Troubleshooting
Problem
The sample program demonstrates how to create a WATCH which automatically enables a disabled IBM i NetServer user ID when message CPIB682 is generated.
Resolving The Problem
NOTE: The "SMBWATCH" program documented here represents a circumvention of IBM i security. Automated re-enablement of profiles allows infinite brute-force attempts against those profiles and use of this program is discouraged.
At IBM i v750 and later releases, system administrators can set the "Maximum sign-on attempts" (MAXSIGN) parameter per user with CHGUSRPRF. This may reduce how often users who are frequently disabled for NetServer end up disabled.
The sample program demonstrates how to create a WATCH which automatically enables a disabled IBM i NetServer user ID when message CPIB682 is generated. The disabled user ID is read from the EVENTDATA, and the QZLSCHSI API is used to enable the user ID. We recommend adding logic that limits how often a given user ID is enabled, so that the tool cannot be used to allow brute-force attacks that guess a password. A confirmation message that the user was enabled is sent to the QSYSOPR message queue. You can also name a message queue to receive a message containing the disabled user ID and the sending IP address.
NOTE: Use of the QZLSCHSI API requires that you have *IOSYSCFG special authority. To use format ZLSS0200 to enable an IBM i NetServer user, you must also have *SECADM special authority and *OBJMGT and *USE authority to the system user profile. The QZLSCHSI API is documented in IBM Documentation.
Example
PGM SMBWATCH
/*****************************************************************************/
             PGM        PARM(&WCHOPTSET &SESSIONID &ERRDETECT &EVENTDATA)
/*****************************************************************************/
/* DEMO NETSERVER WATCH PROGRAM - FOR RE-ENABLING A NETSERVER USER */
/*****************************************************************************/
/*****************************************************************************/
/* */
/* THE INFORMATION CONTAINED IN THIS DOCUMENT HAS NOT BEEN SUBMITTED */
/* TO ANY FORMAL TESTS AND IS DISTRIBUTED ON AN 'AS IS' BASIS */
/* WITHOUT ANY WARRANTY EITHER EXPRESSED OR IMPLIED. THE USE OF THIS */
/* INFORMATION OR THE IMPLEMENTATION OF ANY OF THESE TECHNIQUES IS A */
/* CUSTOMER RESPONSIBILITY AND DEPENDS ON THE CUSTOMER'S ABILITY TO */
/* EVALUATE AND INTEGRATE THEM INTO THE CUSTOMER'S OPERATION */
/* ENVIRONMENT. WHILE EACH ITEM MAY HAVE BEEN REVIEWED BY IBM */
/* FOR ACCURACY IN A SPECIFIC SITUATION, THERE IS NO GUARANTEE THAT THE */
/* SAME OR SIMILAR RESULTS WILL BE OBTAINED ELSEWHERE. CUSTOMERS */
/* ATTEMPTING TO ADAPT THESE TECHNIQUES TO THEIR ENVIRONMENTS DO SO */
/* AT THEIR OWN RISK. */
/* */
/*****************************************************************************/
/*****************************************************************************/
/* THIS PROGRAM CALLS THE QZLSCHSI API TO RE-ENABLE A DISABLED NETSERVER */
/* USER PROFILE. */
/* */
/* CHANGE SERVER INFORMATION (QZLSCHSI) API */
/* */
/* REQUIRED PARAMETER GROUP: */
/* */
/* 1 REQUEST VARIABLE                 INPUT  CHAR(*) */
/* 2 LENGTH OF REQUEST VARIABLE       INPUT  BINARY(4) */
/* 3 FORMAT                           INPUT  CHAR(8) */
/* 4 ERROR CODE                       I/O    CHAR(*) */
/* */
/* DEFAULT PUBLIC AUTHORITY: *USE */
/* */
/* THREADSAFE: NO */
/* */
/*****************************************************************************/
/*****************************************************************************/
/* CREATE A LIB  E.G. SMBWATCH => VARIABLE MYLIB */
/* CREATE A MSGQ E.G. SMBWATCH => VARIABLE MYMSGQ */
/*****************************************************************************/
/*****************************************************************************/
/* PARAMETERS PASSED TO WATCH EXIT PROGRAM */
/*****************************************************************************/
             DCL        VAR(&WCHOPTSET) TYPE(*CHAR) LEN(10)
             DCL        VAR(&SESSIONID) TYPE(*CHAR) LEN(10)
             DCL        VAR(&ERRDETECT) TYPE(*CHAR) LEN(10)
             DCL        VAR(&EVENTDATA) TYPE(*CHAR) LEN(1024)
/*****************************************************************************/
/* LOCAL VARIABLES */
/*****************************************************************************/
/* MESSAGE INFORMATION: USER, IP, ETC. */
             DCL        VAR(&MYMSG)     TYPE(*CHAR) LEN(79)
/* LIB FOR THE MESSAGE QUEUE */
             DCL        VAR(&MYLIB)     TYPE(*CHAR) LEN(15) VALUE(SMBWATCH)
/* MESSAGE QUEUE */
             DCL        VAR(&MYMSGQ)    TYPE(*CHAR) LEN(15) VALUE(SMBWATCH)
/* DISABLED USER ID */
             DCL        VAR(&USRPRF)    TYPE(*CHAR) STG(*AUTO) LEN(10)
/* REQUEST VARIABLE FOR FORMAT ZLSS0200: 4-BYTE LENGTH + 10-CHAR USER NAME */
             DCL        VAR(&RQSVAR)    TYPE(*CHAR) LEN(14)
             DCL        VAR(&RQSLEN)    TYPE(*INT)  VALUE(14)
/*****************************************************************************/
/* FILLING VARIABLES */
/*****************************************************************************/
/* NOTE THAT THE VALUE ON THE NEXT LINE IS TEN (10) SPACES. IT MIGHT */
/* BE COMPRESSED WHEN YOU VIEW IT, SO MAKE SURE IT HAS ALL 10 SPACES TO */
/* PREVENT RUN-TIME ERRORS. */
             CHGVAR     VAR(&ERRDETECT) VALUE('          ')
/* THE DISABLED USER NAME IS TAKEN FROM THE CPIB682 EVENT DATA */
             CHGVAR     VAR(&USRPRF)    VALUE(%SST(&EVENTDATA 493 10))
/* NOTE THAT THE VALUE ON THE NEXT LINE IS FOUR (4) SPACES. IT MIGHT */
/* BE COMPRESSED WHEN YOU VIEW IT, SO MAKE SURE IT HAS ALL 4 SPACES TO */
/* MAKE ROOM FOR THE PARAMETER LENGTH TO BE INSERTED AS A 4-BYTE */
/* INTEGER BEFORE THE NAME. */
             CHGVAR     VAR(&RQSVAR)    VALUE('    ' *CAT &USRPRF)
             CHGVAR     VAR(%BINARY(&RQSVAR 1 4)) VALUE(&RQSLEN)
/*****************************************************************************/
/* SENDING A MESSAGE WITH DISABLED UID AND IP@ TO MYMSGQ (UNCOMMENT TO USE) */
/*****************************************************************************/
/*           CHGVAR     VAR(&MYMSG) VALUE(%SST(&EVENTDATA 490 80))          */
/*           SNDMSG     MSG(&MYMSG) TOMSGQ(&MYLIB/&MYMSGQ)                  */
/*****************************************************************************/
/* RE-ENABLING USER PROFILE */
/*****************************************************************************/
/*---------------------------------------------------------------------------*/
/* YOU MIGHT PUT SOME LOGIC IN HERE, E.G. SO THAT A USER WILL ONLY BE */
/* RE-ENABLED ONCE OR X TIMES A DAY. ADDITIONALLY AN SMS OR E-MAIL COULD BE */
/* SENT TO THE OPERATOR. */
/*---------------------------------------------------------------------------*/
             CALL       PGM(QSYS/QZLSCHSI) PARM(&RQSVAR &RQSLEN ZLSS0200 +
                          X'00000000')
/*****************************************************************************/
/* SEND A MESSAGE TO QSYSOPR THAT USER IS RE-ENABLED */
/*****************************************************************************/
             CHGVAR     VAR(&MYMSG) VALUE('WATCH RE-ENABLED NETSERVER USER: ')
             CHGVAR     VAR(&MYMSG) VALUE(&MYMSG *TCAT &USRPRF)
             SNDMSG     MSG(&MYMSG) TOUSR(*SYSOPR)
/*****************************************************************************/
             ENDPGM
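The comment block in SMBWATCH leaves the "once or X times a day" logic to the reader. The following helper program is an added example, not IBM's sample code: it assumes a program name of CHKLIMIT in library SMBWATCH, that the watch job may create data areas in that library, and a limit of three re-enablements per user per day (&MAXPERDAY). It keeps one data area per user profile holding the date and that day's count, and returns &ALLOW = 'Y' only while the count is still below the limit.

```cl
/* Added example (not IBM's code): SMBWATCH/CHKLIMIT, a per-user daily   */
/* re-enable limiter. One *DTAARA per user profile in library SMBWATCH,  */
/* 9 characters: positions 1-6 = date (QDATE), 7-9 = count for that day. */
             PGM        PARM(&USRPRF &ALLOW)
             DCL        VAR(&USRPRF)    TYPE(*CHAR) LEN(10)
             DCL        VAR(&ALLOW)     TYPE(*CHAR) LEN(1)
             DCL        VAR(&MAXPERDAY) TYPE(*DEC)  LEN(3 0) VALUE(3)
             DCL        VAR(&TODAY)     TYPE(*CHAR) LEN(6)
             DCL        VAR(&DAVAL)     TYPE(*CHAR) LEN(9)
             DCL        VAR(&COUNT)     TYPE(*DEC)  LEN(3 0)
             DCL        VAR(&COUNTC)    TYPE(*CHAR) LEN(3)
             DCL        VAR(&MYMSG)     TYPE(*CHAR) LEN(79)

/* Default to refusing; only the successful path below sets 'Y'          */
             CHGVAR     VAR(&ALLOW) VALUE('N')
             RTVSYSVAL  SYSVAL(QDATE) RTNVAR(&TODAY)
/* First time this user is seen: create its counter data area (blank)    */
             CHKOBJ     OBJ(SMBWATCH/&USRPRF) OBJTYPE(*DTAARA)
             MONMSG     MSGID(CPF9801) EXEC(CRTDTAARA +
                          DTAARA(SMBWATCH/&USRPRF) TYPE(*CHAR) LEN(9) +
                          VALUE(' ') TEXT('SMBWATCH RE-ENABLE COUNTER'))
             RTVDTAARA  DTAARA(SMBWATCH/&USRPRF) RTNVAR(&DAVAL)
/* New day, or a still-blank area: start counting from zero              */
             IF         COND(%SST(&DAVAL 1 6) *NE &TODAY) +
                          THEN(CHGVAR VAR(&COUNT) VALUE(0))
             ELSE       CMD(CHGVAR VAR(&COUNT) VALUE(%SST(&DAVAL 7 3)))
/* Limit reached: refuse and tell the operator so a human can look      */
             IF         COND(&COUNT *GE &MAXPERDAY) THEN(DO)
               CHGVAR     VAR(&MYMSG) VALUE('WATCH: RE-ENABLE LIMIT +
                            REACHED FOR NETSERVER USER' *BCAT &USRPRF)
               SNDMSG     MSG(&MYMSG) TOUSR(*SYSOPR)
               RETURN
             ENDDO
/* Record this re-enablement (count is stored zero-padded, e.g. 001)    */
             CHGVAR     VAR(&COUNT)  VALUE(&COUNT + 1)
             CHGVAR     VAR(&COUNTC) VALUE(&COUNT)
             CHGVAR     VAR(&DAVAL)  VALUE(&TODAY *CAT &COUNTC)
             CHGDTAARA  DTAARA(SMBWATCH/&USRPRF) VALUE(&DAVAL)
             CHGVAR     VAR(&ALLOW) VALUE('Y')
             ENDPGM
```

SMBWATCH would declare &ALLOW as TYPE(*CHAR) LEN(1), run CALL PGM(SMBWATCH/CHKLIMIT) PARM(&USRPRF &ALLOW) just before the QZLSCHSI call, and RETURN when &ALLOW is not 'Y'.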
You might start the WATCH by using the following CL PGM (STRMYWCH)
/**************************************************************************/
/* */
/* THE INFORMATION CONTAINED IN THIS DOCUMENT HAS NOT BEEN SUBMITTED */
/* TO ANY FORMAL TESTS AND IS DISTRIBUTED ON AN 'AS IS' BASIS */
/* WITHOUT ANY WARRANTY EITHER EXPRESSED OR IMPLIED. THE USE OF THIS */
/* INFORMATION OR THE IMPLEMENTATION OF ANY OF THESE TECHNIQUES IS A */
/* CUSTOMER RESPONSIBILITY AND DEPENDS ON THE CUSTOMER'S ABILITY TO */
/* EVALUATE AND INTEGRATE THEM INTO THE CUSTOMER'S OPERATION */
/* ENVIRONMENT. WHILE EACH ITEM MAY HAVE BEEN REVIEWED BY IBM */
/* FOR ACCURACY IN A SPECIFIC SITUATION, THERE IS NO GUARANTEE THAT THE */
/* SAME OR SIMILAR RESULTS WILL BE OBTAINED ELSEWHERE. CUSTOMERS */
/* ATTEMPTING TO ADAPT THESE TECHNIQUES TO THEIR ENVIRONMENTS DO SO */
/* AT THEIR OWN RISK. */
/* */
/**************************************************************************/
             PGM
/* The watch program on the next line should be whatever you called the */
/* NetServer watch program. */
             STRWCH     SSNID(NETSERVER) WCHPGM(SMBWATCH/SMBWATCH) +
                          CALLWCHPGM(*WCHEVT) WCHMSG((CPIB682)) +
                          WCHMSGQ((*SYSOPR))
             ENDPGM
Historical Number: 653169169
Document Information
More support for: IBM i
Component: Integrated File System->NetServer
Software version: All Versions
Operating system(s): IBM i
Document number: 683941
Modified date: 23 October 2024
UID: nas8N1010645