In V7R5 OS, there was a change to address this issue for JDBC / ACS connections.
===
Ref: https://www.ibm.com/docs/en/i/7.5?topic=changes-system-security
- Interfaces that authenticate a user profile and password now send one message or return code for user profile not found and password not correct.
- For example, green screen sign on will send CPF1120 for user does not exist and password not correct. CPF1107 for password not correct will no longer be sent.
- Change User Password (QSYCHGPW), Get Profile Handle (QSYGETPH, QsyGetProfileHandle), Generate Profile Token (QSYGENPT), and Generate Profile Token Extended (QsyGenPrfTknE) APIs now send CPF22E2 for user profile not found and password not correct.
CPF9801 or CPF2204 will no longer be sent when both the user ID and password are specified (special value for password not specified).
IBM Power Systems Development
IBM is continuing to work towards a solution for a single error message when either the user profile or password is incorrect.
The CEAC has reviewed this requirement and recommends that IBM view this as a MEDIUM priority requirement that should be addressed.
Background: The COMMON Europe Advisory Council (CEAC) members have a broad range of experience in working with small and medium-sized IBM i customers. CEAC has a crucial role in working with IBM i development to help assess the value and impact of individual RFEs on the broader IBM i community and has therefore reviewed your RFE.
To find out how CEAC help to shape the future of IBM i, see CEAC @ ibm.biz/BdYSYj and the article "The Five Hottest IBM i RFEs Of The Quarter" at ibm.biz/BdYSZT
Therese Eaton – CEAC Program Manager, IBM
Greetings one and all,
As a workaround, you can use the CHGMSGD command to change the message you get to be something more generic
For example, issuing the following command would change the "CPF1107 - Password not correct for user profile" message to 'Invalid sign on attempt'
CHGMSGD MSGID(CPF1107) MSGF(QCPFMSG) MSG('Invalid sign on attempt')
You should also consider using this method to "anonymise" the following messages, that way you will get the exact same text regardless of the reason.
CPF1108 USRPRF &1 not found for JOBD &2 in &3.
CPF1109 Not authorized to subsystem.
CPF1110 Not authorized to work station.
CPF1116 Next not valid sign-on attempt varies off
CPF1117 User &1 not accessible.
CPF1118 No password associated with user &1
CPF1120 - User &1 does not exist.
CPF1392 Next not valid sign-on disables user profile
CPF1393 User profile &2 has been disabled.
CPF1394 User profile &1 cannot sign on.
CPIAD06 - Invalid sign on attempt made.
You will need to do this every time you upgrade your operating system, but the change does not require any downtime and takes effect immediately.
Just as an FYI I believe there is a TAATOOL create called CHGSGNERRT
e.g. CHGSGNERRT ERRTXT('Invalid signon.')
My understanding is that this tool does something similar but just for messages CPF1107 and CPF1120
Hope this helps,
Steve Bradshaw
IBM Champion and CEAC Member
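Because the workaround above has to be reapplied after every operating system upgrade, a post-upgrade check is useful. The following is an added example, not part of the original post and not IBM code: it audits a plain-text export of the sign-on message texts and reports every message that would still reveal why a sign-on failed. The export layout ("MSGID text" per line), the function names and the sample listing are assumptions made for illustration; only the message IDs and the two shipped texts come from this page.

```python
import re

# Message IDs named in the post above; everything else here is constructed.
SIGNON_MSGIDS = ("CPF1107 CPF1108 CPF1109 CPF1110 CPF1116 CPF1117 "
                 "CPF1118 CPF1120 CPF1392 CPF1393 CPF1394 CPIAD06").split()

# "MSGID text" or "MSGID - text", the two layouts used in the post.
LINE_RE = re.compile(r"^\s*([A-Z]{3}[0-9A-F]{4})(?:\s+(?:-\s+)?(\S.*?))?\s*$")

def parse_listing(listing):
    """Map each message ID in the listing to its first-level text."""
    found = {}
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2) or ""
    return found

def audit(listing, generic_text, msgids=SIGNON_MSGIDS):
    """Return {msgid: reason} for messages that still reveal the failure cause."""
    found = parse_listing(listing)
    problems = {}
    for msgid in msgids:
        text = found.get(msgid)
        if text is None:
            problems[msgid] = "not in listing"
        elif re.search(r"&\d+", text):
            problems[msgid] = "substitution variable present"
        elif text != generic_text:
            problems[msgid] = "text differs"
    return problems

# Constructed listing: state after an upgrade restored two shipped texts,
# with CPIAD06 left out of the export.
SAMPLE = """\
CPF1107 - Password not correct for user profile
CPF1108 Invalid sign on attempt
CPF1109 Invalid sign on attempt
CPF1110 Invalid sign on attempt
CPF1116 Invalid sign on attempt
CPF1117 Invalid sign on attempt
CPF1118 Invalid sign on attempt
CPF1120 - User &1 does not exist.
CPF1392 Invalid sign on attempt
CPF1393 Invalid sign on attempt
CPF1394 Invalid sign on attempt
"""

if __name__ == "__main__":
    for msgid, reason in audit(SAMPLE, "Invalid sign on attempt").items():
        print(msgid, reason)
```

An empty result means every listed message carries the same generic text; any entry names a message whose CHGMSGD change needs to be reapplied or checked.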
The CAAC has reviewed this requirement and recommends that IBM view this as a high priority requirement that is important to be addressed. This is a security issue that should be addressed. The message is too specific about the user -- IBM should fix that. Allowing the customer to change the message themselves is a bad idea since a malicious user could change it to whatever they want ...
IBM agrees with the request and intends to provide a solution in a future release. These plans may change and no commitment is made that a solution will be provided.
Due to processing by IBM, this request was reassigned to have the following updated attributes:
Brand - Servers and Systems Software
Product family - Power Systems
Product - IBM i
Component - Work Management and Messaging
Operating system - IBM i
Source - None
For record keeping, the previous attributes were:
Brand - Servers and Systems Software
Product family - Power Systems
Product - IBM i
Component - iAccess
Operating system - IBM i
Source - None
Attachment (Use case): This was the document as attached to the PMR.