Pre-Verify User ID Exit

The Pre-Verify User ID Exit (PVUIDXT) may be used with Already Verified Processing to customize a trusted node security scheme. This exit matches a user ID with the connecting partner nodes identified by the following:

Communications Protocol    Partner Communications Identifier
-----------------------    --------------------------------------------------------------------
TCP/IP                     The network ID (an alphanumeric representation of the IP address).

This exit allows or disallows connection to a WebFOCUS Reporting Server and may replace the input user ID with an appropriate user ID for the host security subsystem. It may also provide a password to be included in the verification procedure.

For example, a Windows client accesses z/OS data through a UNIX Hub server. With this configuration, the user ID and password can be verified on the UNIX Hub server, and a secure connection can be passed on to z/OS. This configuration uses Already Verified Processing, providing trusted node security.

The remainder of these topics provides an overview of how a configuration can be set up with a Hub server installed as a trusted node. If this exit is not installed, no connections are rejected based on the partner communications ID.

Syntax: How to Use PVUIDXT Calling Sequences

To allow further validation of a user ID and a router address, the exit is called with the following sequence:

/*  pvuidxt( pPartner_Logical_Name, pPartner_Communications_ID, */
/*           pUserid, pPassword, pRC ) ;                        */
/*                                                              */
    void pvuidxt( char *, char *, char *, char *, long * ) ;

where:

pPartner_Logical_Name

Points to the string containing the connecting partner's entity_name.

pPartner_Communications_ID

Points to the string containing the communication ID for TCP/IP (the IP address). This is a variable length alphanumeric string. This value is not supplied for SNA connections.

pUserid

Points to an area containing the user ID provided by the client application. It is passed in uppercase. If the user exit replaces the incoming user ID, it must not use a length greater than or equal to the input string length.

pPassword

Points to an area, 8 bytes in length, into which the user exit can place a password associated with the incoming user ID from the specified partner node. If this password field contains a password to be used at the time of verification, pRC must be set equal to 1 (TRUSTED_EXIT_SUCCESS_USE_PSW).

pRC

Is the return code from the exit. Possible values are:

0 indicates the user ID/entity name combination has been validated and the user ID will be checked against your system security package.

1 indicates the user ID and password will be verified.

-1 indicates the validation check has failed and the user will be disconnected.

Syntax: How to Apply Long Sequences

The trustos routine is called before PVUIDXT and determines whether the client operating system security is accepted by the server security system.

long trustos( unsigned char ) ;

where:

trustos

Returns a value of zero or one. The default returned by z/OS, VM, and UNIX is one. All other platforms or operating systems return zero. A user who wants a different result will need to write a trustos routine.

0 indicates that the client operating system security is unacceptable.

1 indicates that the client operating system security is acceptable.

unsigned char

Is the already verified code for client applications.

0 indicates that no already verified code is available.

1 indicates that the z/OS client is already verified.

2 indicates that the OpenVMS client is already verified.

3 indicates that the UNIX client is already verified.

4 indicates that the VM client is already verified.

5 indicates that the Windows client is already verified.

Note: Your system administration staff can create their own conventions for other known security packages.
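The following is an added example, written for this page and not taken from the product or its sample directory, that implements both routines described above: a trustos that accepts only the client operating systems the text lists as trusted by default, and a pvuidxt with the documented five-argument calling sequence that checks the partner entity name and TCP/IP communications ID against a fixed allowlist of trusted nodes, substitutes a host user ID (respecting the rule that a replacement must be shorter than the incoming ID), optionally supplies a password and sets pRC to 1, and otherwise returns -1. Everything not stated on the page is an assumption: the TRUSTED_EXIT_FAILURE/TRUSTED_EXIT_SUCCESS names, the AV_* names for the already verified codes, the node table and its values, that the 8-byte password area is space padded, that a replaced user ID area is NUL padded, and that both the entity name and the IP must match before a node is trusted.

```c
#include <stdio.h>
#include <string.h>

/* pRC values documented for the exit. Only TRUSTED_EXIT_SUCCESS_USE_PSW
 * is named on the page; the other two names are assumptions. */
#define TRUSTED_EXIT_FAILURE          (-1L)
#define TRUSTED_EXIT_SUCCESS          (0L)
#define TRUSTED_EXIT_SUCCESS_USE_PSW  (1L)

/* Already verified codes passed to trustos (values from the list above,
 * names assumed). */
#define AV_NONE     0
#define AV_ZOS      1
#define AV_OPENVMS  2
#define AV_UNIX     3
#define AV_VM       4
#define AV_WINDOWS  5

#define PVUIDXT_PASSWORD_LEN 8   /* size of the area pPassword points to */

/* One trusted partner node: the entity name and TCP/IP communications ID
 * the server must see, the host user ID to substitute, and an optional
 * password to hand to verification. All values are constructed. */
struct trusted_node {
    const char *entity_name;
    const char *comm_id;
    const char *host_user;   /* NULL keeps the incoming user ID */
    const char *host_pass;   /* NULL: verify without a password (pRC = 0) */
};

static const struct trusted_node TRUSTED_NODES[] = {
    { "HUBSRV1", "10.0.0.5", NULL,     NULL      },
    { "HUBSRV2", "10.0.0.6", "HUBSVC", "secret8" },
};

/* trustos: accept the client operating systems the text lists as trusted
 * by default (z/OS, VM, UNIX). Everything else, including "no already
 * verified code", is rejected before PVUIDXT is ever called. */
long trustos(unsigned char av_code)
{
    switch (av_code) {
    case AV_ZOS:
    case AV_VM:
    case AV_UNIX:
        return 1L;
    default:
        return 0L;
    }
}

void pvuidxt(char *pPartner_Logical_Name, char *pPartner_Communications_ID,
             char *pUserid, char *pPassword, long *pRC)
{
    size_t in_len = strlen(pUserid);   /* length of the incoming user ID */
    size_t i;

    /* Fail closed: every path that does not explicitly accept disconnects. */
    *pRC = TRUSTED_EXIT_FAILURE;

    /* The communications ID is supplied only for TCP/IP; without it the
     * partner cannot be matched against the allowlist. */
    if (pPartner_Logical_Name == NULL || pPartner_Communications_ID == NULL ||
        *pPartner_Communications_ID == '\0')
        return;

    for (i = 0; i < sizeof(TRUSTED_NODES) / sizeof(TRUSTED_NODES[0]); i++) {
        const struct trusted_node *n = &TRUSTED_NODES[i];

        /* Assumption: both the entity name and the IP must match; an IP
         * on its own is weak evidence of which node is connecting. */
        if (strcmp(n->entity_name, pPartner_Logical_Name) != 0 ||
            strcmp(n->comm_id, pPartner_Communications_ID) != 0)
            continue;

        if (n->host_user != NULL) {
            /* Documented constraint: a replacement user ID must be shorter
             * than the incoming one. If the mapping cannot be applied,
             * reject rather than let the unmapped ID through. */
            if (strlen(n->host_user) >= in_len)
                return;
            memset(pUserid, '\0', in_len);   /* assumption: NUL-pad the area */
            memcpy(pUserid, n->host_user, strlen(n->host_user));
        }

        if (n->host_pass != NULL) {
            /* Assumption: the 8-byte area is space padded, not NUL terminated. */
            size_t plen = strlen(n->host_pass);
            if (plen > PVUIDXT_PASSWORD_LEN)
                plen = PVUIDXT_PASSWORD_LEN;
            memset(pPassword, ' ', PVUIDXT_PASSWORD_LEN);
            memcpy(pPassword, n->host_pass, plen);
            *pRC = TRUSTED_EXIT_SUCCESS_USE_PSW;
        } else {
            *pRC = TRUSTED_EXIT_SUCCESS;
        }
        return;
    }
    /* No node matched: *pRC remains TRUSTED_EXIT_FAILURE. */
}
```

A caller that wants the password path, as in the HUBSRV2 entry, must pass an area of at least 8 bytes for pPassword, because the exit overwrites all of it; the entry without a password leaves both the user ID and the password area untouched and lets the host security package verify the user ID as documented for pRC = 0.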

For UNIX, a sample PVUIDXT logon is located in $EDAHOME/etc/.

For Windows, a sample PVUIDXT logon is located in $EDAHOME\etc\.

For z/OS, a template for the PVUIDXT logon is located in qualif.EDACTL.DATA(PVUIDXTA).

For more information about PVUIDXT, see your Server documentation.



Example: Using the PVUIDXT Exit

The following example authenticates users against an LDAP repository.

Compiling and using this exit follows the standard method for user subroutines, which is gencpgm on most platforms. Next, copy the exit to the user directory of EDACONF, or set the environment variable IBICPG to the name of the actual working directory. For more information, see the Stored Procedures Reference manual.

/**********************************************************************/
/*                                                                    */
/* Program ID: pvuidxt.c                                              */
/*                                                                    */
/*        This code is sample code, provided as-is.                   */
/*        No warranties are made as to its correctness or             */
/*        suitability for any purpose.                                */
/*                                                                    */
/* Brief Desc: Sample LDAP WebFOCUS Reporting Server security plug-in */
/*                                                                    */
/* Note: this sample takes a t_pvucb control block (declared in       */
/* pvuidxt.h) as its last argument and sets ppvucb->rc, rather than   */
/* the long *pRC shown in the calling sequence above.                 */
/*                                                                    */
/**********************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <errno.h>
#include "pvuidxt.h"
#include "ldap.h"
#define MY_HOST "localhost"
#define MY_PORT 389
#define MY_SEARCHBASE "ou=Users, o=ibi.com"
#define MY_FILTER "uid="
int authenticate(char *, char *);
 
void
#ifdef WIN32
 __declspec( dllexport )
#endif
 pvuidxt(
               char     *lpid   /* entity - reserved */
              ,char     *cmpid  /* partner comm id . null terminated */
              ,char     *uid    /* n byte user id */
              ,char     *pwd    /* n byte clear password */
              ,t_pvucb *ppvucb) /* Control Block */
{
    char        *pszUser,
                *pszPass=NULL,
                sep[]=", \n\r\0",
                szUserID[FULLENGTH_USERID_MAXLEN+1],
                szPassWD[FULLENGTH_PASSWD_MAXLEN+1];
    int         rcLdap;
    /* ------------------------------------------------- */
    /* Set default return code to Failure, reset on OK   */
    /* ------------------------------------------------- */
    ppvucb->rc = PVUIDXT_FAILURE;
 
    /* ------------------------------------------------- */
    /* Copy userid and password into NUL-terminated      */
    /* buffers and strip trailing blanks/CR/LF, as       */
    /* needed for system function calls. strtok returns  */
    /* NULL when the field is empty or all blanks.       */
    /* ------------------------------------------------- */
    memset(szUserID,'\0',FULLENGTH_USERID_MAXLEN+1); /* clear buffer */
    strncpy(szUserID,uid,FULLENGTH_USERID_MAXLEN);
    pszUser=strtok(szUserID,sep);
    memset(szPassWD,'\0',FULLENGTH_PASSWD_MAXLEN+1); /* clear buffer */
    strncpy(szPassWD,pwd,FULLENGTH_PASSWD_MAXLEN);
    pszPass=strtok(szPassWD,sep);
 
    /* ------------------------------------------------- */
    /* Reject an empty user ID or password here: an LDAP */
    /* simple bind with an empty password is an          */
    /* anonymous bind and succeeds on most directories,  */
    /* which would admit anyone who knows a valid uid.   */
    /* ------------------------------------------------- */
    if(pszUser==NULL || pszPass==NULL || *pszPass=='\0')
    {
        ppvucb->rc=PVUIDXT_FAILURE;
        return;
    }
 
    /* ------------------------------------------------- */
    /* Authenticate User                                 */
    /* ------------------------------------------------- */
    rcLdap=authenticate(pszUser,pszPass);
 
    if(rcLdap==0)
        ppvucb->rc=PVUIDXT_SUCCESS;
    else
        ppvucb->rc=PVUIDXT_FAILURE;
 
    memset(szPassWD,'\0',sizeof(szPassWD)); /* do not leave the clear password behind */
}
 
/*
 *************************************************************************
 *
 * authenticate: is a support routine used to authenticate a user against
 * an LDAP repository. It returns 0 on success and a nonzero LDAP result
 * code (or -1 if no LDAP handle could be obtained) on failure.
 *
 *************************************************************************
 */
 
int authenticate(char *userid, char *passwd)
{
    LDAP            *ld;
    char            qdn[128];
    int             rc;
    const char      *p;
 
    /* ------------------------------------------------- */
    /* The user ID is spliced into a distinguished name, */
    /* so allow only characters that cannot change the   */
    /* DN's structure; DN special characters such as     */
    /* ',', '+', '=', '\\', '<', '>' and ';' are refused. */
    /* ------------------------------------------------- */
    for (p=userid; *p; p++)
        if (!isalnum((unsigned char)*p) && *p!='.' && *p!='_' && *p!='-')
            return LDAP_INVALID_DN_SYNTAX;
 
    if ((ld=ldap_init(MY_HOST,MY_PORT))==NULL)
        return -1;  /* no handle: ldap_get_errno(ld) must not be called on NULL */
 
    /* snprintf rather than sprintf so a long user ID cannot overrun qdn */
    if (snprintf(qdn,sizeof(qdn),"%s%s,%s",MY_FILTER,userid,MY_SEARCHBASE)
            >= (int)sizeof(qdn))
    {
        ldap_unbind(ld);
        return LDAP_INVALID_DN_SYNTAX;
    }
 
    rc=ldap_simple_bind_s(ld,qdn,passwd);
    if ( rc != LDAP_SUCCESS )
    {
        ldap_unbind(ld);    /* release the handle on the failure path as well */
        return rc;          /* nonzero LDAP result code from the bind */
    }
 
    ldap_unbind(ld);
 
    return(0);
}