Kisco Systems

Kisco U

Custom password validation on IBM i

Your organization's password policy might exceed the capabilities of the IBM i OS. For example, you might want to exclude any passwords found on a "common passwords" list. Or maybe you want to only enforce strict password rules for certain sensitive users. In cases like this you will need to run your own password validation program.

To do this, update the system value "Password validation program" (QPWDVLDPGM). The default value is *NONE.

How you set it depends on your password settings.

If you're using long passwords:

Set QPWDVLDPGM to *REGFAC then use WRKREGINF to register an exit point for password validation.

Reference the IBM password exit point documentation here:

https://www.ibm.com/docs/en/i/7.2?topic=ssw_ibm_i_72/apis/xsyvlphr.html

See the Kisco U "exit points" unit for more information.

For older 10 character password configurations:

Enter your custom program name in QPWDVLDPGM.

The OS passes four values to your custom program:

  • New password
  • Old password
  • Return code
  • User profile

Use the return code value to let the OS know if the password passes validation.

Here is a little sample CL script for this method:

PGM PARM(&NEWPWD &OLDPWD &RC &USRPRF)
DCL VAR(&NEWPWD) TYPE(*CHAR) LEN(10)
DCL VAR(&OLDPWD) TYPE(*CHAR) LEN(10)
DCL VAR(&RC) TYPE(*CHAR) LEN(1)
DCL VAR(&USRPRF) TYPE(*CHAR) LEN(10)
CHGVAR VAR(&RC) VALUE('0') /* Initialize to OK */

/*-----------------------------------------------------------------*/
/* Following section should be changed to implement your controls */
/*-----------------------------------------------------------------*/

IF COND(&NEWPWD *EQ 'ABCDEF') THEN(GOTO +
  CMDLBL(BADPWD)) /* Example: reject one specific value */
GOTO CMDLBL(PWDOK)

BADPWD:
CHGVAR VAR(&RC) VALUE('1') /* Pass return code +
indicating an error */
PWDOK:
RETURN

ENDPGM
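
The two policies mentioned at the top of this page (a "common passwords" list and stricter rules for sensitive users), written into the placeholder section of the sample above. This is an added example, not Kisco's or IBM's code; the file SECLIB/BADPWDS with its COMMONPWD field, the SYSADMIN profile and the 8-character minimum are assumptions.

```cl
/* Added example. Assumed names: file SECLIB/BADPWDS holding one    */
/* CHAR(10) field COMMONPWD (entries in upper case), the profile    */
/* SYSADMIN, and an 8-character minimum for sensitive profiles.     */
/* The file must exist when this program is compiled.               */
/* Both passwords arrive in clear text: never log or store them.    */
PGM PARM(&NEWPWD &OLDPWD &RC &USRPRF)
DCL VAR(&NEWPWD) TYPE(*CHAR) LEN(10)
DCL VAR(&OLDPWD) TYPE(*CHAR) LEN(10)
DCL VAR(&RC) TYPE(*CHAR) LEN(1)
DCL VAR(&USRPRF) TYPE(*CHAR) LEN(10)
DCLF FILE(SECLIB/BADPWDS)

/* Design choice: any unexpected error (for example, the list file  */
/* cannot be read) rejects the password instead of skipping checks  */
MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(BADPWD))

CHGVAR VAR(&RC) VALUE('0') /* Initialize to OK */

/* Rule 1: sensitive profiles need 8 or more characters. The value  */
/* is blank padded, so a blank in position 8 means it is shorter.   */
IF COND((&USRPRF *EQ 'QSECOFR') *OR +
        (&USRPRF *EQ 'SYSADMIN')) THEN(DO)
   IF COND(%SST(&NEWPWD 8 1) *EQ ' ') THEN(GOTO CMDLBL(BADPWD))
ENDDO

/* Rule 2: reject a password found in the common passwords file     */
NEXT:
RCVF
MONMSG MSGID(CPF0864) EXEC(GOTO CMDLBL(PWDOK)) /* End of file */
IF COND(&NEWPWD *EQ &COMMONPWD) THEN(GOTO CMDLBL(BADPWD))
GOTO CMDLBL(NEXT)

BADPWD:
CHGVAR VAR(&RC) VALUE('1') /* Tell the OS to reject the password */
PWDOK:
RETURN
ENDPGM
```

Restrict change authority on both the program and the list file to the security officer, since anyone who can replace either one controls which passwords the system accepts.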