For the green screen I suppose an "Initial Program" or INLPGM from the user
profile, could then activate any extraneous authorization methods; up to,
and including, retinal scanning.  And it could use the swap profile APIs,
if need be.  I know there is an API that will retrieve the IP address of
the 5250 session being used.

Quite Easily Done or QED.

The hard part is matching the physical retinal scan to a known
database.  But that, I assume we are using a canned package for. That's the
"standing on the shoulders of giants" part.

Rob Berendt
--
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com


Patrick Botz <botz@xxxxxxxxxx>
Sent by: midrange-l-bounces@midrange.com
08/05/2004 02:50 PM
Please respond to Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxm>

To: Midrange Systems Technical Discussion <midrange-l@midrange.com>
cc:
Subject: Re: Replacing the AS400 signon manager?

Depending on the interfaces you want to enable for this, it may be
possible. What you are asking is for two different things.

First, you want to authenticate with -- what to OS/400 is -- a "foreign"
authentication mechanism. Second, based on the ID in this other
authentication mechanism you want to choose the appropriate "local" user
profile to run under.

As long as you control the interfaces (client and server) that are doing
the authentication, then you can make this work. You have to change the
client side that actually prompts the user for authentication (e.g. the FTP
client, or the Telnet Client) and provide an exit point for the server side
that verifies the authentication mechanism provided by the client.  This is
exactly what we did to enable SSO with Windows Domain sign-on to many of
the OS owned interfaces.

To get the second part, you would include in your exit point program a call
to EIM to map from the ID provided by the user to an ID you wanted that
user to use for that specific application. I won't go into all of the
possible ways you could configure the info in EIM to do what you want,
suffice it to say that you could make it do what you have stated below.

The reality of the situation is that you probably don't own the client-side
code for at least some of the interfaces you would want to enable to use a
different authentication mechanism. Also, there is no approach that will
work today for changing the behavior of a green screen sign-on from a dumb
terminal.

Patrick Botz
Senior Technical Staff Member
eServer Security Architect
(507) 253-0917, T/L 553-0917
email: botz@xxxxxxxxxx
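The two-step flow Patrick describes (a server-side exit program verifies a "foreign" authentication assertion from the client, then maps that identity to a local user profile the way an EIM lookup would), sketched as an added Python example that is not from the thread and not an OS/400 API; the HMAC-signed assertion format, the shared key, the registry names and the mapping table are all constructed for illustration.

```python
import hmac
import hashlib
import time

# Constructed: key shared between the out-of-band authenticator and the
# server-side exit program (hypothetical; real deployments provision this properly).
SHARED_KEY = b"constructed-demo-key"

# Constructed EIM-style mapping: (source registry, source identity) -> local profile.
# Anything not listed here fails closed: no mapping means no sign-on.
EIM_MAP = {
    ("WINDOWS_DOMAIN", "jhunter"): "JARED",
    ("RETINA_SCANNER", "scan-0042"): "JARED",
}

MAX_SKEW_SECONDS = 300  # assertions older (or newer) than this are rejected


def make_assertion(registry, identity, issued_at):
    """Client side: the out-of-band authenticator asserts 'identity in registry'."""
    msg = f"{registry}|{identity}|{issued_at}".encode()
    tag = hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()
    return f"{registry}|{identity}|{issued_at}|{tag}"


def exit_program(assertion, now=None, seen=None):
    """Server side: returns (allowed, local_profile); any doubt returns (False, None).

    `seen` is a set of assertions already accepted, used to refuse replays.
    """
    now = time.time() if now is None else now
    seen = set() if seen is None else seen
    parts = assertion.split("|")
    if len(parts) != 4:
        return (False, None)
    registry, identity, issued_at, tag = parts
    # Step 1: verify the foreign authentication result (integrity, freshness, replay).
    msg = f"{registry}|{identity}|{issued_at}".encode()
    expected = hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return (False, None)
    try:
        if abs(now - int(issued_at)) > MAX_SKEW_SECONDS:
            return (False, None)
    except ValueError:
        return (False, None)
    if assertion in seen:
        return (False, None)
    seen.add(assertion)
    # Step 2: map the foreign ID to the local profile the session should run under.
    profile = EIM_MAP.get((registry, identity))
    return (True, profile) if profile is not None else (False, None)
```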

jared <jhunter@xxxxxxxx.edu>
Sent by: midrange-l-bounces@xxxxxxxxxxxx
08/05/2004 02:24 PM
Please respond to Midrange Systems Technical Discussion

To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
cc:
Subject: Re: Replacing the AS400 signon manager?

> Others have responded more clearly than me.
>
> What "very strong authentication" may mean can differ from one to
> another.  For example, how would one stop and prompt for a retinal scan
> during the middle of a ftp session, versus during the middle of a 5250
> signon?

That's actually a lot closer to what I'm asking.  How can I start an
out-of-band authentication protocol with the client host (based on retinal
scans, or cryptographic certificates, or midi keyboards, whatever) and use
the result of that conversation to either allow or disallow signon?

And maybe I want to let the connection proceed, but under a different user
profile...is that possible?

-Jared



--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
