CA VM:Secure supports two application programming interfaces (APIs) for password verification under program control. These APIs are Diagnose X’88’ subcode 8, and Diagnose X’A0’ subcode 4. Any application server can use the APIs so that a VM user ID and password combination can grant access to the capabilities provided by the server. One example would be the File Transfer Protocol (FTP) server. When you connect to it, and present a VM user ID and password, the server can verify your identity. It can then allow you to transfer files owned by that VM user ID to the FTP client computer, or allow client files to be transferred to disks or directories owned by the VM user ID.
CA VM:Secure supports a programming interface for changing passwords or password phrases. That API is Diagnose X’A0’ subcode X’60’. One form for that diagnose code requires that the existing password be validated before the password change is allowed.
The authorization for using the password validation APIs is separate from the authorizations provided by a VALIDATE rule. The use of Diagnose X’88’ subcode 8 is allowed by a DIAG88 rule discussed earlier in this chapter. The use of Diagnose X’A0’ subcode 4 is allowed by a GRANT DIAGPCHK configuration file record entered during VMSECURE CONFIG AUTH command processing. The use of Diagnose X’A0’ subcode X’60’ is authorized by a PASSCHNG rule discussed earlier in this chapter.
CA VM:Secure protects the APIs so that limits are placed on the number of attempts that can be made to validate a user ID password combination.
Note: For more information about the journaling facility, see the JOURNAL command in the Reference Guide.
A VALIDATE journal count is maintained whenever an incorrect password is detected by the password verification APIs. A pair of installation User Exits is provided by CA VM:Secure as part of the journaling facility. When the password verification APIs exceed the journal count for a particular user ID and password combination because the password supplied is incorrect, CA VM:Secure calls the USERPASS User Exit, which is also documented in the Reference Guide. A return code value of 8 from the USERPASS exit causes CA VM:Secure to create a user-level rule in the user rules file of the user ID being verified. The form of the rule is as follows:
REJECT * VALIDATE ( NOTIFY
The purpose of this rule is to suppress the ability of a server to validate a password for this particular user ID until the rule is removed.
The only means to override the REJECT VALIDATE rule created by CA VM:Secure is by adding a rule at the SYSTEM override level. Such an ACCEPT rule could serve to allow some specific server to be exempt from API password validation journal processing. Such a REJECT rule could serve to prohibit any password validation by a specified requestor, although a simpler means to accomplish this would be to remove that requestor's authorization to use the validation API in the first place. (Authorization to use Diagnose X’88’ subcode 8 is controlled by a DIAG88 rule. Diagnose X’A0’ subcode 4 is controlled by a GRANT DIAGPCHK authorization record. Diagnose X’A0’ subcode X’60’ is controlled by the PASSCHNG rule.)
In the absence of a USERPASS User Exit, no VALIDATE rules are created by CA VM:Secure. The rule operates as any other rule, but with certain distinctions:
The NORULE record in the SECURITY CONFIG file does not apply to VALIDATE requests.
Examples
ACCEPT MAINTJR VALIDATE
REJECT MAINTJR VALIDATE
ACCEPT SVM VALIDATE (GROUP
REJECT * VALIDATE
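The following is an added model of the journaling behaviour described above (the VALIDATE journal count, the USERPASS exit return code 8, the generated REJECT * VALIDATE rule, and the SYSTEM override level); it is not CA VM:Secure code. The journal threshold, the reset on a good password, and the behaviour when no VALIDATE rule matches are assumptions made for the model.

```python
# Added example, not CA VM:Secure code: a model of how VALIDATE journaling
# gates password verification requests from a server such as FTP.
from dataclasses import dataclass, field

JOURNAL_LIMIT = 3  # assumption; the real threshold is set with the JOURNAL command

@dataclass
class Rule:
    action: str       # "ACCEPT" or "REJECT"
    requestor: str    # user ID of the requesting server, or "*"
    options: str = "" # e.g. "NOTIFY"

def matches(rule: Rule, requestor: str) -> bool:
    return rule.requestor in ("*", requestor)

@dataclass
class SecurityDb:
    passwords: dict                                     # constructed sample credentials
    system_rules: list = field(default_factory=list)    # SYSTEM override level rules
    user_rules: dict = field(default_factory=dict)      # per-user rules files
    journal: dict = field(default_factory=dict)         # VALIDATE journal counts (keyed by user ID here)

def userpass_exit(db: SecurityDb, userid: str) -> int:
    """Stand-in for the installation's USERPASS User Exit; 8 requests the REJECT rule."""
    return 8

def validate_allowed(db: SecurityDb, requestor: str, userid: str) -> bool:
    # SYSTEM override rules are checked first: they are the only way past the
    # REJECT * VALIDATE rule that journaling places in the user's rules file.
    for rule in db.system_rules:
        if matches(rule, requestor):
            return rule.action == "ACCEPT"
    for rule in db.user_rules.get(userid, []):
        if matches(rule, requestor):
            return rule.action == "ACCEPT"
    return True  # assumption: no VALIDATE rule means the API authorization alone decides

def verify_password(db: SecurityDb, requestor: str, userid: str, password: str) -> str:
    """Returns 'OK', 'BAD_PASSWORD' or 'VALIDATE_REJECTED'."""
    if not validate_allowed(db, requestor, userid):
        return "VALIDATE_REJECTED"
    if db.passwords.get(userid) == password:
        db.journal.pop(userid, None)  # assumption: a correct password clears the count
        return "OK"
    db.journal[userid] = db.journal.get(userid, 0) + 1
    if db.journal[userid] > JOURNAL_LIMIT and userpass_exit(db, userid) == 8:
        # The generated rule stays until removed; a SYSTEM level rule is the only override.
        db.user_rules.setdefault(userid, []).append(Rule("REJECT", "*", "NOTIFY"))
    return "BAD_PASSWORD"
```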
Copyright © 2014 CA.
All rights reserved.