Universal Password, in conjunction with Microsoft's SNA Server's Host Account Synchronization Service, provides single sign-on, single password access to multiple AS/400 and Windows NT servers in a distributed computing environment.
Inter-Relationship

The main components are shown below, aligned to the left edge. An indication is given for each component about how it is normally started. Indented beneath each component are the components which affect that component: "<-" marks something that starts, stops or feeds the component, "->" something the component writes to, and "<->" a file the component both reads and writes. Components marked 'support' are typically used to provide application traces to support personnel. Components marked 'utility' are typically used by administrators to manage the application.

AS/400 password change
    |
    v
AS/400 Password Program          <- started by: OS/400 on password change
    <- utility: 400 Start Password Application
    <- utility: 400 Stop All Utility
    |
    v
AS/400 Password User Queue
    <- utility: NT Cleanup option on NT Utility Program
    |
    v
AS/400 Password Comm Program     <- started by: NT Password Comm Service
    <-> AS/400 Password Restart File
            <- utility: NT Cleanup option on NT Utility Program
    -> AS/400 console messages
    <- support: AS/400 Start Comm Trace File
            <- utility: NT Cleanup option on NT Utility Program
    -> support: AS/400 Comm Trace File
            <- utility: NT Cleanup option on NT Utility Program
    <- utility: 400 Stop Comm Utility
    <- utility: 400 Stop All Utility
    <- utility: NT Cleanup option on NT Utility Program
    |
    v
SNA Server's CPI/C Interface
    |
    v
NT Password Comm Service         <- started by: NT boot & initialized by: NT Security DLL
    <-> NT Password Cache File
            <- utility: NT Cleanup option on NT Utility Program
    -> NT Event Log
    <- support: NT Start Comm Trace File
            <- utility: NT Cleanup option on NT Utility Program
    -> support: NT Comm Trace File
            <- utility: NT Cleanup option on NT Utility Program
    <- utility: NT Stop Comm option on NT Utility Program
    <- utility: NT Cleanup option on NT Utility Program
    |
    v
NT Security DLL                  <- started by: SNA Host Account Synchronization Service
    -> NT Event Log
    <- support: NT Start Security DLL Trace File
            <- utility: NT Cleanup option on NT Utility Program
    -> support: NT Security DLL Trace File
            <- utility: NT Cleanup option on NT Utility Program
    |
    v
SNA Server's Host Account Synchronization Service MDSI Interface
The components are described in more detail in the following sections.

AS/400 Components

Universal Password enables bi-directional password synchronization with participating Windows NT domains. To enable bi-directional synchronization, some AS/400 components of Universal Password must be installed on the AS/400. Each component is described in detail below so that you have a good understanding of the role and implications of each one.
AS/400 Password Program

This program identifies password changes on the AS/400 and caches them in the AS/400 Password User Queue. It is started by OS/400 whenever a password is changed. It checks whether the AS/400 Password User Queue exists and, if it does not, creates the queue. The program obtains each password change on the AS/400 as that change is being effected, encrypts the user ID, old password and new password, and places them in chronological order on the AS/400 Password User Queue.
LIMITATIONS: It does not identify user IDs that are created, inactivated or removed. It does not identify password changes made with Change User Profile. It will not cache password changes should the AS/400 Password User Queue exceed its 64 MB limit.
INSTALLATION: It is activated by a Security Officer or better with the 400 Start Password Application on the 400 Utility Menu. No restrictions are placed on the AS/400 during these processes.
PERSISTENCE and ADMINISTRATION: IPL does not affect this program. The administrator does not have to perform any maintenance on this program once it is activated.
SHUTDOWN and RESTART: This program can be disabled by a Security Officer or better with either the 400 Stop All Utility or the NT Cleanup option on NT Utility Program. Shutdowns and restarts of this program do not affect other components. Password changes made while this program is shut down will be lost.
This program can be restarted with the 400 Start Password Application on the 400 Utility Menu.
SUPPORT CAPABILITIES: This program has no trace capabilities.
AS/400 Password User Queue

This user queue caches the encrypted AS/400 password changes in chronological order. They are retained until they can be sent to Windows NT.
LIMITATIONS: It is limited to 64 MB.
CHANGED BY: This queue can be created by either the AS/400 Password Program or the AS/400 Password Comm Program. It is written to in chronological order by the AS/400 Password Program. It is destructively read from in chronological order by the AS/400 Password Comm Program. It can be deleted by the NT Cleanup option on NT Utility Program.
INSTALLATION: The queue is created when needed.
PERSISTENCE and ADMINISTRATION: This queue is not affected by an AS/400 IPL. No administration is required.
AS/400 Password Comm Program

This program transfers password changes from the AS/400 Password User Queue to the NT Password Comm Service. It is started by the NT Password Comm Service; installation configuration is minimized by having the NT Comm start the 400 Comm.
When this program starts up, it checks whether the AS/400 Password User Queue exists and, if not, creates it. The program then checks whether the AS/400 Password Restart File exists and, if it does not, creates the file. If the file exists and contains an entry, that entry is erased from the file and then transmitted to the NT Password Comm Service. Normal processing then commences.
This program destructively reads the first entry on the queue and transmits it to the NT Password Comm Service using SNA Server's CPI/C interface. If the transmission is successful, this program waits for the next queue entry.
If the transmission returns an error condition, this program writes the unsent queue entry into the AS/400 Password Restart File. It then sends a message to the AS/400 console identifying the problem encountered and stating that it is terminating abnormally, and terminates.
LIMITATIONS: It will terminate on any error condition from the CPI/C interface. Tests have shown that recovery in such conditions is problematic. No messages are presently being sent to the console; this feature will be included in version 2 of the product.
INSTALLATION: This program is activated by the NT Password Comm Service each time the latter is initialized.
PERSISTENCE and ADMINISTRATION: This program is started by the NT Password Comm Service. When it is not running, AS/400 password changes continue to be cached in the AS/400 Password User Queue.
SHUTDOWN and RESTART: This program can be stopped using the 400 Stop Comm Utility, the 400 Stop All Utility or the 400 Cleanup Utility on the 400 Utility Menu. Password changes made while this program is shut down will not be lost.
When this program terminates, the session to the NT Password Comm Service will be dropped. That service will note the event in the NT Event Log and ignore the 400 until the service is restarted.
This program is restarted when the NT Password Comm Service is restarted.
SUPPORT CAPABILITIES: Each time this program starts, it checks for the existence of the AS/400 Start Comm Trace File. If it is found, this program records its detailed activity by creating or appending to the AS/400 Comm Trace File. The NT Password Comm Service should be stopped, the AS/400 Start Comm Trace File deleted, and the service restarted before the trace file is emailed to support.
AS/400 Password Restart File

This file contains the entry from the AS/400 Password User Queue which the AS/400 Password Comm Program was unable to transmit, causing that program to terminate abnormally. When the program restarts, it uses this file to retry the unsuccessful transmission.
LIMITATIONS: None.
CHANGED BY: This file is created and maintained by the AS/400 Password Comm Program. It can be deleted by the NT Cleanup option on NT Utility Program.
INSTALLATION: The file is created when needed.
PERSISTENCE and ADMINISTRATION: This file is not affected by an AS/400 IPL. No administration is required.
NAMES: The AS/400 Password Restart File is physical file USIGNRECOV in library USIGNON.
Windows NT Components

The Windows NT components of Universal Password propagate the password changes initiated by the participating Windows NT domains, and also receive and propagate password changes initiated on the participating AS/400s.
NT Password Comm Service

This service obtains AS/400 password changes from the AS/400 Password Comm Program and caches them in the NT Password Cache File. It also returns entries from this file when polled by the NT Security DLL. This service is started during NT boot and performs no activity initially.
The NT Security DLL makes an initialization call to this service when that DLL is initialized by SNA Host Account Synchronization Service. The service starts the AS/400 Password Comm Program on each AS/400 it is configured for. Control is then returned to the DLL.
When this service gets a password change entry from the AS/400 Password Comm Program via SNA Server's CPI/C interface, it checks whether the NT Password Cache File exists and, if not, creates it. The service then opens the file, appends the entry and closes the file. This methodology allows the file to survive abnormal termination.
When this service is polled by the NT Security DLL and there is a cached entry, it opens the cache file, destructively reads the oldest entry and closes the file. This entry is returned to the NT Security DLL.
When this service gets a cleanup message from the NT Security DLL (the DLL having received a cleanup message from SNA Host Account Synchronization Service), the service terminates the AS/400 Password Comm Programs on all active AS/400s. After informing the DLL that this has been done, the service waits for an initialization call from the DLL.
LIMITATIONS: It will ignore an AS/400 if it loses its comm session to it or if a comm error occurs with that AS/400.
INSTALLATION: The service is automatically started at NT boot.
PERSISTENCE and ADMINISTRATION: This service is restarted when NT is booted. When it is not running, AS/400 password changes continue to be cached in the AS/400 Password User Queue.
SHUTDOWN and RESTART: This service can be terminated with the NT Stop Comm and NT Cleanup options in the NT Utility Program. It can also be stopped and restarted by the NT Services Control Panel or the NT Utility Program.
When the service is terminated, it first stops the AS/400 Password Comm Programs on all AS/400s it has active, error-free sessions with. When the service is restarted, it restarts these AS/400 comm programs on all configured AS/400s.
SUPPORT CAPABILITIES: Each time this service starts, it checks for the existence of the NT Start Comm Trace File. If it is found, this service records its detailed activity by creating or appending to the NT Comm Trace File. The NT Password Comm Service should be stopped, the NT Start Comm Trace File deleted, and the service restarted before the trace file is emailed to support.
NT Password Cache File

This file caches in chronological order the encrypted AS/400 password changes received from the AS/400 Password Comm Program. They are retained until they can be sent to the NT Security DLL. This cache is not affected by NT restarts and survives abnormal program and NT terminations.
LIMITATIONS: None.
CHANGED BY: This cache is created and maintained in chronological order by the NT Password Comm Service. It can be deleted by the NT Cleanup option in the NT Utility Program.
INSTALLATION: The cache is created when needed.
PERSISTENCE and ADMINISTRATION: This cache is not affected by NT restarts. No administration is required.
NAMES: The NT Password Cache File is recov_file in the installation directory, e.g. C:\usignon.
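The store-and-forward path described in the AS/400 Password Comm Program, NT Password Comm Service and NT Password Cache File sections above, as an added simulation that is not code from the Universal Password product. It models the chronological queue and cache files as one-JSON-record-per-line files (the layout, the file name pwd_user_queue and all function names are assumptions; USIGNRECOV and recov_file are the names the page gives), replays the restart file before draining the queue, and shows how a CPI/C failure on one entry ends the run without losing that entry or the ones behind it. The product's encryption is not implemented: each record carries an opaque placeholder string where the encrypted user ID and passwords would be. Requires Python 3.8 or later.

```python
# Added example, not code from the Universal Password product: a simulation of
# the AS/400 Password User Queue -> AS/400 Password Comm Program (with its
# Restart File) -> NT Password Comm Service -> NT Password Cache File path.
# Function names, the file name pwd_user_queue and the one-JSON-record-per-line
# layout are assumptions; the encryption is not implemented (opaque placeholders).
import json
import os
import tempfile


class ChronoFileQueue:
    """File-backed FIFO, one JSON record per line in arrival order; models the
    AS/400 Password User Queue and the NT Password Cache File. Each append
    opens, writes and closes the file, so a crash cannot leave it half-written."""

    def __init__(self, path):
        self.path = path

    def append(self, entry):
        with open(self.path, "a", encoding="utf-8") as f:
            f.write(json.dumps(entry) + "\n")

    def pop_oldest(self):
        """Destructive read of the oldest entry; None when the queue is empty."""
        if not os.path.exists(self.path):
            return None
        with open(self.path, encoding="utf-8") as f:
            lines = f.readlines()
        if not lines:
            return None
        tmp = self.path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as f:
            f.writelines(lines[1:])
        os.replace(tmp, self.path)  # atomic rename: the file is never half-rewritten
        return json.loads(lines[0])


class RestartFile:
    """Holds the single entry the Comm Program could not transmit (USIGNRECOV)."""

    def __init__(self, path):
        self.path = path

    def write(self, entry):
        with open(self.path, "w", encoding="utf-8") as f:
            json.dump(entry, f)

    def take(self):
        """Return and erase the saved entry; create the file if it is missing."""
        if not os.path.exists(self.path):
            open(self.path, "w").close()
            return None
        with open(self.path, encoding="utf-8") as f:
            raw = f.read()
        open(self.path, "w").close()
        return json.loads(raw) if raw.strip() else None


class TransmitError(Exception):
    """Stands in for an error condition returned by the CPI/C interface."""


def run_comm_program(queue, restart, transmit, console):
    """One run of the AS/400 Password Comm Program: replay the restart file, then
    drain the queue. Returns (entries delivered, ended normally). The real
    program waits for the next entry; this run ends when the queue is empty."""
    pending = restart.take() or queue.pop_oldest()
    delivered = 0
    while pending is not None:
        try:
            transmit(pending)
        except TransmitError as exc:
            restart.write(pending)  # keep the unsent entry for the next run
            console.append(f"Comm Program terminating abnormally: {exc}")
            return delivered, False
        delivered += 1
        pending = queue.pop_oldest()
    return delivered, True


def simulate(workdir=None):
    """Three password changes, a CPI/C failure on the second, then a restart."""
    workdir = workdir or tempfile.mkdtemp()
    queue = ChronoFileQueue(os.path.join(workdir, "pwd_user_queue"))
    restart = RestartFile(os.path.join(workdir, "USIGNRECOV"))
    cache = ChronoFileQueue(os.path.join(workdir, "recov_file"))
    console = []
    for n in (1, 2, 3):  # what the AS/400 Password Program would have enqueued
        queue.append({"seq": n, "blob": f"<constructed encrypted change {n}>"})

    def flaky_link(entry):  # the NT service appends to its cache file on receipt
        if entry["seq"] == 2:
            raise TransmitError("CPI/C send failed")
        cache.append(entry)

    first = run_comm_program(queue, restart, flaky_link, console)
    second = run_comm_program(queue, restart, cache.append, console)
    polled = []  # the order in which the NT Security DLL would receive them
    while (entry := cache.pop_oldest()) is not None:
        polled.append(entry["seq"])
    return {"first": first, "second": second, "polled": polled,
            "console_messages": len(console), "restart_left": restart.take()}
```

Running simulate() delivers change 1, fails on change 2 (which lands in the restart file while change 3 stays in the queue), and the second run delivers 2 and then 3, so the NT side sees 1, 2, 3 in order with nothing duplicated. Two properties of this model are worth noting when reasoning about the real components: an entry is held only in memory between the destructive read and a successful transmission, and every file in the chain holds password material that the page says is encrypted, so the queue, restart and cache files deserve the same access restrictions as the trace files that may record the same activity.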
NT Security DLL

This DLL obtains AS/400 password changes from the NT Password Comm Service and effects them using SNA Server's MDSI (Multiple Domain Security Interface).
This DLL is loaded and sent an initialization message by SNA Host Account Synchronization Service. The DLL sends an initialization message to the NT Password Comm Service (which starts the AS/400 Password Comm Programs on all configured AS/400s). When the 400 Comm Programs are initialized, the DLL informs SNA Host Account Synchronization Service.
Every 2 seconds this DLL polls the NT Password Comm Service for a password change. If one is returned, the DLL calls SNA Server's MDSI, providing it the AS/400 user ID, old password and new password. The MDSI Interface makes the password change to the equivalent NT user ID throughout the NT network.
(The MDSI Interface will also call this NT Security DLL on this and other domains to make the password change on configured AS/400s. The NT to 400 synchronization features are not further described here.)
If it finds that the NT Password Comm Service is not active, the DLL writes an event to the NT Event Log and keeps retrying, writing an event to the log once an hour while retrying. When the service is active again, the DLL records the event in the NT Event Log and sends an initialization call to the NT Password Comm Service (which starts the AS/400 Password Comm Programs on all configured AS/400s).
When SNA Host Account Synchronization Service issues a cleanup message to this DLL, the DLL issues a cleanup message to the NT Password Comm Service (which terminates the AS/400 Password Comm Programs on all active AS/400s). The DLL then informs SNA Host Account Synchronization Service, which terminates the DLL.
LIMITATIONS: It cannot be stopped or started other than by stopping and starting the SNA Host Account Synchronization Service.
INSTALLATION: This DLL is started and terminated by SNA Host Account Synchronization Service.
PERSISTENCE and ADMINISTRATION: This DLL is started and terminated by SNA Host Account Synchronization Service. When it is not running, AS/400 password changes continue to be cached in either the AS/400 Password User Queue or the NT Password Cache File.
SHUTDOWN and RESTART: None.
SUPPORT CAPABILITIES: Each time this DLL starts, it checks for the existence of the NT Start Security DLL Trace File. If it is found, this DLL records its detailed activity by creating or appending to the NT Security DLL Trace File. SNA Host Account Synchronization Service should be stopped, the NT Start Security DLL Trace File deleted, and SNA Host Account Synchronization Service restarted before the trace file is emailed to support.
NAMES: The NT Security DLL is called USIGNSEC.dll.
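The polling and retry behaviour of the NT Security DLL described above, as an added model that is not code from the Universal Password product. It is driven by an injected clock so the 2-second poll, the once-an-hour event-log throttle during an outage, the recovery event and the re-initialization call can be checked in a test without waiting; class, method and event names are assumptions, the NT Password Comm Service is replaced by an in-memory stand-in, and the MDSI call is replaced by a callable that records what it would have applied.

```python
# Added example, not code from the Universal Password product: a model of the
# NT Security DLL polling loop with an injected clock. Names are assumptions;
# the Comm Service and the MDSI call are stand-ins.
POLL_INTERVAL = 2      # seconds between polls of the NT Password Comm Service
LOG_THROTTLE = 3600    # seconds between repeated "service not active" events


class FakeCommService:
    """Stand-in for the NT Password Comm Service: a cache that can go down."""

    def __init__(self):
        self.active = True
        self.cache = []       # oldest entry first, as in the NT Password Cache File
        self.init_calls = 0   # each call would start the AS/400 Comm Programs

    def is_active(self):
        return self.active

    def initialize(self):
        self.init_calls += 1

    def poll(self):
        return self.cache.pop(0) if self.cache else None


class SecurityDllModel:
    def __init__(self, service, mdsi, event_log):
        self.service = service
        self.mdsi = mdsi                 # mdsi(entry): make the change NT-wide
        self.event_log = event_log       # list of (time, event code) tuples
        self.initialized = False
        self.last_outage_event = None    # time of the last SERVICE_DOWN event

    def tick(self, now):
        """One poll at time `now` (seconds)."""
        if not self.service.is_active():
            self.initialized = False     # a fresh init call is needed on recovery
            if (self.last_outage_event is None
                    or now - self.last_outage_event >= LOG_THROTTLE):
                self.event_log.append((now, "SERVICE_DOWN"))
                self.last_outage_event = now
            return
        if not self.initialized:
            if self.last_outage_event is not None:   # recovery after an outage
                self.event_log.append((now, "SERVICE_UP"))
                self.last_outage_event = None
            self.service.initialize()
            self.initialized = True
        entry = self.service.poll()
        if entry is not None:
            self.mdsi(entry)


def run(model, start, stop):
    """Poll every POLL_INTERVAL seconds for times in [start, stop)."""
    now = start
    while now < stop:
        model.tick(now)
        now += POLL_INTERVAL


def simulate():
    """Two changes applied, an outage of just over two hours, one change after recovery."""
    service = FakeCommService()
    applied, events = [], []
    model = SecurityDllModel(service, applied.append, events)
    service.cache = ["A", "B"]        # constructed stand-ins for encrypted records
    run(model, 0, 10)                 # normal operation
    service.active = False
    run(model, 10, 7300)              # outage: events expected at t=10, 3610, 7210
    service.active = True
    service.cache = ["C"]             # cached by the service during the outage
    run(model, 7300, 7310)            # recovery
    return {"applied": applied,
            "outage_events": sum(1 for _, e in events if e == "SERVICE_DOWN"),
            "recovery_events": sum(1 for _, e in events if e == "SERVICE_UP"),
            "init_calls": service.init_calls}
```

The throttle keeps a long outage from filling the NT Event Log with an entry every 2 seconds while still leaving a detectable signal every hour; the single SERVICE_UP event marks the point at which changes cached during the outage start to flow again, which is the event a monitor should watch for when reconciling AS/400 and NT password state.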