

Executing AUTOLOG without a Password

With special CA ACF2 for VM AUTOLOG procedures, you can execute the AUTOLOG command without entering a password and not compromise system security. This is useful because it lets you AUTOLOG from uninterrupted execs. To enter AUTOLOG with CA ACF2 for VM, enter the command followed by the name of the machine that is autologged.

    autolog cmsauto             (you can specify a group‑logonid as the logonid)
    ACFpgm137I CMSAUTO last system access at 17.22 on 11/09/97 from GRAF‑490
    AUTO LOGON *** autologged‑logonid USERS = 043

Depending on certain CA ACF2 for VM logonid privileges defined for the machine performing the autolog or the machine being autologged (as discussed shortly), there is no prompt for a password. The machine being autologged logs on automatically. After you have entered the system, CA ACF2 for VM validates data and resource access against the machine that is autologged, not the machine performing the autolog.

With CA ACF2 for VM, you can specify the name of the target machine and its password to enter the AUTOLOG command. A password prompt does not appear.

CA ACF2 for VM protects the AUTOLOG command in a unique way. System entry for executing the AUTOLOG command through CA ACF2 for VM consists of the following steps:

  1. AUTOLOG command limiting validation. This step is optional, just as it is for any other CP command. See the Command and Diagnose Limiting Guide for details.
  2. AUTOLOG resource rule validation. Whenever you try to autolog a virtual machine, the system automatically checks a resource rule to see if you are allowed access. This occurs regardless of the CA ACF2 for VM data access mode setting and any special privileges you might have.
  3. Conditional password validation that determines whether you can execute AUTOLOG without entering a password. The system does not prompt for a password if the logonid of the machine being autologged has the AUTONOPW privilege (in the PRIVILEGES group of the logonid record) or the logonid of the machine executing the autolog has the AUTOALL privilege (also in the PRIVILEGES group of the logonid record).

    On the other hand, if neither of these conditions is met, CA ACF2 for VM prompts for the password of the autologged machine with the standard password prompt:

    ACFpgm244R Enter CA‑ACF2 password
    

    The autologged machine can be a group virtual machine (a machine with the GRPLOGON privilege). If this is the case and you receive a password prompt, enter the password of the autologged machine (the group virtual machine).

    For XAUTOLOG: If the same conditions as above are not met when executing XAUTOLOG, CA ACF2 for VM issues error message 1690E:

    XAUTOLOG failed ‑ password required
    

    CA ACF2 for VM then displays:

    XAUTOLOG logonid PROMPT
    

    The standard password prompt follows the message:

    ACFpgm244R Enter CA‑ACF2 password
    

    To assign virtual machines the special logonid privileges of AUTONOPW and AUTOALL, see the Implementation Planning Guide.

  4. User IDs for group logonids (group machines). At this point of the AUTOLOG validation process, the user who issued the AUTOLOG command is authorized to autolog a virtual machine. This step preserves the individual accountability of group machines (machines with the GRPLOGON privilege). This is done for audit purposes. CA ACF2 for VM checks the logonid of the machine being autologged for the GRPLOGON privilege. If present, the name of the machine performing the autolog appears in all CA ACF2 for VM reports with the name of the autologged group machine. This corresponds with how CA ACF2 for VM generates reports for group virtual machines. For details on how the CA ACF2 for VM group logonid feature works with the CA ACF2 for VM report generators, see the Reports and Utilities Guide.

    The name of the original machine that performed the autolog continues to appear in the reports for any machine that an autologged group machine subsequently autologs. The original group user of the group machine is accountable for all of that machine's subsequent actions.

    A machine with the GRPLOGON privilege does not undergo group logon resource validation for group machines that are being autologged. (The machine has already gone through autolog resource validation.) Group logon resource validation applies only when group machines are trying to gain system entry through logon procedures. That is where the name GRPLOGON (GRouP LOGON) is derived from.

  5. The machine executing the AUTOLOG command must have CP privilege class A or B.
  6. Password suppression is an IBM security feature implemented in the PSUPRS operand of the SYSJRL macro. It forces you to enter your password on a separate line from your logonid when you log on. Your password is not displayed when you enter it.

    If password suppression is turned off and the machine you are autologging has the AUTONOPW privilege or your machine has the AUTOALL privilege, enter a dummy password of at least one character.

    autolog TLCAUTO             (press enter)
    AUTO LOGON *** CMSAUTO USERS = 043

    We recommend, however, that you have password suppression turned on. This forces you to enter your password separate from your logonid so your password is not visible on the screen. If password suppression is turned off and you are autologging a group virtual machine, CA ACF2 for VM does not accept any password on the same line as the logonid.
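
The validation sequence above as a small Python model, added here as an illustration and not CA ACF2 for VM code. The Logonid class, the autolog_decision function and the sample logonids OPER1 and GRPMACH are constructed for the example; command limiting (step 1) and password suppression (step 6) are left out.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Logonid:                      # constructed stand-in for a logonid record
    name: str
    privileges: set = field(default_factory=set)  # AUTONOPW, AUTOALL, GRPLOGON
    cp_classes: str = "G"
    accountable_user: Optional[str] = None  # original issuer shown in reports

def autolog_decision(issuer, target, rule_allows, password_ok=None):
    """Model of AUTOLOG system entry; returns (outcome, accountable_user).

    rule_allows: result of the AUTOLOG resource rule for issuer -> target.
    password_ok: None if no password was given yet, else whether it matched.
    """
    # Step 5: issuer needs CP class A or B (checking it first is an assumption).
    if not set(issuer.cp_classes) & {"A", "B"}:
        return "DENY: CP class", None
    # Step 2: the resource rule is always checked; no privilege bypasses it.
    if not rule_allows:
        return "DENY: resource rule", None
    # Step 3: password skipped only for AUTONOPW (target) or AUTOALL (issuer).
    if "AUTONOPW" not in target.privileges and "AUTOALL" not in issuer.privileges:
        if password_ok is None:
            return "PROMPT: ACFpgm244R", None
        if not password_ok:
            # Treating a wrong password as a denial is a modelling assumption.
            return "DENY: password", None
    # Step 4: a group machine is reported with the machine that autologged it,
    # and that original name follows anything the group machine autologs later.
    accountable = issuer.accountable_user
    if accountable is None and "GRPLOGON" in target.privileges:
        accountable = issuer.name
    target.accountable_user = accountable
    return "ALLOW", accountable

def demo():
    oper = Logonid("OPER1", cp_classes="BG")
    grp = Logonid("GRPMACH", {"GRPLOGON", "AUTONOPW"}, cp_classes="BG")
    worker = Logonid("CMSAUTO", {"AUTONOPW"})
    return [autolog_decision(oper, grp, True),      # OPER1 autologs the group machine
            autolog_decision(grp, worker, True)]    # group machine autologs CMSAUTO

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

When reviewing logonid records, the model makes two points concrete: AUTOALL and AUTONOPW remove only the password step, so the AUTOLOG resource rules are the control that bounds who can start which machine, and the originating user stays attached to every machine started through a group machine.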