Morning all
I think the RFE is in place for this one, please take a look and if you agree, vote and comment.
https://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=97972
The good news is that the status is "Planned for Future Release". So, I think IBM has it on the roadmap.
You can influence a lot of these messages already using the method that Glenn has highlighted. I've listed more of them in the Preventing User Enumeration article:
https://powerwire.eu/protecting-against-user-enumeration-in-ibm-i
How do you prevent this sort of user enumeration?
The answer is as simple as changing the messages you get when you fail to sign on. Fortunately, that is as simple as issuing a CHGMSGD change message description command for each message that could be used to enumerate.
You can make these changes whilst the system is in use, no need for downtime or asking anyone to sign out and you can reverse them in the exact same way.
So in my first example, we had message CPF1107 – Password not correct for user profile, using command:
CHGMSGD MSGID(CPF1107) MSGF(QCPFMSG) MSG('Invalid sign on attempt')
We remove the key piece of information that the user was correct and that just the password was wrong.
I would suggest you use the exact same "Invalid sign on attempt" message text for the following messages:
- CPF1108 USRPRF &1 not found for JOBD &2 in &3.
- CPF1109 Not authorized to subsystem.
- CPF1110 Not authorized to work station.
- CPF1116 Next not valid sign-on attempt varies off
- CPF1117 User &1 not accessible.
- CPF1118 No password associated with user &1
- CPF1120 – User &1 does not exist.
- CPF1392 Next not valid sign-on disables user profile
- CPF1393 User profile &2 has been disabled.
- CPF1394 User profile &1 cannot sign on.
- CPIAD06 – Invalid sign on attempt made.
You can use the same CHGMSGD command for each, just changing the Message ID as appropriate.
This is great as far as it goes but I think Glenn is after a way to change the ACS messages like:
"MSGSY0001 - User rowton1 on system RIT RITMON does not exist"
@Glenn please confirm I'm barking up the right tree?
Which I believe are encoded in the acsbundle.jar, I started searching for them in this jar file, as theoretically you could find and edit them in there. But no luck so far.
Certainly an interesting challenge in the short term, let's hope that this functionality is added to ACS soon.
#Keep your ACS up to date ;-)
------------------------------
Steve Bradshaw Friendly Techie Bloke
------------------------------
Original Message:
Sent: Thu November 18, 2021 02:27 PM
From: Bryan Dietz
Subject: Amending ACS failed login messages
Probably going to have to submit an RFE to have it changed
IBM Software RFE Community: RFE Community
------------------------------
Bryan Dietz
Original Message:
Sent: Wed November 17, 2021 09:50 AM
From: Glenn Robinson
Subject: Amending ACS failed login messages
If sign in fails on a 5250 sign in display I get either message:
CPF1120 - User XXXXXXX does not exist
CPF1107 - Password not correct for user
My customer wants to make these a little less vague by replacing the text with "Authorisation failure" or something similar. We can do this easily with CHGMSGD.
BUT, if the user is logging in using ACS or Client Access using the host server Signon server how can we change the messages to make them as vague as the green screen messages? Is there a message file per language? If so, is it supported to change this?
Glenn
------------------------------
Glenn Robinson
------------------------------
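
The per-message CHGMSGD change described in Steve's reply, applied to the whole list of message IDs from one CL program. This is an added example, not code from the thread or the PowerWire article; the variable names are illustrative, and it writes each original text to the job log before changing it so the change can be reversed.

```cl
/* Added example: one generic text for every sign-on message ID    */
/* listed in the reply. Variable names are illustrative.            */
PGM
  DCL VAR(&IDS) TYPE(*CHAR) LEN(84) +
        VALUE('CPF1107CPF1108CPF1109CPF1110CPF1116CPF1117+
               CPF1118CPF1120CPF1392CPF1393CPF1394CPIAD06')
  DCL VAR(&I)   TYPE(*INT)  LEN(4)
  DCL VAR(&POS) TYPE(*INT)  LEN(4)
  DCL VAR(&ID)  TYPE(*CHAR) LEN(7)
  DCL VAR(&OLD) TYPE(*CHAR) LEN(132)
  DCL VAR(&LOG) TYPE(*CHAR) LEN(160)

  DOFOR VAR(&I) FROM(0) TO(11)
    /* Pick the next 7-character message ID out of the list */
    CHGVAR VAR(&POS) VALUE((&I * 7) + 1)
    CHGVAR VAR(&ID) VALUE(%SST(&IDS &POS 7))

    /* Read the current first-level text; skip an ID that fails */
    RTVMSG MSGID(&ID) MSGF(QCPFMSG) MSG(&OLD)
    MONMSG MSGID(CPF0000) EXEC(ITERATE)

    /* Record the original text in the job log for later restore */
    CHGVAR VAR(&LOG) VALUE(&ID *BCAT 'was:' *BCAT &OLD)
    SNDPGMMSG MSG(&LOG)

    /* Same replacement text for every ID, as the reply suggests */
    CHGMSGD MSGID(&ID) MSGF(QCPFMSG) MSG('Invalid sign on attempt')
  ENDDO
ENDPGM
```

Restoring a message means running CHGMSGD again with the text logged for that ID. Because the change is made directly in the IBM-supplied QCPFMSG, check after an operating system upgrade or PTF that the texts are still in place.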