Universal Password Concept


Universal Password, in conjunction with Microsoft's SNA Server's Host Account Synchronization Service, provides single sign-on, single password access to multiple AS/400 and Windows NT servers in a distributed computing environment.


The main components are shown below, aligned to the left edge. An indication is given for each component about how it is normally started.

Inter-Relationship of Components

Below each component are shown (indented beneath it) the components which affect that component. Components marked 'support' are typically used to provide application traces to support personnel. Components marked 'utility' are typically used by administrators to manage the application.

AS/400 password change

AS/400 Password Program (started by: OS/400 on password change)
    utility: 400 Start Password Application
    utility: 400 Stop All Utility

AS/400 Password User Queue
    utility: NT Cleanup option on NT Utility Program

AS/400 Password Comm Program (started by: NT Password Comm Service)
    AS/400 Password Restart File
        utility: NT Cleanup option on NT Utility Program
    AS/400 console messages
    support: AS/400 Start Comm Trace File
        utility: NT Cleanup option on NT Utility Program
    support: AS/400 Comm Trace File
        utility: NT Cleanup option on NT Utility Program
    utility: 400 Stop Comm Utility
    utility: 400 Stop All Utility
    utility: NT Cleanup option on NT Utility Program

SNA Server's CPI/C Interface

NT Password Comm Service (started by: NT boot; initialized by: NT Security DLL)
    NT Password Cache File
        utility: NT Cleanup option on NT Utility Program
    NT Event Log
    support: NT Start Comm Trace File
        utility: NT Cleanup option on NT Utility Program
    support: NT Comm Trace File
        utility: NT Cleanup option on NT Utility Program
    utility: NT Stop Comm option on NT Utility Program
    utility: NT Cleanup option on NT Utility Program

NT Security DLL (started by: SNA Host Account Synchronization Service)
    NT Event Log
    support: NT Start Security DLL Trace File
        utility: NT Cleanup option on NT Utility Program
    support: NT Security DLL Trace File
        utility: NT Cleanup option on NT Utility Program

SNA Server's Host Account Synchronization Service MDSI Interface


The components are described in more detail in the following sections.

 

AS/400 Components

Universal Password enables bi-directional password synchronization with participating Windows NT domains. To enable bi-directional synchronization, some AS/400 components of Universal Password must be installed on the AS/400. Each component is described in detail below so you can have a good understanding of its role and implications.

AS/400 Password Program

This program identifies password changes on the AS/400 and caches them in the AS/400 Password User Queue. This program is started by OS/400 whenever a password is changed. It checks if the AS/400 Password User Queue exists. If it does not, it creates the queue. This program obtains each password change on the AS/400 as that password change is being effected. It encrypts the user ID, old and new passwords and places them in chronological order on the AS/400 Password User Queue.

LIMITATIONS: It does not identify user IDs that are created, inactivated or removed. It does not identify password changes made with Change User Profile. It will not cache password changes should the AS/400 Password User Queue exceed its 64 MB limit.

INSTALLATION: It is activated by a Security Officer or better with the 400 Start Password Application on the 400 Utility Menu. No restrictions are placed on the AS/400 during these processes.

PERSISTENCE and ADMINISTRATION: IPL does not affect this program. The administrator does not have to perform any maintenance on this program once it is activated.

SHUTDOWN and RESTART: This program can be disabled by a Security Officer or better with either the 400 Stop All Utility or the NT Cleanup option on NT Utility Program. Shut downs and restarts of this program do not affect other components. Password changes made while this program is shut down will be lost.

This program can be restarted with the 400 Start Password Application on the 400 Utility Menu.

SUPPORT CAPABILITIES: This program has no trace capabilities.

AS/400 Password User Queue

This user queue caches the encrypted AS/400 password changes in chronological order. They are retained until they can be sent to the NT.

LIMITATIONS: It is limited to 64 MB.

CHANGED BY: This queue can be created by either the AS/400 Password Program or the AS/400 Password Comm Program. It is written to in chronological order by the AS/400 Password Program. It is destructively read from in chronological order by the AS/400 Password Comm Program. It can be deleted by the NT Cleanup option on NT Utility Program.

INSTALLATION: The queue is created when needed.

PERSISTENCE and ADMINISTRATION: This queue is not affected by an AS/400 IPL. No administration is required.

AS/400 Password Comm Program

This program transfers password changes from the AS/400 Password User Queue to the NT Password Comm Program. This program is started by the NT Password Comm Service. Installation configuration is minimized by having the NT Comm start the 400 Comm.

When this program starts up, it checks if the AS/400 Password User Queue exists. If not, it creates it. The program then checks if the AS/400 Password Restart File exists. If it does not, it creates the file. If it exists and contains an entry, that entry is erased from the file and then transmitted to the NT Password Comm Program. Normal processing then commences.

This program destructively reads the first entry on the queue. It then transmits it to the NT Password Comm Program using SNA Server's CPI/C interface. If the transmission is successful, this program waits for the next queue entry.

If the transmission returns an error condition, this program writes the unsent queue entry into the AS/400 Password Restart File. It then sends a message to the AS/400 console identifying the problem encountered and stating it is terminating abnormally. It then terminates.

LIMITATIONS: It will terminate on any error condition from the CPI/C interface. Tests have shown that recovery in such conditions is problematic. No messages are presently sent to the console; this feature will be included in version 2 of the product.

INSTALLATION: This program is activated by the NT Password Comm Service each time the latter is initialized.

PERSISTENCE and ADMINISTRATION: This program is started by the NT Password Comm Service. When it is not running, AS/400 password changes continue to be cached in the AS/400 Password User Queue.

SHUTDOWN and RESTART: This program can be stopped using either the 400 Stop Comm Utility, 400 Stop All Utility or the 400 Cleanup Utility on the 400 Utility Menu. Password changes made while this program is shut down will not be lost.

When this program terminates, the session to the NT Password Comm Service will be dropped. That service will note the event in the NT Event Log and ignore the 400 until the service is restarted.

This program is restarted when the NT Password Comm Service is restarted.

SUPPORT CAPABILITIES: Each time this program starts, it checks for the existence of the AS/400 Start Comm Trace File. If it is found, this program records its detailed activity by creating or appending to the AS/400 Comm Trace File. The NT Password Comm Service should be stopped, the AS/400 Start Comm Trace File should be deleted, and the service restarted before the trace file is emailed to support.

AS/400 Password Restart File

This file contains the entry from the AS/400 Password User Queue which the AS/400 Password Comm Program was unable to transmit, causing that program to terminate abnormally. When the program restarts, it uses this file to retry the unsuccessful transmission.

LIMITATIONS: none.

CHANGED BY: This file can be created and maintained by AS/400 Password Comm Program. It can be deleted by the NT Cleanup option on NT Utility Program.

INSTALLATION: The file is created when needed.

PERSISTENCE and ADMINISTRATION: This file is not affected by an AS/400 IPL. No administration is required.

NAMES: The AS/400 Password Restart File is physical file USIGNRECOV in library USIGNON.
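The store-and-forward behaviour of the AS/400 Password Comm Program and the AS/400 Password Restart File described above, modelled as an added example (not the product's own code): the queue, restart file and CPI/C transport are in-memory stand-ins, the class and function names are assumptions, and the entries are constructed placeholders for the encrypted user ID / old password / new password records.

```python
from collections import deque


class TransmitError(Exception):
    """Stand-in for an error condition returned by the CPI/C send (assumed name)."""


class PasswordCommProgram:
    """Models the AS/400 Password Comm Program's queue and restart-file handling."""

    def __init__(self, queue, restart_file, transport):
        self.queue = queue                # AS/400 Password User Queue (FIFO)
        self.restart_file = restart_file  # AS/400 Password Restart File (0 or 1 entry)
        self.transport = transport        # send to the NT Password Comm Service
        self.console = []                 # AS/400 console messages
        self.running = False

    def start(self):
        """Called each time the NT Password Comm Service (re)initializes."""
        self.running = True
        # Startup: an entry left behind by an abnormal termination is erased
        # from the restart file and retransmitted before the queue is touched.
        if self.restart_file:
            self._send(self.restart_file.pop())
        # Normal processing: destructively read the oldest entry and send it.
        while self.running and self.queue:
            self._send(self.queue.popleft())

    def _send(self, entry):
        try:
            self.transport(entry)
        except TransmitError as exc:
            # Preserve the unsent entry, report the problem, terminate abnormally.
            self.restart_file.append(entry)
            self.console.append(f"terminating abnormally: {exc}")
            self.running = False


def run_scenario():
    """Constructed scenario: three queued changes, one CPI/C failure mid-run."""
    queue = deque([("ALICE", "o1", "n1"), ("BOB", "o2", "n2"), ("CAROL", "o3", "n3")])
    restart_file, received, failed_once = [], [], []

    def transport(entry):  # fails exactly once, on BOB's entry
        if entry[0] == "BOB" and not failed_once:
            failed_once.append(entry)
            raise TransmitError("CPI/C session dropped")
        received.append(entry)

    prog = PasswordCommProgram(queue, restart_file, transport)
    prog.start()   # first run: ALICE sent, BOB fails, program terminates
    after_crash = (list(received), list(restart_file), list(queue))
    prog.start()   # restart: BOB retried from the restart file, then CAROL
    return after_crash, received, restart_file, prog.console
```

The NT Password Cache File follows the same append-then-destructive-read pattern on the NT side, which is why a change is never lost while either the queue or the cache file is intact.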

 

Windows NT Components

The Windows NT components of Universal Password will propagate the password changes initiated by the participating Windows NT domains and will also receive and propagate passwords changes initiated on the participating AS/400s.

NT Password Comm Service

This service obtains AS/400 password changes from the AS/400 Password Comm Program and caches them in the NT Password Cache File. It also returns entries from this file when polled by the NT Security DLL. This service is started during NT boot. It performs no activity initially.

The NT Security DLL makes an initialization call to this program when that DLL is initialized by SNA Host Account Synchronization Service. The service starts the AS/400 Password Comm Programs on each AS/400 it is configured for. Control is then returned to the DLL.

When this service gets a password change entry from the AS/400 Password Comm Program via SNA Server's CPI/C interface, it checks if the NT Password Cache File exists. If not, it creates it. This program then opens the file, appends the entry, and closes the file. This methodology allows the file to survive abnormal termination.

When this service is polled by the NT Security DLL, if there is a cached entry, it opens the cache file, destructively reads the oldest entry and closes the file. This entry is returned to the NT Security DLL.

When this service gets a cleanup message from the NT Security DLL (it having gotten a cleanup message from SNA Host Account Synchronization Service), the service terminates the AS/400 Password Comm Programs on all active AS/400s. After informing the DLL this has been done, the service waits for an initialization call from the DLL.

LIMITATIONS: It will ignore an AS/400 if it loses its comm session to it or if a comm error occurs with the AS/400.

INSTALLATION: The service is automatically started at NT boot.

PERSISTENCE and ADMINISTRATION: This program is restarted when the NT is booted. When it is not running, AS/400 password changes continue to be cached in the AS/400 Password User Queue.

SHUTDOWN and RESTART: This service can be terminated with the NT Stop Comm and NT Cleanup options in the NT Utility Program. It can also be stopped and restarted by the NT Services Control Panel or the NT Utility Program.

When the service is terminated, it first stops the AS/400 Password Comm Programs on all AS/400s it has active, error-free sessions with. When the service is restarted, it restarts these AS/400 comm programs on all configured AS/400s.

SUPPORT CAPABILITIES: Each time this service starts, it checks for the existence of the NT Start Comm Trace File. If it is found, this service records its detailed activity by creating or appending to the NT Comm Trace File. The NT Password Comm Service should be stopped, the NT Start Comm Trace File should be deleted, and the service restarted before the trace file is emailed to support.

NT Password Cache File

This file caches in chronological order the encrypted AS/400 password changes received from the AS/400 Password Comm Program. They are retained until they can be sent to the NT Security DLL. This cache is not affected by NT restarts and it survives abnormal program and NT terminations.

LIMITATIONS: None.

CHANGED BY: This cache is created and maintained in chronological order by the NT Password Comm Service. It can be deleted by the NT Cleanup option in the NT Utility Program.

INSTALLATION: The cache is created when needed.

PERSISTENCE and ADMINISTRATION: This cache is not affected by NT restarts. No administration is required.

NAMES: The NT Password Cache File is recov_file in the installation directory, e.g. C:\usignon.

NT Security DLL

This program obtains AS/400 password changes from the NT Password Comm Service and effects them using SNA Server's MDSI (Multiple Domain Security Interface).

This DLL is loaded and sent an initialization message by SNA Host Account Synchronization Service. The DLL sends an initialization message to the NT Password Comm Program (which starts AS/400 Password Comm Programs on all configured AS/400s). When the 400 Comm Programs are initialized, the DLL informs SNA Host Account Synchronization Service.

Every 2 seconds this DLL polls the NT Password Comm Service for a password change. If one is returned, the DLL calls SNA Server's MDSI providing it the AS/400 user ID, old and new passwords. The MDSI Interface makes the password change to the equivalent NT user ID throughout the NT network.

(The MDSI Interface will also call this NT Security DLL on this and other domains to make the password change on configured AS/400s. The NT to 400 synchronization features are not further described here.)

If it finds the NT Password Comm Service is not active, it writes an event to the NT Event Log and keeps retrying. It will write an event to the log once an hour while retrying. When the service is active again, it records the event in the NT Event Log and sends an initialization call to the NT Password Comm Program (which starts AS/400 Password Comm Programs on all configured AS/400s).

When SNA Host Account Synchronization Service issues a cleanup message to this DLL, it issues a cleanup message to the NT Password Comm Service (which terminates the AS/400 Password Comm Programs on all active AS/400s). The DLL then informs SNA Host Account Synchronization Service, which terminates the DLL.

LIMITATIONS: It cannot be stopped or started other than by stopping and starting the SNA Host Account Synchronization Service.

INSTALLATION: This program is started and terminated by SNA Host Account Synchronization Service.

PERSISTENCE and ADMINISTRATION: This program is started and terminated by SNA Host Account Synchronization Service. When it is not running, AS/400 password changes continue to be cached in either the AS/400 Password User Queue or the NT Password Cache File.

SHUTDOWN and RESTART: None.

SUPPORT CAPABILITIES: Each time this DLL starts, it checks for the existence of the NT Start Security DLL Trace File. If it is found, this DLL records its detailed activity by creating or appending to the NT Security DLL Trace File. SNA Host Account Synchronization Service should be stopped, the NT Start Security DLL Trace File should be deleted, and SNA Host Account Synchronization Service restarted before the trace file is emailed to support.

NAMES: The NT Security DLL is called USIGNSEC.dll.