IBM Db2 Web Query for i

I have a user who writes her own DB2 reports and creates the schedules for them.  Our system requires that we change our iSeries password every 90 days.  So every time she changes her password, her scheduled DB2 Web Query reports do not run.  Apparently they can't run because the password has changed.  The scheduled log report says 'Task error:  IBFSException 6000:  Bad userid'.  Her profile shows that there were 74 'Password verifications not valid' from last night's attempts to run her reports.  Note:  she does not use her iSeries User/password for anything else, she works outside of the iSeries otherwise.

Where/how is the userid/password attached to the scheduled report?  is it on the report, or is it on the scheduling setup?  My own scheduled reports, and others that also schedule reports, do not have a problem when changing password.  Is there a setting that she may have set somewhere that is requiring the userid/password in order for the schedule job to run?

------------------------------
Kathy Ried
------------------------------

Hi Kathy.

In my humble opinion, if this user does not work in iSeries for anything else than this schedule report, the easiest way to solve this problems would be changing her user profile (CHGUSRPRF) and set PWDEXPITV parameter to *NOMAX value, with this change, you will be sure, the password won´t expire nevermore and the report will works to infinity and beyond. But I do not know if this is possible according your internal security rules.

By the way, clicking "View Log" on the webQuery schedule you can see the user profile used by the schedule job to connect with EDASERVE:   


Mario Barrios

------------------------------
Mario Barrios
------------------------------

Original Message:
Sent: Mon January 23, 2023 06:58 AM
From: Kathy Ried
Subject: Where is the iSeries User/password tied to a scheduled report?

I have a user who writes her own DB2 reports and creates the schedules for them.  Our system requires that we change our iSeries password every 90 days.  So every time she changes her password, her scheduled DB2 Web Query reports do not run.  Apparently they can't run because the password has changed.  The scheduled log report says 'Task error:  IBFSException 6000:  Bad userid'.  Her profile shows that there were 74 'Password verifications not valid' from last night's attempts to run her reports.  Note:  she does not use her iSeries User/password for anything else, she works outside of the iSeries otherwise.

Where/how is the userid/password attached to the scheduled report?  is it on the report, or is it on the scheduling setup?  My own scheduled reports, and others that also schedule reports, do not have a problem when changing password.  Is there a setting that she may have set somewhere that is requiring the userid/password in order for the schedule job to run?

------------------------------
Kathy Ried
------------------------------

Dear Kathy

Just for your awareness. There are 13 members in this DB2 Web Query for i group but there are about a thousand members in IBM i Global group. I'm fairly certain you may stand a better chance getting more answers from the latter group if there is no more response to you here in this group.  If you decide to ask your question in IBM i Global group, I suggest you change the subject a bit to "Db2 Web Query - cannot run scheduled report after user password change".

------------------------------
Right action is better than knowledge; but in order to do what is right, we must know what is right.
-- Charlemagne

Satid Singkorapoom
------------------------------

Original Message:
Sent: Mon January 23, 2023 06:58 AM
From: Kathy Ried
Subject: Where is the iSeries User/password tied to a scheduled report?

I have a user who writes her own DB2 reports and creates the schedules for them.  Our system requires that we change our iSeries password every 90 days.  So every time she changes her password, her scheduled DB2 Web Query reports do not run.  Apparently they can't run because the password has changed.  The scheduled log report says 'Task error:  IBFSException 6000:  Bad userid'.  Her profile shows that there were 74 'Password verifications not valid' from last night's attempts to run her reports.  Note:  she does not use her iSeries User/password for anything else, she works outside of the iSeries otherwise.

Where/how is the userid/password attached to the scheduled report?  is it on the report, or is it on the scheduling setup?  My own scheduled reports, and others that also schedule reports, do not have a problem when changing password.  Is there a setting that she may have set somewhere that is requiring the userid/password in order for the schedule job to run?

------------------------------
Kathy Ried
------------------------------

Satid - this is a brand new group in the IBM i Community so it is just getting started. Web query questions should be asked here as they will be monitored by the  Db2 Web Query team. I'll answer Kathy here in a sec, but we want to encourage web query questions to come specifically into this group/topic. We're hoping to get the now retired web query Q&A database that previously existed copied into this one as well but still working on that. Hopefully with time this membership will grow. 

-Doug

------------------------------
Doug Mack
mackd@us.ibm.com
------------------------------

Original Message:
Sent: Tue January 24, 2023 10:53 PM
From: Satid Singkorapoom
Subject: Where is the iSeries User/password tied to a scheduled report?

Dear Kathy

Just for your awareness. There are 13 members in this DB2 Web Query for i group but there are about a thousand members in IBM i Global group. I'm fairly certain you may stand a better chance getting more answers from the latter group if there is no more response to you here in this group.  If you decide to ask your question in IBM i Global group, I suggest you change the subject a bit to "Db2 Web Query - cannot run scheduled report after user password change".

------------------------------
Right action is better than knowledge; but in order to do what is right, we must know what is right.
-- Charlemagne

Satid Singkorapoom

Original Message:
Sent: Mon January 23, 2023 06:58 AM
From: Kathy Ried
Subject: Where is the iSeries User/password tied to a scheduled report?

I have a user who writes her own DB2 reports and creates the schedules for them.  Our system requires that we change our iSeries password every 90 days.  So every time she changes her password, her scheduled DB2 Web Query reports do not run.  Apparently they can't run because the password has changed.  The scheduled log report says 'Task error:  IBFSException 6000:  Bad userid'.  Her profile shows that there were 74 'Password verifications not valid' from last night's attempts to run her reports.  Note:  she does not use her iSeries User/password for anything else, she works outside of the iSeries otherwise.

Where/how is the userid/password attached to the scheduled report?  is it on the report, or is it on the scheduling setup?  My own scheduled reports, and others that also schedule reports, do not have a problem when changing password.  Is there a setting that she may have set somewhere that is requiring the userid/password in order for the schedule job to run?

------------------------------
Kathy Ried
------------------------------

Hi Kathy, 
I'm part of the Db2 Web Query team - I've been trying this on one of our systems at 2.3.0 and I can certainly change passwords all day long and the schedules will still run without having to alter the schedule properties -  but if the user profile goes into a disabled state it does not run. Once the user profile is back in enabled state the schedule runs fine.

What version of web query are you running (you can do a WRKWEBQRY to see that). Have you experienced different behavior (if the user profile is re-enabled do the schedules run)? If so, I'd suggest you open a case with IBM support so they can have a look at some things to understand what might be going on. You can do that via http://www.ibm.com/mysupport . 

Hope that helps - we also have some built in reports just to see who owns schedules in the Db2 Web Query Information folder, Schedule Properties report. 

--Doug

------------------------------
Doug Mack
mackd@us.ibm.com
------------------------------

Original Message:
Sent: Mon January 23, 2023 06:58 AM
From: Kathy Ried
Subject: Where is the iSeries User/password tied to a scheduled report?

I have a user who writes her own DB2 reports and creates the schedules for them.  Our system requires that we change our iSeries password every 90 days.  So every time she changes her password, her scheduled DB2 Web Query reports do not run.  Apparently they can't run because the password has changed.  The scheduled log report says 'Task error:  IBFSException 6000:  Bad userid'.  Her profile shows that there were 74 'Password verifications not valid' from last night's attempts to run her reports.  Note:  she does not use her iSeries User/password for anything else, she works outside of the iSeries otherwise.

Where/how is the userid/password attached to the scheduled report?  is it on the report, or is it on the scheduling setup?  My own scheduled reports, and others that also schedule reports, do not have a problem when changing password.  Is there a setting that she may have set somewhere that is requiring the userid/password in order for the schedule job to run?

------------------------------
Kathy Ried
------------------------------

Dear Doug

Your message was understood.  Please read on to the end as I have a question for you.

Dear Kathy

From a Google search, I found this old IBM Support Forum entry discussing a problem in running Web Query report : https://www.ibm.com/mysupport/s/question/0D50z000060GUoHCAW/webquery-scheduled-jobs  which indicated that Web Query report failed to run when the user's password expired. This is a standard IT security practice not to allow a user with expired password to get into the system.

So, I believe the problem you asked about must have the cause in the possibility that your user's password had already passed its expiration date at the moment your user tried to run the report which subsequently failed.  You can easily test this by using CHGUSRPRF with PWDEXP(*YES) (do not change the password yet) and try to run a report for that user profile to see if it fails with the error that you described.   If this is the case, it explains your statement that other users who use IBM i regularly never has this problem because they are always prompted to supply a new password when they access IBM i from any user interface other than Web Query's.

The solution is that you need to find a way for that problematic user to check if the password is expired yet before running the report. Or you change the report to run under a different user profile WITHOUT password expiration (read the thread above how to do this). If this latter method causes a violation in your organization's IT security policy, then what you can do is to create a new user with PASSWORD (*NONE) which should not violate the policy because a user profile with PASSWORD(*NONE) cannot be used to sign on to IBM i system (and therefore no worry about password expiration) and it is used to run batch jobs when normal user profile has any problem running jobs like what you asked.  You ALSO need to assign proper access authority to this user profile object with no password so that it can be used by only a limited group of users who have a need for it. Also assign this new user proper access authority to your application data objects

Doug

This problematic user accesses IBM i ONLY from Web Query interface. I wonder if you or your colleague can inform  Kathy if there is a proper practice in Web Query usage for such a user to get IBM i prompt asking for a new password when the existing one already expires before they can proceed with using Web Query ? 

------------------------------
Right action is better than knowledge; but in order to do what is right, we must know what is right.
-- Charlemagne

Satid Singkorapoom
------------------------------

Original Message:
Sent: Mon January 23, 2023 06:58 AM
From: Kathy Ried
Subject: Where is the iSeries User/password tied to a scheduled report?

I have a user who writes her own DB2 reports and creates the schedules for them.  Our system requires that we change our iSeries password every 90 days.  So every time she changes her password, her scheduled DB2 Web Query reports do not run.  Apparently they can't run because the password has changed.  The scheduled log report says 'Task error:  IBFSException 6000:  Bad userid'.  Her profile shows that there were 74 'Password verifications not valid' from last night's attempts to run her reports.  Note:  she does not use her iSeries User/password for anything else, she works outside of the iSeries otherwise.

Where/how is the userid/password attached to the scheduled report?  is it on the report, or is it on the scheduling setup?  My own scheduled reports, and others that also schedule reports, do not have a problem when changing password.  Is there a setting that she may have set somewhere that is requiring the userid/password in order for the schedule job to run?

------------------------------
Kathy Ried
------------------------------

Satid (and Kathy), 

The reason I suggested she open a case is to stop guessing at this and talk to the appropriate IBM support channel. I have consulted with the development team and there is a belief that she is either running on an older version of web query or the schedules were created on an older version of web query. An expired password should not stop a schedule from running (in recent versions), but a disabled user profile will. Opening a support case, gathering some info and/or having a quick webex to take a look should provide more insight and better recommendations. 

-Doug 


------------------------------
Doug Mack
mackd@us.ibm.com
------------------------------

Original Message:
Sent: Thu January 26, 2023 03:26 AM
From: Satid Singkorapoom
Subject: Where is the iSeries User/password tied to a scheduled report?

Dear Doug

Your message was understood.  Please read on to the end as I have a question for you.

Dear Kathy

From a Google search, I found this old IBM Support Forum entry discussing a problem in running Web Query report : https://www.ibm.com/mysupport/s/question/0D50z000060GUoHCAW/webquery-scheduled-jobs  which indicated that Web Query report failed to run when the user's password expired. This is a standard IT security practice not to allow a user with expired password to get into the system.

So, I believe the problem you asked about must have the cause in the possibility that your user's password had already passed its expiration date at the moment your user tried to run the report which subsequently failed.  You can easily test this by using CHGUSRPRF with PWDEXP(*YES) (do not change the password yet) and try to run a report for that user profile to see if it fails with the error that you described.   If this is the case, it explains your statement that other users who use IBM i regularly never has this problem because they are always prompted to supply a new password when they access IBM i from any user interface other than Web Query's.

The solution is that you need to find a way for that problematic user to check if the password is expired yet before running the report. Or you change the report to run under a different user profile WITHOUT password expiration (read the thread above how to do this). If this latter method causes a violation in your organization's IT security policy, then what you can do is to create a new user with PASSWORD (*NONE) which should not violate the policy because a user profile with PASSWORD(*NONE) cannot be used to sign on to IBM i system (and therefore no worry about password expiration) and it is used to run batch jobs when normal user profile has any problem running jobs like what you asked.  You ALSO need to assign proper access authority to this user profile object with no password so that it can be used by only a limited group of users who have a need for it. Also assign this new user proper access authority to your application data objects

Doug

This problematic user accesses IBM i ONLY from Web Query interface. I wonder if you or your colleague can inform  Kathy if there is a proper practice in Web Query usage for such a user to get IBM i prompt asking for a new password when the existing one already expires before they can proceed with using Web Query ? 

------------------------------
Right action is better than knowledge; but in order to do what is right, we must know what is right.
-- Charlemagne

Satid Singkorapoom

Original Message:
Sent: Mon January 23, 2023 06:58 AM
From: Kathy Ried
Subject: Where is the iSeries User/password tied to a scheduled report?

I have a user who writes her own DB2 reports and creates the schedules for them.  Our system requires that we change our iSeries password every 90 days.  So every time she changes her password, her scheduled DB2 Web Query reports do not run.  Apparently they can't run because the password has changed.  The scheduled log report says 'Task error:  IBFSException 6000:  Bad userid'.  Her profile shows that there were 74 'Password verifications not valid' from last night's attempts to run her reports.  Note:  she does not use her iSeries User/password for anything else, she works outside of the iSeries otherwise.

Where/how is the userid/password attached to the scheduled report?  is it on the report, or is it on the scheduling setup?  My own scheduled reports, and others that also schedule reports, do not have a problem when changing password.  Is there a setting that she may have set somewhere that is requiring the userid/password in order for the schedule job to run?

------------------------------
Kathy Ried
------------------------------