Create and Customize an IBM iSystem (AS/400) Template to use the new IBM iSeries (AS/400) Password Changer

The IBM iSeries (AS/400) Terminal password changer is based on the z/OS Mainframe password changer. It uses the 5250 terminal connection and scripting to perform the password change and heartbeat. You can modify the script for any advanced configuration requirements, and Delinea Professional Services is available to help you.

You can also change passwords on the AS/400 using SSH. See Creating a Custom Password Changer for IBM AS/400.

Create an AS/400 Secret Template

  1. Navigate to Admin > Secret Templates.

  2. On the Manage Secret Templates page, select the z/OS Mainframe template from the drop-down list.

  3. Click the Edit button.

  4. On the Secret Template Designer page, click the Copy Secret Template button.

  5. On the popup page, type IBM iSeries (AS400) in the Name text box.

  6. Click the OK button.

  7. On the confirmation page, click the Continue button.

Optional: on the Secret Template Designer page, you can deactivate the Passphrase field by clicking the deactivate icon to the right of the Passphrase row. Unlike the z/OS, the iSeries does not need an additional passphrase and will not have an option for it unless adjusted. Unless your environment specifically requires the passphrase text-entry field, we recommend deactivating it.

Modify Your AS/400 Secret Template to use the AS/400 Password Changer

  1. On the Secret Template Designer page, click the Configure Password Changing button.

  2. On the Secret Template Edit Password Changing page, click the Edit button. The page becomes editable.

  3. Next to Password Type to Use, click the drop-down list and select IBM iSeries Mainframe.

  4. Make required changes, if any, to the text boxes and lists.

  5. Click the Save button. The page is no longer editable.

  6. Click the Back button.

  7. On the Secret Template Designer page, create secrets based on the new template as desired.

Customize Your AS/400 Password Changer for Your Environment

For default IBM iSeries (AS/400) systems, the default password changer configuration requires no adjustment. However, additional parameters and connection string options are available.

  1. Navigate to Admin > Remote Password Changing.

  2. Click the Configure Password Changers button.

  3. On the Password Changer Configuration page, click the IBM iSeries Mainframe link.

  4. On the IBM iSeries Mainframe page, scroll to the bottom and click Edit.

  5. On the Edit Password Changer page, adjust ports and other parameters as desired.

  6. Click the Save button.

The trace function can be a powerful tool for troubleshooting and debugging, especially for complex RPC implementations in unique environments. The trace function logs emulator input, mainframe output, and ASCII screenshots of what is happening on the terminal GUI. To write a trace file to the Secret Server website or engine, just add TRACE to the connection string. If using the model option, this needs to be an integer, for example, model=4.
It is important to delete trace files after debugging—they could contain sensitive data.

Additional Functions, Adjustments, and Parameters

For unique IBM iSeries environments, the IBM iSeries password changer offers extra features, options, adjustments and parameters for customization, including the commands in the table below. To implement these commands successfully, it helps to keep in mind that the password changer is emulating user input. Some of these commands are designed for very fine emulations of unique IBM iSeries environments, and Delinea Professional Services can help you with these. Other commands are implemented and tested on a base environment, so before implementing them in a production environment, you should verify that they are working as expected through testing or by using the trace function.

The commands below are followed by an <ENTER> command by default. To prevent this, you must add ##NOENTER in the comment of the previous command.

Table: Secret Template Commands

| Command | Action | Description or Example |
|---|---|---|
| <Backtab> | Tab to the previous input field. | |
| <Clear> | Clear the screen. | Mostly used for trace. |
| <Close> | End the session to the mainframe. | |
| <Delete> | Delete a character under the cursor; can be used with <MoveCursor(#, #)> | |
| <DeleteField> | Delete the entire text input or field. | |
| <DeleteWord> | Delete the current word if available, otherwise delete the previous word. | |
| <Disconnect> | Disconnect the password changer's connection to the mainframe. | |
| <Down> | Move cursor down. | |
| <Enter> | Send the Enter key press command. | |
| <Erase> | Erase previous character on a selected text input. | <Erase> |
| <EraseEOF> | Erase end-of-field of current text input. | <EraseEOF> |
| <Execute( )> | Execute commands in shell. | <Execute(USRMGR)> |
| <HexString( # )> | Insert a control character in a text field or string. | <HexString(41)> |
| <Key( # )> | Execute named iSeries keys. | Execute unique keys via hex, character code, or key symbol. |
| <Left> | Move cursor left. | |
| <PF( # )> | Execute program function. | Program function keys 1 to 24 |
| <PA( # )> | Execute program attention. | Program attention functions 1 to 3 |
| <MoveCursor(#, #)> | Move the cursor by row and column. | <MoveCursor(10,2)> |
| <Right> | Move cursor right. | |
| <Tab> | Tab to the next line. | |

IBM iSeries Mainframe

Usernames and passwords can run into length issues during remote password changing and heartbeat. The issue stems from the behavior in the client; when a user logs in and enters a username of 10 characters, the client will auto-tab to the next field (the password field). The heartbeat and remote password changing process automatically inserts this tab, which can cause improper behavior in the headless client when the username or password is 10 characters.

This can be avoided by setting three properties on the Custom Commands for the IBM iSeries Mainframe password changer:

  • Username Length Before AutoTab on Login
  • Password Length Before AutoTab, Password Change
  • New Password Length Before AutoTab, Password Change

Go to Remote Password Changing > Configure Password Changers > IBM iSeries Mainframe.

Typically, the console will auto-tab after 10 characters. If your environment behaves differently, note in the console how many characters are entered until auto-tab to the next field occurs, and enter that number into the proper field.
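
The double-tab problem described above can be reproduced in a small model. The following is an added example, not Secret Server or IBM code: the `SignOnScreen` class, the `login_keys` and `simulate` helpers, and the account values are hypothetical, and it assumes that setting the username length property makes the changer skip its own Tab when the field is already full.

```python
# Simplified model of a sign-on screen with console auto-tab.
# Added illustration; not Secret Server or IBM code. Sample values are constructed.
TAB, ENTER = "<Tab>", "<Enter>"

class SignOnScreen:
    """Two input fields; the cursor jumps to the next field when one is full."""

    def __init__(self, autotab_len=10):
        self.autotab_len = autotab_len
        self.order = ["user", "password"]
        self.fields = {name: "" for name in self.order}
        self.cursor, self.pos, self.submitted = 0, 0, None

    def _advance(self):
        self.cursor = (self.cursor + 1) % len(self.order)
        self.pos = 0  # typing in a revisited field overwrites from its start

    def send(self, keys):
        for key in keys:
            if key == TAB:
                self._advance()
            elif key == ENTER:
                self.submitted = dict(self.fields)
            else:
                name = self.order[self.cursor]
                text = self.fields[name]
                self.fields[name] = text[:self.pos] + key + text[self.pos + 1:]
                self.pos += 1
                if self.pos >= self.autotab_len:
                    self._advance()  # console auto-tab
        return self.submitted

def login_keys(user, password, user_autotab_len=None):
    """Keystrokes for a login. user_autotab_len stands in for the
    'Username Length Before AutoTab on Login' property (None = unset)."""
    keys = list(user)
    # Assumption: once the property is set, no Tab is sent for a full field.
    if user_autotab_len is None or len(user) < user_autotab_len:
        keys.append(TAB)
    return keys + list(password) + [ENTER]

def simulate(user, password, user_autotab_len=None, console_autotab_len=10):
    screen = SignOnScreen(console_autotab_len)
    return screen.send(login_keys(user, password, user_autotab_len))

if __name__ == "__main__":
    print(simulate("SVCACCT001", "Xy7pass"))                       # double tab
    print(simulate("SVCACCT001", "Xy7pass", user_autotab_len=10))  # corrected
```

In the first run the password characters overwrite the visible user field and the password field is submitted empty; with the length set to the console's auto-tab point, both fields arrive intact.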