By Rich Loeber
The classic IBM i signon screen has been around since forever. I first saw it in 1988 when I took delivery of my first AS/400 system, a lowly B10. In the old days, the appearance of the signon screen made no difference since the system was a closed system. With the advent of networks, this situation changed dramatically.
Today, all IBM i systems are networked and users connect via that network connection. The signon screen is projected to terminal emulation software throughout the network and even over the Internet for users that are accessing the system from remote locations. Because of this, the signon screen standard context can be easily recognized by people with malicious intent and scrubbed (sniffed) for user id and password information.
Granted, for many users, this information is encrypted. But, with the proliferation of open access protocols, there are many emulators that do not encrypt this information. Examples of this are hand-held devices (tablets and phones) and the Telnet capabilities of Windows platforms. For my own system, I access it when traveling via my Android smartphone and no encryption is taking place.
A second reason is that the classic signon screen presents a field that could provide a saavy user with a way to bypass your intended signon process sequence. Next time you sign on using this screen, just type QCMD in the “Program/procedure” field and you will get a demonstration of what I mean.
For these reasons, it is probably a good idea to design your own signon screen so you change the standard terminology used to identify the User and Password fields and disallowing the “Program/procedure” field. Making the change is fairly easy, but you need to be careful and you need to test your new screen before rolling it out for general use.
IBM ships the source code for the standard signon screen in a source physical file named QAWTSSRC in library QSYS. In this source file, you will find two sets of code for the two possible standard screens on your system, QDSIGNON and QDSIGNON2. The first is used when you have standard 10 character passwords configured and the latter is used when you have set your system up for long (128 character) passwords/pass-phrases. I recommend that you move the source that you want to use into a separate library, thereby preserving the original source in case you get in trouble.
Once you have the source moved into your own library, you can then use Screen Design Aid (SDA, PDM option #17) to make your changes. When working on your screen, make sure that you observe the following:
- Do not delete any of the input capable fields that are on the signon screen.
- Do not change the sequence of any of the input capable fields. You can move them around on the screen, but keep their sequence in tact.
- Do not change the characteristics, especially field lengths, for any of the input capable fields.
- Do not attempt to use any DDS HELP capabilities for the signon screen.
Since one objective is to change the reference to “User” and “Password”, pick out suitable replacements for these and make sure to change the text for those areas. I would suggest alternatives here, but that could just start a new default standard which would defeat the objective of this tip.
The second objective can be accomplished by removing the text field for the “Program/procedure” field and then changing the PROGRAM field so that it is non-display. This will keep the integrity of the signon screen while preventing this field from being used.
When you are all done, compile the screen into a library other than QSYS. To implement the new screen, you will need to update the subsystem description. You can use the Change Subsystem Description (CHGSBSD) command; press the F10 key to display all parameters and you’ll find one that controls the signon screen in use. Test your new screen in the QPGMR subsystem to make sure it works as desired before rolling it out to QINTER and other production subsystems. I strongly recommend that you NOT use an alternate signon screen for your system console which is typically associated with the QCTL subsystem.
If you have any questions about this topic, you can reach me at rich at kisco.com, I’ll give it my best shot. All email messages will be answered.