Thanks Alan for the useful information,
I did mention "through some authorized method".
Without an ESM, I believe that the password is stored clear-text in the source
VM directory.
For the password, I am more thinking about generating a new one each time
and pushing it to the security function: ESM, DIRMAINT or whatever.
That password can be the password of a userid simply used for LOGONBY.
I have no intention of tampering with the SVM passwords.
Besides the autofill of userid and password, as far as I know, most of us
will start multiple 3270 emulator sessions and work in parallel as much as
our brain can multitask.
This is not very much different of what one would get by using a SNA
multi-session
product like supersession.
If I remember, Computer Associates used to have a product called V-Term
doing something similar.
On PC, there are many automated logon tools that need to store the password
locally to automate the logon. I want to avoid having to store the password
outside VM. That should be more secure not less.
Regards,
Michel Beaulieu
|*|
> Date: Mon, 20 Sep 2010 13:31:35 -0400
> From: alan_altm...@us.ibm.com
> Subject: Re: Automated Logon (autofill userid and password) using TN3270 of
> TCP/IP for VM or Logical Device
> To: IBMVM@LISTSERV.UARK.EDU
>
> On Friday, 09/17/2010 at 01:50 EDT, Michel Beaulieu
> <beaulieumic...@live.ca> wrote:
> > We are not using an External Security Manager(no ESM).
> >
> > I am trying to see if it is possible to do the following:
> >
> >
> > 1. Logon to CMS with userid'A'
> > 2. (Get userid'B' and password through some authorized method)
> > 3. using the telnet command (in transparent mode) and automatically
> login to
> > userid'B'.
> > 4. (do some work with userid'B' interacting with the physical person)
> > 5. logoff userid'B' and return control to userid'A'
> >
> > I could probably achieve what I want by programming using Logical Device
> and
> > doing the logon in my code.
> > Then I have to manage all the 3270 conversation from beginning to end.
> >
> > I am just wandering if such a solution already exists.
> >
> > I would hate to re-invent something like that.
>
> You've gotten lots of ideas from people about SVMs that can do work on
> your behalf. But what you *won't* get with that paradigm is the concept
> that you are acting as "User B". SVMs are privileged and they can be
> programmed to do different things for different people, but it is always a
> client-server model. You make a request, it acts with it's own
> privileges. At no time does the SVM actually *become* User B so that the
> system will enforce User B's privileges on the the SVM. As others have
> said, this is a direct result of the fact that virtual machines are
> separate servers, not processes within a single server.
>
> When tied into a real programming interface rather than a MSG/SMSG model,
> you can even get a reasonable facsimile of an interactive command session.
> E.g. DOAS user2 this_command. The SVM can see if you are authorized to
> act as user2 and whether or not user2 has access to this_command. The
> more sophisticated the SVM, the more automated such things can be, and
> they can even integrate with ESMs.
>
> Beware of step 2. It will attract auditors like moths to a flame. Any
> ability to extract another user's password is simply going to highlight
> that you are storing passwords in clear-text, which a violation of most
> modern password security standards. (Hence the need for an ESM.)
>
> Alan Altmark
>
> z/VM and Linux on System z Consultant
> IBM System Lab Services and Training
> ibm.com/systems/services/labservices
> office: 607.429.3323
> alan_altm...@us.ibm.com
> IBM Endicott
