Volume 10, Number 22 -- July 21, 2010

Admin Alert: The Poor Manager's 5250 Single Sign-On

Published: July 21, 2010

by Joe Hertvik

Properly implemented, single sign-on (SSO) is a blessing for i/OS shops. With it, users log on to their desktops once and then access all their servers without entering several different passwords. But it's always been problematic enabling SSO for Power i machines, causing some administrators to skip the process all together. This week, I'll present a workaround for making PC5250 sessions act like single sign-on participants without configuring SSO.

Same as Single Sign-On, Only Different

In earlier articles, I outlined how to set up an i/OS system for single sign-on. (See Related Stories below.) A true SSO environment provides access control to multiple related (but independent) software systems using a single password. Under SSO, a user logs in once to their desktop and then gains access to all the systems on their network (including their iSeries, System i, and Power i machines). Because sign-on credentials can be different for different servers, SSO also has a mechanism for translating desktop user names into corresponding user IDs on other servers, allowing the user to sign on to each server in the network, regardless of whether the user names and passwords are the same.

However, SSO can be difficult to implement on i/OS machines. In a Windows environment, it requires implementing a Kerberos server, modifying your Windows Active Directory environments, and setting up and maintaining an Enterprise Identity Mapping (EIM) server. SSO can also be overkill in a medium-sized i/OS environment where the organization may only want to eliminate PC5250 password entry without having to support a larger infrastructure.

Enter the Poor Manager's PC5250 Single Sign-On (PMPSSO). With this technique, you can get many of the benefits of implementing SSO for PC5250 without incurring the costs of maintaining an SSO infrastructure. The downsides of implementing the technique are: a) it only works for enabling PC5250 for SSO (it doesn't work with any other i/OS connectivity technique); b) you must use iSeries Access for Windows; and c) your user's Windows passwords must be the same as their i/OS passwords.

How It Works

The Poor Manager's PC5250 SSO consists of the following components.

  • Changing the PC5250 user ID signon information to always use Windows user name and password, no prompting as its default value when signing on to the designated iSeries, System i, or Power i machine.
  • Setting up your PC5250 session to enable the bypass signon feature.
  • Changing the i/OS remote sign-on control system value (QRMTSIGN) to allow i/OS to accept the user ID and password of the remote system as credentials for signing on to the system.

Now let's look at how it all fits together.

Client Access Setup

Client Access setup is easy and similar to what you use to set up most PC5250 sessions. You set up the following parameters in your PC5250 configuration to enable PMPSS0 for this user session.

First, click on Communication, Configure from the PC5250 menu bar. This will bring up the Configure PC5250 screen. Click the Properties button on this screen and the PC5250 Connection screen will appear as shown below. Change the User ID signon information value to Use Windows user name and password, no prompting, if it isn't already set to that option. Your screen will now look like this.

Click the OK button after you make the change. This will take you back to the Configure PC5250 screen. On this screen, check the Bypass signon check box. Your screen should now look like this.

Together, these two settings enable PMPSSO on your Windows desktop.

i/OS Configuration

The entire Poor Manager's PC5250 SSO setup hinges on changing one i/OS system value: Remote sign-on control (QRMTSIGN). QRMTSIGN tells i/OS what to do when a client wants to sign on remotely. It is used to control whether or not a user sees an i/OS sign-on screen when he's connecting to the system by using any of these methods:

  • A pass-through session started on another i/OS partition by using the Start Pass-Through (STRPASTHR) command.
  • Starting a PC5250 session by using the Display Emulator feature in iSeries Navigator.
  • Starting a TELNET session with the partition by using PC5250 or another emulation program.

By default, QRMTSIGN is set to Forced Signon (*FRSIGNON), which means that all remote sign-on sessions must go through normal sign-on processing. However, if you change QRMTSIGN to Same Profile (*SAMEPRF) or Verify (*VERIFY), i/OS allows the user to bypass the sign-on display and automatically log onto the system. You can view and change your QRMTSIGN value by running Work with System Values (WRKSYSVAL) command for QRMTSIGN and then placing a 2=Change in front of the QRMTSIGN entry and pressing enter.


This will give you a screen that looks like this.

If you change the Remote sign-on control parameter from *FRCSIGNON to *SAMEPRF, i/OS will check the passed-in Windows user ID and password for your PC5250 clients who are configured correctly. If their credentials match a corresponding user ID and password inside i/OS, the user will be automatically signed on to their PC5250 green-screen session. If the credentials do not match, the user will be presented with a sign-on screen. If after signing in, the unmatched user changes their password so that the user ID and password now match their signed-on Windows credentials, they will be able to automatically sign in on their next try.

See, I told you it was easy.

The Downsides

The biggest downside to this technique is that you have now opened up i/OS green-screen access to anyone who sits down at a PMPSSO-enabled desktop. Your users will no longer have to sign in to get access to your production data, which may also include financial data. If your users leave their desk without locking their Windows desktop, other users can sit down at the open desk and automatically sign on. You can mitigate that risk somewhat if your organization requires users to automatically lock their desktops after so many minutes of inactivity. With a self-locking desktop, you reduce the risk of unauthorized sign-on.

It's also worth considering that many users have a PC5250 session open all day. If a user leaves their desktop with a connected PC5250 session signed on, it's exactly the same risk as if another user clicks on a PMPSSO-enabled session and signs on automatically. The end result is the same: an unnamed user is getting into i/OS data using another person's profile. A wise administrator should plan for either eventuality and configure their desktop protection to provide as little unauthorized usage as possible.

In this non-password environment, you may also want to consider the following items:

  • Research carefully if your systems are reachable by Telnet directly on the Internet, as this scenario can make your iSeries, System i, or Power i system more vulnerable. This technique works best in a closed network where your system is not exposed to the outside world.
  • If you enable automatic sign-on, you may want to restrict where security officer-enabled users can sign on by using the Limit security officer device access system value (QLMTSECOFR). Activating QLMTSECOFR restricts security officer users from logging onto any device that they are not explicitly authorized to use. For more information on using QLMTSECOFR, see this article on limiting security officer telnet access.


Editor's Note: The stories linked below were written in 2005, so the material may be a little dated. Use these references as a starting point for other i/OS SSO research

Admin Alert: Configuring an i5/OS-based EIM Table for Single Sign-On

Admin Alert: Configuring i5/OS and a Windows Network Server for SSO

Admin Alert: Getting Ready for Single Sign-On

Admin Alert: Limiting the Long Reach of OS/400 Security Officers

                     Post this story to del.icio.us
               Post this story to Digg
    Post this story to Slashdot

Sponsored By

Automate AP Workflow and Go Paperless

With WebDocs you can electronically store, manage
and distribute all of your critical business information.

Think of WebDocs as an electronic filing cabinet that allows you
to securely access and share information from anywhere at anytime.

Visit us at www.rjssoftware.com
or call us at 1-888-RJS-SOFT for a free 30-day demo.

Senior Technical Editor: Ted Holt
Technical Editor: Joe Hertvik
Contributing Technical Editors: Erwin Earley, Brian Kelly, Michael Sansoterra
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Contact the Editors: To contact anyone on the IT Jungle Team
Go to our contacts page and send us a message.

Sponsored Links

Help/Systems:  Drive your enterprise with event-driven scheduling. FREE white paper!
PowerTech:  FREE Webinar! An Auditor's View: Assess Your IBM i in 15 Minutes. July 28, 10 a.m. CT
COMMON:  Join us at the Fall 2010 Conference & Expo, Oct. 4 - 6, in San Antonio, Texas


IT Jungle Store Top Book Picks

Easy Steps to Internet Programming for AS/400, iSeries, and System i: List Price, $49.95
The iSeries Express Web Implementer's Guide: List Price, $49.95
The System i RPG & RPG IV Tutorial and Lab Exercises: List Price, $59.95
The System i Pocket RPG & RPG IV Guide: List Price, $69.95
The iSeries Pocket Database Guide: List Price, $59.00
The iSeries Pocket SQL Guide: List Price, $59.00
The iSeries Pocket Query Guide: List Price, $49.00
The iSeries Pocket WebFacing Primer: List Price, $39.00
Migrating to WebSphere Express for iSeries: List Price, $49.00
Getting Started With WebSphere Development Studio Client for iSeries: List Price, $89.00
Getting Started with WebSphere Express for iSeries: List Price, $49.00
Can the AS/400 Survive IBM?: List Price, $49.00
Chip Wars: List Price, $29.95

The Four Hundred
The Rest of the Power7 Lineup Is Coming August 17

Microsoft Azure: An AS/400 for Private and Public Clouds

Increase in IT Jobs Led by Contract Worker Demands

Mad Dog 21/21: Smart Cube Is IBM's Half-AS Imitation of Apple

QlikTech Soars in IPO

Four Hundred Stuff
'Birst'-ing Onto the Cloud-BI Scene

inFORM Introduces High Speed Batch Scanning

RTC Partners with Manthan to Sell BI to Retailers

10ZiG Welcomes WES 7 as New Thin Client OS

New GXS Analytics App to Live on Microsoft's Azure Cloud

Four Hundred Monitor
Four Hundred Monitor's
Full iSeries Events Calendar

System i PTF Guide
July 10, 2010: Volume 12, Number 28

July 3, 2010: Volume 12, Number 27

June 26, 2010: Volume 12, Number 26

June 19, 2010: Volume 12, Number 25

June 12, 2010: Volume 12, Number 24

June 5, 2010: Volume 12, Number 23

TPM at The Register
IBM zEnterprise 196 mainframe due July 22

RNA rejiggers server memory pooling

HP, Red Hat chase Solaris shops

NASA and Rackspace open source cloud fluffer

Dell proposes settlement with SEC

AMD sales up but ink still red

Ellison loses bid for US basketball franchise

So long then, Windows 2000

Dell OEMs server management from Microsoft

Neon Software sells cut-down zPrime for IMS

IDC: Second quarter PC sales hit the bull's eye

Top Solaris developer flees Oracle


WorksRight Software
System i Developer
RJS Software Systems

Printer Friendly Version

AAA Secures IBM i Server

It's My (De)fault That You're a Zero

Admin Alert: The Poor Manager's 5250 Single Sign-On

Four Hundred Guru


Subscription Information:
You can unsubscribe, change your email address, or sign up for any of IT Jungle's free e-newsletters through our Web site at http://www.itjungle.com/sub/subscribe.html.

Copyright © 1996-2010 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034

Privacy Statement