLUMGT, QDOC, QNETSPLF, QSPL, QCOLSRV, QDSNX, QNFSANON, QSPLJOB, QDBSHR, QFNC, QNTP, QSRVAGT, QDBSHRDO, QGATE, QPEX, QSYS, QDFTOWN, QLPAUTO, QPM400, QTCP, QDIRSRV, QLPINSTALL, QRJE, QTFTP.
  - To obtain a profile token for a profile that is disabled, specify *NOPWDCHK for the password parameter.
  - To obtain a profile token when the password is expired, specify *NOPWDCHK or *NOPWDSTS for the password parameter.
- Generates the profile token designating the user's authorities. The maximum number of profile tokens that can be generated is approximately 2,000,000 per system; after that, the space to store them is full. Message CPF4AAA is sent to the application, and no more profile tokens can be generated until one is removed.
- Updates the last-used date for the user and its group profiles.
- Resets the signon attempts not valid count to zero when a profile token is successfully generated for a user.
- If security-related events are being audited, adds an entry to the QAUDJRN audit journal to indicate that a profile token is created.
Authorities and Locks
- API Public Authority: *USE
- User profile authority: *USE
- User Profile Lock: *LSRD
Required Parameter Group
- Profile token
- OUTPUT; CHAR(32)
The profile token that is generated.
- User profile name
- INPUT; CHAR(10)
The name of the user for which to generate the profile token.
- User password
- INPUT; CHAR(10)
The password value used to generate the profile token.
Only special values are allowed for this parameter. A special value must be a 10 character, blank padded value in CCSID 37.
One of the following special values must be specified:
*NOPWD: The user requesting the profile token must have *USE authority to the user profile. A profile token does not get created for a disabled user profile. A profile token does not get created for a user profile with an expired password. This value is not allowed if the name of the currently running profile is specified for the user profile name parameter.
*NOPWDCHK: The user requesting the profile token must have *USE authority to the user profile. If the profile is disabled, the user requesting the profile token must have *ALLOBJ and *SECADM special authorities to get a token. If the password is expired, the user requesting the profile token must have *ALLOBJ and *SECADM special authorities to get a token. If the currently running profile is specified for the user profile name parameter, the profile is required to have *ALLOBJ and *SECADM special authority to get a token.
*NOPWDSTS: The user requesting the profile token must have *USE authority to the user profile. A profile token does not get created for a disabled user profile. If the password is expired, the user requesting the profile token must have *ALLOBJ and *SECADM special authorities to get a token. If the currently running profile is specified for the user profile name parameter, the profile is required to have *ALLOBJ and *SECADM special authority to get a token.
- Time out interval
- INPUT; BINARY(4)
The time before the profile token times out.
You can specify one of the following values:
-1: Use system default value (3600 seconds).
1-3600: Time out value in seconds.
- Profile token type
- INPUT; CHAR(1)
The type of the profile token to be generated.
You can specify one of the following values:
1: Single-use profile token. A single-use profile token can be used only on the Set To Profile Token (QSYSETPT; QsySetToPrfTkn) API once and cannot be used to generate new profile tokens.
2: Multiple-use profile token. A multiple-use profile token can be used on the Set To Profile Token (QSYSETPT; QsySetToPrfTkn) API an unlimited number of times, but cannot be used to generate new profile tokens.
3: Multiple-use, regenerable profile token. A multiple-use, regenerable profile token can be used on the Set To Profile Token (QSYSETPT; QsySetToPrfTkn) API an unlimited number of times and can be used to generate a new single-use, multiple-use, or multiple-use, regenerable profile token.
- Error code
- I/O; CHAR(*)
The structure in which to return error information. For the format of the structure, see Error Code Parameter.
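The special-value, time-out and token-type rules above, written out as a pre-flight check. This is an added example, not IBM's code: it models the documented rules and does not call the API. `struct request` and `preflight` are hypothetical names, the caller is assumed to hold *USE authority to the target profile, and the pairing of each condition with a message ID and the order of the checks are assumptions inferred from the message texts.

```c
#include <string.h>

struct request {                /* hypothetical structure for this sketch */
    const char *special;        /* "*NOPWD", "*NOPWDCHK" or "*NOPWDSTS" */
    int timeout;                /* -1 or 1..3600 seconds */
    char token_type;            /* '1', '2' or '3' */
    int target_is_current;      /* target profile is the one running now */
    int disabled;               /* target profile is disabled */
    int expired;                /* target profile's password is expired */
    int caller_privileged;      /* caller has *ALLOBJ and *SECADM */
};

/* Returns "" if the rules allow a token, else the message ID to expect.
   Check order is an assumption; *USE authority to the profile is assumed. */
const char *preflight(const struct request *r)
{
    int nopwd = strcmp(r->special, "*NOPWD") == 0;
    int chk   = strcmp(r->special, "*NOPWDCHK") == 0;
    int sts   = strcmp(r->special, "*NOPWDSTS") == 0;

    if (!nopwd && !chk && !sts)
        return "CPF3C3C";               /* only special values are allowed */
    if (r->timeout != -1 && (r->timeout < 1 || r->timeout > 3600))
        return "CPF4AAB";               /* time out value not valid */
    if (r->token_type < '1' || r->token_type > '3')
        return "CPF4AAD";               /* profile token type not valid */

    if (r->target_is_current) {
        if (nopwd) return "CPF227F";    /* *NOPWD never for current user */
        if (!r->caller_privileged) return "CPF4AA5";
    }
    if (r->disabled) {
        if (!chk) return "CPF22E3";     /* only *NOPWDCHK skips this check */
        if (!r->caller_privileged) return "CPF4AA5";
    }
    if (r->expired) {
        if (nopwd) return "CPF22E4";    /* *NOPWD honours expiry */
        if (!r->caller_privileged) return "CPF4AA5";
    }
    return "";                          /* token would be generated */
}
```

Read as a least-privilege guide: *NOPWD needs no special authority but fails on disabled or expired profiles, while *NOPWDCHK and *NOPWDSTS bypass those states only for callers holding *ALLOBJ and *SECADM.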
Error Messages
Message ID | Error Message Text |
---|---|
CPF22E3 E | User profile &1 is disabled. |
CPF22E4 E | Password for user profile &1 has expired. |
CPF22E9 E | *USE authority to user profile &1 required. |
CPF2204 E | User profile &1 not found. |
CPF2213 E | Not able to allocate user profile &1. |
CPF2225 E | Not able to allocate internal system object. |
CPF227F E | *NOPWD not allowed for current user. |
CPF3CF1 E | Error code parameter not valid. |
CPF3C3C E | Value for parameter &1 not valid. |
CPF3C90 E | Literal value cannot be changed. |
CPF4AA5 E | *ALLOBJ and *SECADM special authority required. |
CPF4AAA E | Maximum number of profile tokens have been generated. |
CPF4AAB E | Time out value not valid. |
CPF4AAD E | Profile token type not valid. |
CPF4AB8 E | Insufficient authority for user profile &1. |
CPF9872 E | Program or service program &1 in library &2 ended. Reason code &3. |
API introduced: V4R5