ASNA Mobile RPG® Reference Manual
Resetting Expired User Passwords
This topic explains a solution that lets users with expired passwords update them through your Mobile RPG program.
Many Wings and Mobile RPG applications require that users provide their IBM i credentials in the form of User and Password. These credentials are used to establish a Job on the IBM i through a DataGate connection.
In the past, if a user's password was expired, the user could not start the application and had to reset the password in a 'Green Screen' session, or ask an administrator to reset it.
The new login process in version 8.0 of Wings and Mobile RPG provides a configuration setting that enables a user to reset the expired password.
Caution – Please note that this information is provided solely as an example. You must explore its benefits and risks and see if it fits within your organization's security policies. ASNA does not guarantee the usability of this information and by using it you assume all responsibility.
Enabling this facility requires several tasks, on the IBM i and on the website and server.
On the IBM i
Copyright (c) 2020 ASNA, Inc. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. [The MIT License (MIT) ]
You will create a program that uses the QSYCHGPW API to change user passwords.
This program will run under the ownership of a user profile ("RESETPASS") with high authorities. The program will only be allowed to be executed by a second user profile ("RESETCALLR").
Consider these steps:
- Create the user profile "RESETPASS" as follows:
  - Give it *SECADM special authority and *OBJMGT, *READ and *EXECUTE authorities to all the user profiles which will be allowed to reset their own passwords (typically all of the application's users).
  - Set the password to *NONE. This will prevent anybody from using this account to sign on to the system.
===> CRTUSRPRF USRPRF(RESETPASS) PASSWORD(*NONE) USRCLS(*SECADM) TEXT('To be used for Resetting Wings/MR passwords')
===> GRTOBJAUT OBJ(QSYS/*ALL) OBJTYPE(*USRPRF) USER(RESETPASS) AUT(*OBJMGT *READ *EXECUTE)
Alternatively, you could use the following (note that *ALLOBJ grants authority to every object on the system, which is far broader than the per-profile authorities granted above):
===> CHGUSRPRF USRPRF(RESETPASS) SPCAUT(*SECADM *ALLOBJ)
- Create a second user profile "RESETCALLR" as follows:
  - Give it the minimum authority.
  - Set the initial menu to *SIGNOFF to prevent interactive use of the account.
===> CRTUSRPRF USRPRF(RESETCALLR) PASSWORD(blahblahblah) INLMNU(*SIGNOFF) TEXT('Caller of Reset Wings/MR passwords')
- Review the following source:
PGM        PARM(&USERNAME &OLDPASS &LENOLD &NEWPASS +
                &LENNEW &RESULT)
DCL        VAR(&USERNAME)  TYPE(*CHAR) LEN(10)
DCL        VAR(&OLDPASS)   TYPE(*CHAR) LEN(128)
DCL        VAR(&LENOLD)    TYPE(*INT)  LEN(4)
DCL        VAR(&NEWPASS)   TYPE(*CHAR) LEN(128)
DCL        VAR(&LENNEW)    TYPE(*INT)  LEN(4)
DCL        VAR(&RESULT)    TYPE(*CHAR) LEN(100)
DCL        VAR(&ERRORCODE) TYPE(*INT)  LEN(4) VALUE(0) /* Bytes provided = 0: API signals errors as exceptions */
DCL        VAR(&CCSID0)    TYPE(*INT)  LEN(4) VALUE(0) /* CCSID 0 = job CCSID */
DCL        VAR(&FIRSTCHAR) TYPE(*CHAR) LEN(1)
DCL        VAR(&MSGID)     TYPE(*CHAR) LEN(7)
DCL        VAR(&MSGTXT)    TYPE(*CHAR) LEN(100)

CHGVAR     &RESULT VALUE(' ')
/* Make sure we don't attempt to change a system account */
CHGVAR     VAR(&FIRSTCHAR) VALUE(%SST(&USERNAME 1 1))
IF         (&FIRSTCHAR = 'Q' *OR &FIRSTCHAR = 'q') DO
  CHGVAR     &RESULT VALUE('TEXT--:INVALID User Name')
  GOTO       ENDPROG
ENDDO

/* New password should not start with a digit */
CHGVAR     VAR(&FIRSTCHAR) VALUE(%SST(&NEWPASS 1 1))
IF         (&FIRSTCHAR >= '0' *AND &FIRSTCHAR <= '9') DO
  CHGVAR     &RESULT VALUE('TEXT--:INVALID Numeric Password')
  GOTO       ENDPROG
ENDDO

/* Old password should be given */
IF         (&OLDPASS = '*NOPWD') DO
  CHGVAR     &RESULT VALUE('TEXT--:INVALID Old Password')
  GOTO       ENDPROG
ENDDO

/* Call API to change the password */
CHGVAR     &RESULT VALUE('Password has been Reset') /* Optimistic */
CALL       PGM(QSYCHGPW) PARM(&USERNAME &OLDPASS +
                &NEWPASS &ERRORCODE &LENOLD &CCSID0 +
                &LENNEW &CCSID0)
MONMSG     CPF0000 EXEC(DO)
  /* API failed: return the message id and text instead */
  RCVMSG     MSGTYPE(*LAST) MSG(&MSGTXT) MSGID(&MSGID)
  CHGVAR     &RESULT VALUE(&MSGID *BCAT &MSGTXT)
ENDDO

ENDPROG:
ENDPGM
- If it seems appropriate to you, add the source to a source member 'MYRESETLIB/QCLSRC RESETPW' and create the CL program RESETPW, setting its attributes as follows:
===> CRTBNDCL PGM(MYRESETLIB/RESETPW) SRCFILE(MYRESETLIB/QCLSRC) SRCMBR(RESETPW) USRPRF(*OWNER) AUT(*EXCLUDE)
===> CHGOBJOWN OBJ(MYRESETLIB/RESETPW) OBJTYPE(*PGM) NEWOWN(RESETPASS)
===> GRTOBJAUT OBJ(MYRESETLIB/RESETPW) OBJTYPE(*PGM) USER(RESETCALLR) AUT(*USE)
===> GRTOBJAUT OBJ(QSYS/MYRESETLIB) OBJTYPE(*LIB) USER(RESETCALLR) AUT(*USE)
On the Website and Server
You will create a DataGate Database Name with the "RESETCALLR" user profile, and it will be through this Database Name that the website will invoke the "RESETPW" program on the IBM i.
Consider these steps:
- Create the Public DataGate Database Name called "PassReseter" with these properties:
Property | Value |
---|---|
Server | Your IBM i Server |
Label | DB2 |
User | RESETCALLR |
Password | InputPassword |
Initial Library List | MYRESETLIB |
- In the Website project, under the <appSettings> section of the Web.config file, set the ResetExpiredPassword key to "true" as follows:
<appSettings>
  <add key="vs:EnableBrowserLink" value="false"/>
  . . .
  <add key="ResetExpiredPassword" value="true"/>
</appSettings>
The reset password function on the web site will invoke the RESETPW program using the library list. Setting the 'Initial Library List' to 'MYRESETLIB' allows the call to succeed; however, an unqualified call is vulnerable to having a different program named RESETPW, placed earlier in the library list (a 'Man in the Middle'), be invoked instead of the real one. For a more secure way of making the call, you could modify the setNewPassword method of the WingsLogon (or MobileRPGLogon) file, located in the website's App_Code folder, so that the program name is library-qualified:
private string setNewPassword(string user, string password, string newPass)
{
    AdgConnection reseterConnection;
    . . .
    string result = string.Empty;
    /* From this:  string programName = "RESETPW"; */
    /* To this:    string programName = "MYRESETLIB/RESETPW"; */
    string programName = "MYRESETLIB/RESETPW";
    . . .
}
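The website side of the RESETPW contract, modelled in Python as an added example; this is not ASNA's code and not part of the Wings/Mobile RPG product. It mirrors the guards the CL program applies before calling QSYCHGPW (no Q* profiles, no digit-leading new password, no *NOPWD as the old password) so bad input is rejected before a DataGate call is spent, sizes the fixed-length parameters the program declares, and classifies the &RESULT text the program returns so the web layer shows the user only the intended text and keeps the CPF message id for its own log. It assumes the job CCSID that RESETPW passes as 0 corresponds to EBCDIC cp037, and it adds a length check, labelled in the code, that RESETPW itself does not perform.

```python
"""Website-side model of the RESETPW contract.

Added example, not ASNA's code and not part of the Wings/Mobile RPG
product.  It mirrors the guards the RESETPW CL program applies before it
calls QSYCHGPW, sizes the fixed-length buffers the program declares, and
classifies the &RESULT text the program hands back.
"""
from dataclasses import dataclass

USER_LEN = 10          # DCL VAR(&USERNAME) TYPE(*CHAR) LEN(10)
PASSWORD_LEN = 128     # DCL VAR(&OLDPASS) / VAR(&NEWPASS) TYPE(*CHAR) LEN(128)
RESULT_LEN = 100       # DCL VAR(&RESULT) TYPE(*CHAR) LEN(100)
NOPWD = "*NOPWD"       # QSYCHGPW special value that RESETPW refuses
TEXT_PREFIX = "TEXT--:"                 # marks a validation failure raised by RESETPW
SUCCESS_TEXT = "Password has been Reset"
# Assumption: the job CCSID that RESETPW passes to QSYCHGPW as 0 is EBCDIC cp037.
JOB_ENCODING = "cp037"


@dataclass(frozen=True)
class ResetParams:
    """Parameters in the order RESETPW declares them, ready for the call."""
    user: str
    old_password: bytes    # blank-padded to PASSWORD_LEN in the job encoding
    len_old: int           # &LENOLD: bytes actually used
    new_password: bytes
    len_new: int           # &LENNEW


def prepare_reset(user: str, old_password: str, new_password: str) -> ResetParams:
    """Reject what RESETPW would reject, then size the buffers it declares.

    Raises ValueError carrying the same 'TEXT--:' text RESETPW returns, so the
    caller can map both paths to one user-facing message.
    """
    user = user.strip().upper()        # IBM i profile names are upper case
    if not user or len(user) > USER_LEN or user.startswith("Q"):
        # Empty or overlong names would be truncated by the 10-byte field;
        # Q* names are system profiles and RESETPW refuses them.
        raise ValueError(TEXT_PREFIX + "INVALID User Name")
    if new_password[:1] and new_password[0] in "0123456789":
        raise ValueError(TEXT_PREFIX + "INVALID Numeric Password")
    if old_password.strip().upper() == NOPWD:
        # *NOPWD would let a *SECADM caller skip proof of the old password.
        raise ValueError(TEXT_PREFIX + "INVALID Old Password")
    try:
        old_b = old_password.encode(JOB_ENCODING)
        new_b = new_password.encode(JOB_ENCODING)
    except UnicodeEncodeError:
        raise ValueError(TEXT_PREFIX + "INVALID Password Character") from None
    # Added check (not in RESETPW): CL would silently truncate at 128 bytes.
    for b in (old_b, new_b):
        if not b or len(b) > PASSWORD_LEN:
            raise ValueError(TEXT_PREFIX + "INVALID Password Length")
    blank = " ".encode(JOB_ENCODING)   # EBCDIC blank (0x40), not ASCII 0x20
    return ResetParams(user,
                       old_b.ljust(PASSWORD_LEN, blank), len(old_b),
                       new_b.ljust(PASSWORD_LEN, blank), len(new_b))


@dataclass(frozen=True)
class ResetOutcome:
    ok: bool
    user_message: str      # safe to display
    message_id: str        # CPF id for the server log; empty unless the API failed
    raw: str               # full &RESULT text for the server log


def classify_result(result: str) -> ResetOutcome:
    """Interpret the 100-byte &RESULT field RESETPW returns."""
    text = result[:RESULT_LEN].rstrip()   # *CHAR fields come back blank-padded
    if text == SUCCESS_TEXT:
        return ResetOutcome(True, "Your password has been reset.", "", text)
    if text.startswith(TEXT_PREFIX):
        # RESETPW's own validation text, written to be shown to the user.
        return ResetOutcome(False, text[len(TEXT_PREFIX):].strip(), "", text)
    # Otherwise MONMSG CPF0000 fired and &RESULT is '<MSGID> <message text>'.
    # Keep the id for the log; do not echo IBM i diagnostics to the browser.
    msgid = text.split(" ", 1)[0]
    return ResetOutcome(False, "The password could not be changed.", msgid, text)


if __name__ == "__main__":
    params = prepare_reset("alice", "OldPw1", "N3wPw")   # constructed sample input
    print(params.user, params.len_old, params.len_new)
    # constructed sample of a MONMSG result; CPF9898 is the general-purpose message id
    print(classify_result("CPF9898 Sample message text (constructed)".ljust(RESULT_LEN)))
```

Running the checks in the web layer does not replace the checks inside RESETPW: the CL program is the trust boundary, since it runs with RESETPASS's authority, and the website copy only gives users a faster answer and keeps malformed parameters off the wire.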
Your Own Names
In this document, several IBM i object names have been used. These are only examples, and it would be preferable for you to use your own names. These are the names used:
Name | Object |
---|---|
RESETPW | Program |
MYRESETLIB | Library |
RESETPASS | User Profile |
RESETCALLR | User Profile |
Examples
If everything is set up correctly, when you try to log in to a Wings application with a user account that has its password expired, you should see a sequence of screens similar to these:
1. User attempts to log on with an expired user password.
2. A screen is presented requesting the user to reset the password.
3. The screen is redirected back to the logon screen, showing that the password has been reset.
4. After entering the new password, the application continues as normal.