IBM Support

Automatic Sign-On for Display Station Pass-Through

Troubleshooting


Problem

This document describes how to set up automatic sign-on for the STRPASTHR command.

Resolving The Problem

Automatic Sign-On for 5250 Display Station Pass-Through or STRPASTHR

IBM OS/400 or IBM i5/OS 5250 Display Station Pass-Through allows you to request an automatic sign-on to the target system. If you have the correct security authorization and if the target system allows automatic sign-on, the sign-on display can be bypassed on the target system.

Step 1: Verify that the QRMTSIGN system value is set correctly. To use automatic sign-on with Display Station Pass-Through, the QRMTSIGN system value must be set to *SAMEPRF or *VERIFY. The possible values for the QRMTSIGN system value are described below.

o Force sign-on (*FRCSIGNON)

The force sign-on value requires all pass-through sessions started for this system to go through normal sign-on procedures. This is the default value.

o Reject (*REJECT)

No pass-through is allowed. All pass-through attempts to this target system are rejected.

Specifying QRMTSIGN(*REJECT) is the most effective method for preventing users from passing through to a system. However, the batch jobs controlling the pass-through sessions run briefly. If the security officer wants to prevent this, the subsystem that handles pass-through requests should be ended or the communications objects should be varied off.

o Same profile (*SAMEPRF)

The same profile value allows you to bypass the sign-on display by specifying that the target system use the same user profile that the source system is using. Bypassing the sign-on display should be allowed for pass-through attempts only if the user profile name on the source system and the user profile name on the target system are identical.

Password verification occurs before the target pass-through program is used. If a password that is not valid is sent on an automatic sign-on attempt, the pass-through session always ends and an error message is sent to the user. However, if the profile names are different, *SAMEPRF indicates that the session ends with a security failure even if the user entered a valid password for the remote user profile.

The sign-on display appears for pass-through attempts not requesting automatic sign-on.

o Verify (*VERIFY)

The VERIFY value allows you to bypass the sign-on display of the target system if valid security information is used. Bypassing the sign-on display should be allowed for any pass-through attempt that provides valid security information. If the password is not valid for the specified target user profile, the pass-through session ends with a security failure.
If this system has a QSECURITY value of 10, any automatic sign-on request is allowed.

The sign-on display appears for pass-through attempts not requesting automatic sign-on.

Use the Change System Value (CHGSYSVAL) command or the Work with System Value (WRKSYSVAL) command to specify the QRMTSIGN system value.

Note: Only a user with *ALLOBJ authority can change the QRMTSIGN system value.

Step 2: Determine where the Secure Location (SECURELOC) parameter can be found.
1. Display the device on the target operating system that is used to connect to the source system.
2. Determine if APPN CAPABLE is set to YES or NO.

*NO - proceed to Step 3
*YES - proceed to Step 4

Step 3: Change Secure Location (SECURELOC) to *YES on the target system not using APPN.

Because APPN Capable is set to *NO, the SECURELOC parameter is located in the device description. The SECURELOC parameter must be set to *YES.

If it says *NO, vary off the device. Then, change the device description (CHGDEVAPPC or Option 2 from the Work with Device Description screen) to have SECURELOC = *YES.

Vary the controller and device off and back on to renegotiate the BIND to allow the security bit indicator to be turned on.

Step 4: Change Secure Location (SECURELOC) to *YES on the target system using APPN.

Because APPN Capable is set to *YES, the SECURELOC parameter is located in the Remote Configuration List. The SECURELOC parameter must be set to *YES.
1. Type WRKCFGL on the operating system command line, and press the Enter key.
2. Does the QAPPNRMT configuration list exist?

YES - proceed to Step 5
NO - proceed to Step 6

Step 5: Use Option 2 to change the QAPPNRMT configuration list. Find the entry that points to the source system, and change the SECURELOC parameter to *YES.

Vary the controller and device off and back on to renegotiate the BIND to allow the security bit indicator to be turned on.

Step 6: Because the QAPPNRMT configuration list does not exist, one must be created. Do the following:
1. Select Option 1 to create and use the list name of QAPPNRMT, and press the Enter key.
2. For the list type, use *APPNRMT, fill in a description, and press the Enter key.
3. Complete the configuration list table. The first three parameters are from the device description, and the fourth and fifth are from the controller. Most importantly, specify SECLOC *YES.
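
The non-APPN path (Steps 1 to 3) written out as CL commands, followed by the automatic sign-on request from the source system. This is an added example, not part of the original IBM document; the object names SRCDEV, SRCCTL and TGTSYS are hypothetical and must be replaced with your own device, controller and remote location names.

```cl
/* Added example. SRCDEV, SRCCTL and TGTSYS are hypothetical names.  */

/* Step 1 (target): check QRMTSIGN, then allow automatic sign-on.    */
/* Changing it requires *ALLOBJ authority. *SAMEPRF is the narrower  */
/* choice: it only accepts identical profile names on both systems.  */
DSPSYSVAL SYSVAL(QRMTSIGN)
CHGSYSVAL SYSVAL(QRMTSIGN) VALUE('*SAMEPRF')

/* Step 2 (target): display the device that connects to the source   */
/* system and read its APPN-capable setting.                         */
DSPDEVD DEVD(SRCDEV)

/* Step 3 (target, APPN capable *NO): vary the controller and its    */
/* attached device off, set SECURELOC on the device description,     */
/* then vary back on so the BIND is renegotiated.                    */
VRYCFG CFGOBJ(SRCCTL) CFGTYPE(*CTL) STATUS(*OFF) RANGE(*NET)
CHGDEVAPPC DEVD(SRCDEV) SECURELOC(*YES)
VRYCFG CFGOBJ(SRCCTL) CFGTYPE(*CTL) STATUS(*ON) RANGE(*NET)

/* Source system: request automatic sign-on with the current profile. */
/* With RMTPWD(*NONE) the target must treat this as a secure location. */
STRPASTHR RMTLOCNAME(TGTSYS) RMTUSER(*CURRENT) RMTPWD(*NONE)
```

When APPN Capable is *YES, the CHGDEVAPPC line does not apply; SECURELOC is set in the QAPPNRMT configuration list through WRKCFGL as described in Steps 4 to 6.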

Below are examples of automatic sign-on for STRPASTHR.

Automatic Sign-on: Examples
If system value QRMTSIGN has a value of:
*REJECT - All passthrough requests are rejected with message CPF8935
or
*FRCSIGNON - All passthrough requests will receive a sign-on screen.

STRPASTHR RMTUSER(*NONE): This passthrough attempt does not request automatic sign-on so all users will receive a sign-on screen.

STRPASTHR RMTUSER(*CURRENT)

RMTPWD(*NONE): The remote location must be a secure location, or the user receives message CPD8905.
Non-APPN capable - SECURELOC(*YES) must be specified in the APPC device description.
APPN capable - A remote configuration list entry with the secure location *YES.

RMTPWD(password): The password must be valid for the user profile on the target system, or the user receives message CPF8936. Otherwise, no messages are issued and the user is automatically signed on.

STRPASTHR RMTUSER(FRED)

RMTPWD(*NONE): The user receives message CPF8905; a password must always be specified when a user profile name is specified in the RMTUSER parameter.

RMTPWD(password): The password must be valid for user profile FRED on the target system, or FRED receives message CPF8936. Otherwise, no messages are issued and the user is automatically signed on.

Situation: FRED is doing a STRPASTHR and specifies RMTUSER(MARY)

RMTPWD(*NONE): The user receives message CPF8905; a password must always be specified when a user profile name is specified in the RMTUSER parameter.

RMTPWD(password): The password must be valid for the user profile MARY on the target system, or FRED receives message CPF8936.

System value QRMTSIGN:
*SAMEPRF - No passthrough session occurs. A CPF8936 message is sent to the user of the STRPASTHR command and a job log is created on the target system.
*VERIFY - User is automatically signed on.

Note:
If the source machine receives message CPF8936 on a normal STRPASTHR TARGET command, look on the target machine for a CPF1269 with an RC of 726,0. Then determine whether the QUSER profile has been disabled.



Historical Number

18135948

Document Information

Modified date:
18 December 2019

UID

nas8N1017902