OW Sign On Security - AS/400

Z_Cader

On the OW sign-on screen, how does the system validate the password? Yes, yes, the answer would be that it goes to the F98OWSEC file and validates against it. OK. How does it access the F98OWSEC file? Any ideas?

Zakeer

ES=AS/400 V4R5, TSE
 
Christophe,

Do you know how these files are accessed?

Thanks, Zakeer
 
My 2 cents..

a) Reads the workstation jde.ini [Security] section. Looks for the SecurityServer.
b) Passes a JDENET message with the userid to the server specified as the security server
c) JDENET passes the request off to a JDENET_k (Starts a security kernel if one is not already started)
c) Security kernel reads the [Security] section in the server jde.ini, uses the userid and password in that section to access the datasource mentioned in that section. Typically that would be datasource where you would find the F98OWSEC file.
d) continues on with F98OWSEC validations for the userid..

Cheers!
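
As an added illustration of steps a) to d) above (not part of any post in this thread, and not JD Edwards code): a small Python audit of the [Security] section of a jde.ini, since that section holds the credentials the security kernel uses to reach F98OWSEC. Only SecurityServer is named in the thread; the key names DataSource, User and Password, and all sample values, are assumptions constructed for the example.

```python
import configparser
import stat

# Constructed sample of a server jde.ini. Only SecurityServer is named in the
# thread; the key names DataSource, User and Password are assumptions.
SAMPLE_SERVER_INI = """\
[Security]
SecurityServer=ENTSRV-EXAMPLE
DataSource=System (constructed)
User=EXAMPLEUSER
Password=EXAMPLE-ONLY
"""

def _section(cp, name):
    """Find a section case-insensitively ([Security] vs [SECURITY])."""
    return next((cp[s] for s in cp.sections() if s.lower() == name), None)

def audit_security_section(ini_text, file_mode=None):
    """Return (code, message) findings for the [Security] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(ini_text)
    sec = _section(cp, "security")
    if sec is None:
        return [("NO_SECTION", "no [Security] section found")]
    value = lambda key: (sec.get(key) or "").strip()
    findings = []
    if not value("SecurityServer"):
        findings.append(("NO_SECURITY_SERVER", "SecurityServer is not set"))
    if not value("DataSource"):
        findings.append(("NO_DATASOURCE", "no data source named for F98OWSEC"))
    if value("Password"):
        findings.append(("STORED_PASSWORD",
            f"credentials for user {value('User') or '?'} are stored in this "
            "file; readers of it learn the login used for the F98OWSEC source"))
    # POSIX mode bits only apply where the file lives on such a filesystem.
    if file_mode is not None and file_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(("FILE_READABLE_BY_OTHERS",
            f"mode {stat.S_IMODE(file_mode):o} lets group/other read the file"))
    return findings

if __name__ == "__main__":
    for code, msg in audit_security_section(SAMPLE_SERVER_INI, 0o644):
        print(f"{code}: {msg}")
```
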
 
How is it talking to the AS/400? In section C you mentioned that it passes a message to the AS/400. What profile does it use to pass the message to the AS/400?
 
It is not using any profile to pass the message to the AS/400. It is simply passing a JDENET message to the enterprise server running the services.
It uses the profile & password listed in the server JDE.INI in the next step to connect to the System Data source (which houses F98OWSEC).

Let me know if this still does not answer your question ...

Cheers!
 
I understand your point, but an AS/400 with security level 30 requires a
valid password to access the AS/400. How does this message get through to the
AS/400 without the required information? Please see SYSVAL QSECURITY.




----- Original Message -----
From: "aryak" <[email protected]>
To: <[email protected]>
Sent: Monday, October 21, 2002 3:09 PM
Subject: Re: OW Sign On Security - AS/400


 
Also, after step C, the userid and password from the server jde.ini [SECURITY] section should have valid authorization to the AS/400 and access to the SYS733x library.
 
Hi there,

I understand your points, but according to your information, what I
understood is that there is a big security hole in the system: it sends messages
to the AS/400 without having any kind of security.




----- Original Message -----
From: "aryak" <[email protected]>
To: <[email protected]>
Sent: Monday, October 21, 2002 4:55 PM
Subject: Re: OW Sign On Security - AS/400


 
TCP/IP communications do not require authorisation as far as networking is concerned. The security would be implemented at a higher level - in the application that you are communicating with.

"Access" and "Send a message to" are related as "write/change" relates to "read-only": there is no security hole here.

Actually, it would be much easier to answer your question if you tell us what it is exactly you are trying to prove?

Regards,
Alex.
 
Please, don't go down a dead-end road. Here we are talking about security in OW,
not on the 400. Remember, OW has a lot of big security holes.

Don't lead people the wrong way...
----- Original Message -----
From: "Alex_Pastuhov" <[email protected]>
To: <[email protected]>
Sent: Monday, October 21, 2002 10:54 PM
Subject: Re: OW Sign On Security - AS/400


 
What is passed to the server, on the port specified in the JDE.INI, is the user id/password set up in the User Security section of user id setup. The user id/password set up in User Security is what is used to determine the server authority of the user. Once the User Security user id/password has been validated, the JDENET listener can take the OW user id/password and get it validated against the System Data Source.
 