AS400 password synchronization between different AS400 systems


  • AS400 password synchronization between different AS400 systems

    Does anyone know of a product which allows a password to be changed from one AS400 system, with the change then replicated to other AS400 systems? Thanks.

  • #2
    AS400 password synchronization between different AS400 systems

    Raymond, Have you tried RUNRMTCMD CHGPWD? I don't know if it'll work, but I would assume that you could have a CL perform this, with logcl(*NO) so it can't be read by the normal AS/400 user. Ford New-Holland, in New Holland, PA, had a method that if you changed your password on the /400, it also changed it on the 3090 and NT as well. Likewise if you changed it on the 3090 or NT, it was ported to each system respectively. Don't remember their phone number, but that's what Yahoo, Yellow Pages are for, right? -bret

    • #3
      AS400 password synchronization between different AS400 systems

      Raymond - I believe you can do this using exit programs and APIs. I've not done it but from what I've read on exit programs, it can be done this way. HTH, Steve

      • #4
        AS400 password synchronization between different AS400 systems

        Vision Solutions offers a product called ODS/400 which, among other things, distributes user profiles to other systems. Never used it, but that's my 2 cents worth. John Panzenhagen

        • #5
          AS400 password synchronization between different AS400 systems

          VisionSolutions ODS/400 does object replication including User profiles. Have worked with it for a while now at my client. Works pretty well, though it's probably an expensive solution if all you want to replicate is User Profiles. If you'd like some add'l info on it, feel free to email me directly at magtech@optonline.net. Marc

          • #6
            AS400 password synchronization between different AS400 systems

            The specific exit program you would want to use is the QPWDVLDPGM system value, as it receives new passwords before they are stored on disk. I don't remember the exact names of the APIs, but they are the "Get encrypted Password" and "Put encrypted password" APIs. jte MC Security Editor

            • #7
              AS400 password synchronization between different AS400 systems

              >>Have you tried RUNRMTCMD CHGPWD?<<
              Please don't try this. If you are running factory defaults, the DDM Function RUNRMTCMD will run under QUSER. I've seen organizations grant QUSER secofr rights so that they could accomplish tasks like this, and that is a horrible idea. The danger here is that anyone could then run a RUNRMTCMD, and have it run with secofr rights. What's to prevent anyone from changing someone else's password? Besides.... the password would be sent across the network in clear text, and any errors would be visible in a number of system logs. jte MC Security Editor

              • #8
                AS400 password synchronization between different AS400 systems

                I just saw this on a Q&A page today. I was looking for something else and thought this looked pretty neat. Hope it helps!

                Question: I have been asked to find out how AS/400 users can change their passwords using a web browser application. We will synch user info to the NT Domain server to enable validation and signon. The AS/400 passwords expire every 30 days. The users must be able to maintain their passwords without leaving the web application (a combination of Cold Fusion, Javascript and HTML). Off the shelf packages are OK, or IBM supplied API that support some sort of encryption (we don't want passwords xmitted over the internet in the clear.) Any and all suggestions are appreciated. (12/99)

                Answer 1: If Java is an option then you can use the Java ToolKit for AS/400. The code used to exchange and/or change passwords is encrypted out the wazoo before it is sent over the net. Unless you are going to use some sort of strong encryption for sending the password from the browser (implemented in an applet) to the http server I would suggest supporting SSL on the www server.

                Answer 2: There are two APIs, from V3R7, that allow you to send encrypted passwords from one machine to another: QSYRUPWD (retrieve encrypted password) and QSYSUPWD (set encrypted password). These two APIs can (and are meant to) be used together to sync passwords between AS/400s. QSYRUPWD retrieves the DES5 encrypted version of the password from the user password table. This value is already encrypted. QSYSUPWD sets a user's password (using an encrypted value retrieved by QSYRUPWD) in the table to the supplied value. At no point is the password decrypted into the plain text form. Passing this encrypted value over the network should be fairly safe (as safe as passing any encrypted data can be). I myself would probably double encrypt it with another public domain routine (such as Blowfish) just to obscure the data even more.

                One thing, however, is to ensure that the multiple systems that you are trying to sync passwords between are using the same password limiting system values, to ensure that the passwords can be sync'ed.
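
The caveat that closes the post above, as an added example that is not part of the thread: a Python check that compares the password-rule system values of several systems against a baseline before their passwords are synchronized. The `NAME VALUE` listing format, the system names SYSA/SYSB/SYSC and the sample values are constructed for illustration, and the set of QPWD* system values checked is this example's choice.

```python
# Added example (not from the thread): password-rule drift check across systems.
# Assumption: each system's values were exported as "NAME VALUE" lines; this is
# a constructed format, not the output of a real command.

PASSWORD_SYSVALS = (
    "QPWDLVL", "QPWDMINLEN", "QPWDMAXLEN", "QPWDRQDDGT", "QPWDLMTCHR",
    "QPWDLMTAJC", "QPWDLMTREP", "QPWDPOSDIF", "QPWDRQDDIF", "QPWDVLDPGM",
)

def parse_listing(text):
    """Return {sysval: value} for the password system values found in a listing."""
    values = {}
    for raw in text.splitlines():
        parts = raw.split(None, 1)            # tolerate tabs and repeated spaces
        if not parts:
            continue                          # blank line
        name = parts[0].upper()
        if name in PASSWORD_SYSVALS:          # ignore unrelated system values
            values[name] = parts[1].strip().upper() if len(parts) > 1 else ""
    return values

def drift(baseline, other):
    """List (sysval, baseline_value, other_value) where two systems differ.
    A value absent from one listing shows up as None so gaps are not hidden."""
    findings = []
    for name in PASSWORD_SYSVALS:
        a, b = baseline.get(name), other.get(name)
        if a != b:
            findings.append((name, a, b))
    return findings

def report(baseline_text, others):
    """Compare every system in `others` ({system: listing}) with the baseline."""
    base = parse_listing(baseline_text)
    return {system: drift(base, parse_listing(text)) for system, text in others.items()}

# Constructed sample listings for three hypothetical systems.
SYSA = """QPWDLVL 0
QPWDMINLEN 6
QPWDMAXLEN 10
QPWDRQDDGT 1
QPWDLMTCHR *NONE
QPWDLMTAJC 0"""
SYSB = SYSA.replace("QPWDMINLEN 6", "qpwdminlen   8")    # different minimum length
SYSC = SYSA.replace("QPWDRQDDGT 1\n", "") + "\nQSECURITY 40"  # value missing from export

if __name__ == "__main__":
    for system, findings in report(SYSA, {"SYSB": SYSB, "SYSC": SYSC}).items():
        print(system, findings or "matches baseline")
```

An empty list for a system means its password rules match the baseline; any tuple names a system value to reconcile before syncing.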
