ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahl_5.4.0.1/rzahlsecurityman.htm

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights                   -->
<!-- Use, duplication or disclosure restricted by            -->
<!-- GSA ADP Schedule Contract with IBM Corp.                -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="keywords" content="NetServer, iSeries, QMAXSIGN, user profile,
profile, user, last-changed date, date, last-changed" />
<title>Disabled user profiles</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link --> 
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>


<a name="securityman"></a>
<h2 id="securityman">Disabled user profiles</h2><a id="idx3" name="idx3"></a><a id="idx4" name="idx4"></a><a id="idx5" name="idx5"></a><a id="idx6" name="idx6"></a><a id="idx7" name="idx7"></a><a id="idx8" name="idx8"></a>
<p> iSeries NetServer&trade; uses iSeries user profiles and passwords to allow network
administrators to control how users can access data. In addition, an iSeries
system value named <tt class="xph">QMAXSIGN</tt> specifies how many unauthorized sign-on
attempts disable the user profile.</p>
<p> A user profile becomes disabled when the user tries to access iSeries NetServer a
specified number of times with an incorrect password. A user profile cannot
become completely disabled when connecting to an iSeries with iSeries NetServer. If a user
exceeds the maximum number of  sign-on attempts the user profile becomes disabled
for only iSeries NetServer use. Other types of access, such as a system sign-on, are
not prevented.</p>
<p>iSeries NetServer uses the last-changed date on iSeries user profiles to determine
if they have changed since becoming disabled. If the last-changed date is
newer than the date of becoming disabled, then the user profile becomes enabled
again for use with iSeries NetServer.</p>
<a name="wq47"></a>
<div class="notelisttitle" id="wq47">Notes:</div>
<ol type="1">
<li>The QSYSOPR message queue displays the CPIB682 error message that indicates
when an iSeries user profile was disabled for use with iSeries NetServer.</li>
<li>Some clients will try a name and password several times without the user
being aware of it. For example, if the user's desktop password does not match
the iSeries user profile password, the client may try to access the iSeries NetServer several
times before displaying the Network Password popup window. When the correct
password is supplied, the user profile may already be disabled for iSeries NetServer use
on the iSeries. If you encounter this situation, the Maximum sign-on attempts
allowed system value, QMAXSIGN, could be increased to accommodate multiple
client authentication attempts. To do this, use the <span class="bold">Work
with System Values</span> command: <tt class="xph">WRKSYSVAL SYSVAL (QMAXSIGN)</tt>.</li>
</ol>
<p><span class="bold">Display disabled user profiles</span></p>
<p>To display the disabled iSeries NetServer users using iSeries Navigator, follow these steps:</p>
<ol type="1">
<li>In iSeries Navigator, connect to an iSeries server.</li>
<li>Expand <span class="bold">Network</span>.</li>
<li>Expand <span class="bold">Servers</span>.</li>
<li>Click <span class="bold">TCP/IP</span> to view list of TCP/IP servers available.</li>
<li>Right-click <span class="bold">iSeries NetServer</span> and select <span class="bold">Open</span>.</li>
<li>Click on <span class="bold">File</span> in the upper left corner.</li>
<li>On the pull-down select <span class="bold">Disabled User IDs</span>.</li></ol>
<a name="reenable"></a>
<p id="reenable"><span class="bold">Enable a disabled user profile</span></p>
<p>You can re-enable a user profile that has become disabled. You
need *IOSYSCFG and *SECADM authority to use iSeries Navigator to enable a disabled iSeries NetServer user.</p>
<p>There are three ways that you can enable a user profile that
has been disabled.</p>
<ul>
<li>Use iSeries Navigator:
<ol type="1">
<li>In iSeries Navigator, connect to an iSeries server.</li>
<li>Expand <span class="bold">Network</span>.</li>
<li>Expand <span class="bold">Server</span>.</li>
<li>Click <span class="bold">TCP/IP</span> to view list of TCP/IP servers available.</li>
<li>Right-click <span class="bold">iSeries NetServer</span> and select <span class="bold">Open</span>.</li>
<li>Click on <span class="bold">File</span> in  upper left corner.</li>
<li>On the pull-down menu, select <span class="bold">Disabled User IDs</span>.</li>
<li>Click a disabled user ID and select <span class="bold">Enable User ID</span>.</li></ol></li>
<li>Change the user profile. Starting the following command re-enables the
user profile. You may exit the Change User Profile screen without making any
changes to the properties for the user profile. 
<pre class="xmp">CHGUSRPRF USRPRF(<span class="italic">USERNAME</span>) </pre>where <span class="italic">USERNAME</span> is
the name of the user profile you want to re-enable.</li>
<li>Stop and then restart iSeries NetServer.</li></ul>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>