|
View previous topic :: View next topic
|
| Author |
Message |
vasanthz
Global Moderator
Joined: 28 Aug 2007
Posts: 1742
Location: Tirupur, India
|
|
|
|
Hi,
I work in a CICS based application for warehouse management.
The application is used by 300 to 400 individual warehouse users.
But the problem is the users are grouped in to smallerer groups like managers,workers, drivers etc...
Each of these individual user groups have a common CICS logon ID.
Example : All Managers use DELCMAA to logon to CICS application.
All Drivers use DELCDRI to logon to CICS application.
There is no specific user ID for each individual user.
Lets take this scenario,
Driver 1 signs on with DELCDRI user ID and he is working and using CICS screens.
Driver 2 tries to log in with DELCDRI, but he does not know the password and revokes the User ID.
Meanwhile the Driver 1 is not aware that the user ID is revoked and he initiates a transaction in CICS.
This transaction performs some updates, triggers some more transactions and later at some point fails.
There are 100 s of transactions that the driver can initiate. So I am not specifying the details of the programs or code.
We currently do not have a mechanism to validate if a ID is active and eligible to start a transaction.
Could you please advice what could be done in this case
and is there anyway that the RACF status of a user ID is checked from a COBOL program and validated.
Could you please help.
Thanks in advance, |
|
| Back to top |
|
 |
dick scherrer
Moderator Emeritus
Joined: 23 Nov 2006
Posts: 19244
Location: Inside the Matrix
|
|
|
|
Hello,
Suggest you change from the "common" ids to user specific ids.
If management will not insist on unique ids, you may be able to change the number of failed password attempts to whatever is the maximum. Also, it would be good to reset the count each time the cics region is re-cycled.
This would be coordinated with the security people. |
|
| Back to top |
|
|
vasanthz
Global Moderator
Joined: 28 Aug 2007
Posts: 1742
Location: Tirupur, India
|
|
|
|
Hi,
Thanks for your time in this.
| Quote: |
| Suggest you change from the "common" ids to user specific ids. |
The system design is totally reliant on group user IDs and in many cases the IDs are hardcoded, so moving to specific user Ids will be very difficuly and a daunting task.
| Quote: |
| you may be able to change the number of failed password attempts to whatever is the maximum. |
I will try convincing our management to increase the number of re-tries.
Is there any way to access RACF and have some return code and vailidate it accordingly.
Since it proves to be a good technical solution without rebuilding the system that already exists.
Thanks in advance,
Thanks again, |
|
| Back to top |
|
|
dick scherrer
Moderator Emeritus
Joined: 23 Nov 2006
Posts: 19244
Location: Inside the Matrix
|
|
|
|
Hello,
| Quote: |
| Is there any way to access RACF and have some return code and vailidate it accordingly. |
I don't understand the question. . .
Please clarify.
If there is truly to be no security, why is an id ever locked? Just let them flail away until they remember or get lucky or call someone for help. . . |
|
| Back to top |
|
|
Terry Heinze
JCL Moderator
Joined: 14 Jul 2008
Posts: 1249
Location: Richfield, MN, USA
|
|
|
|
| Quote: |
| Each of these individual user groups have a common CICS logon ID. |
Internal auditors just love this.  |
|
| Back to top |
|
|
Bill O'Boyle
CICS Moderator
Joined: 14 Jan 2008
Posts: 2501
Location: Atlanta, Georgia, USA
|
|
|
|
Yeah, especially if there 's a "SUX" (sorry, freudian slip), I mean "SOX" compliance issue.
"SUX" is more fitting. Oxley's last name should have been Uxley.
Regards, |
|
| Back to top |
|
|
Raghu navaikulam
Active User
Joined: 27 Sep 2008
Posts: 193
Location: chennai
|
|
|
|
Hi
| Quote: |
Driver 2 tries to log in with DELCDRI, but he does not know the password and revokes the User ID.
|
As per my understanding of your problem, I have some suggestions.
To check the validity of the password for the userid you can use the following statement in your COBOL program.
| Code: |
EXEC CICS VERIFY PASSWORD(PWDI) USERID(UIDI) RESP(RESPONSE) END-EXEC.
|
Here PWDI and UIDI are map variables corresponding to password and userid fields.
IF RESPONSE = DFHRESP(NOTAUTH)
You can use a count to inform the user that the user supplied wrong password for the first time and subsequently send a message to the user based on the maximum number of password retries allowed in your system.
Please post whether this is helpful for you as per your requirements.
Regards
Raghu |
|
| Back to top |
|
|
dick scherrer
Moderator Emeritus
Joined: 23 Nov 2006
Posts: 19244
Location: Inside the Matrix
|
|
|
|
Hello,
| Quote: |
| To check the validity of the password for the userid you can use the following statement in your COBOL program. |
I suspect that if one cannot log onto CICS, one will never reach any cobol code in that region. . .  |
|
| Back to top |
|
|
CICS Guy
Senior Member
Joined: 18 Jul 2007
Posts: 2146
Location: At my coffee table
|
|
|
|
| dick scherrer wrote: |
| I suspect that if one cannot log onto CICS, one will never reach any cobol code in that region. . . |
Unless that COBOL code is in the signon program....  |
|
| Back to top |
|
|
enrico-sorichetti
Superior Member
Joined: 14 Mar 2007
Posts: 10873
Location: italy
|
|
|
|
what difference does it make that the invalid password is discovered by RACF itself or rather than by a user program invoking RACF services ???
a decision must be taken anyway on what to do after a certain number of invalid passwords |
|
| Back to top |
|
|
vasanthz
Global Moderator
Joined: 28 Aug 2007
Posts: 1742
Location: Tirupur, India
|
|
|
|
Hi All,
Thanks for your time in this.
| Quote: |
| a decision must be taken anyway on what to do after a certain number of invalid passwords |
This seems to be the logical solution , I will try talking to Info Secs about this. (I cant fix your brakes, so I made the horn louder) 
I wish there was a modded version of the command
| Code: |
| EXEC CICS VERIFY PASSWORD(PWDI) USERID(UIDI) RESP(RESPONSE) END-EXEC. |
some thing like,
| Code: |
| EXEC CICS VERIFY USERID(UIDI) RESP(RESPONSE) END-EXEC. |
So it can be used in program.
Thanks, |
|
| Back to top |
|
|
kvamsy
New User
Joined: 14 Apr 2009
Posts: 10
Location: chennai
|
|
|
|
[size=18]I don't think the command mentioned exists but what I can suggest is when ever Depot is trying to submit anything or doing crucial we can pop up one more window asking to re-enter the password so that we can reduce this kind of errors some.
What do you feel...... |
|
| Back to top |
|
|
enrico-sorichetti
Superior Member
Joined: 14 Mar 2007
Posts: 10873
Location: italy
|
|
|
|
what to do if the user keeps on typing the wrong password ?
asking over and over for a password will not help the user to remind a forgotten one
again...
before giving any advice everybody should meditate on the implications of a secure environment
whatever the interface - line, full screen, pop up ( do not exist in 3270 ), ... add anything You want
a choice must be made...
1) revoke the user after a certain number ( just choose some ) of attempts
proper action in any decent environment
one of the many reasons not to have group userid
( auditability is another one )
2) do nothing and let the user keep trying,
but then why ask for the password and spend resources to implement a useless security environment
the final consideration...
security is what the name implies... security
has it's costs and what appear at first glance as inconveniences
... somebody must make the choice on having it or not |
|
| Back to top |
|
|
|
|
