With the Get Profile Handle (QSYGETPH) and Set Profile Handle (QWTSETP) APIs, this task is easy.
One common issue to deal with when accessing network drives from the IBM i is authority. When you access a network drive from the IBM i, as discussed in previous TechTips, the user profile that is assigned to the job is the user that is being authenticated on the Windows server. One way to resolve this is to synchronize the passwords between the IBM i and Windows, but this will reduce your password protection to the level of the Windows server, because once someone cracks the Windows password protection, they now have the IBM i user name and password.
In this TechTip, I will show you how to change the active user profile for the currently running job. This technique will allow you to set up one user profile--with minimal access to the IBM i--that maintains a synchronized user ID and password with the Windows server. Then you can simply switch over to the specially designated Windows liaison to execute the Windows operations. After you're done with the Windows operations, you can switch back to the original user profile.
I have created a user profile named IBMUSER as my Windows liaison. This will make it easy for the Windows administrators to identify the account on the network. I set up this account to have minimal access to the IBM i; that way, if the Windows passwords are compromised, the potential security exposure on the IBM i is minimized.
To change the user associated with a job, you can use a combination of the Get Profile Handle (QSYGETPH) and Set Profile Handle (QWTSETP) APIs.
The QSYGETPH API validates a user name and password and generates a 12-character handle. This handle is a randomly generated value that is valid only for the currently running job.
The QWTSETP API changes the current thread to run under the user profile specified by the handle. Note that I said "thread" not "job." But you cannot have multiple threads in RPG yet, so if you're only using CL and RPG programs, then you can think of it as being for the job. Once you set the profile handle to be a user profile other than the original user profile, it will remain active until the job ends or until you change it to another profile handle.
QWTSETP doesn't change the user association with the job, so after you execute the command, you would expect WRKACTJOB to show the new user profile name on the workstation, but it does not. And it does not even change the "Current User Profile" or the "Job User Identity" when you display the job status attributes.
During my initial test run, I was stepping through the program in the debugger to the QWTSETP program execution, finding that there were no errors, and performing a system request, expecting the user value to change, but it did not. So I was driving myself crazy trying to get this to work, and I didn't even realize that it was already working! Let me help you avoid that frustration with a simple code sample and a clear explanation of the changes that occur when the program is executed.
The Code
Here is the code to change the user profile.
D**********************************************************************
D* CHANGE THE CURRENT USER PROFILE
D* USING HARD CODED USERNAME
D**********************************************************************
D NEWUSER S 10A
D NEWPASSWORD S 10A
D NEWHANDLE S 12A
D* QUSEC IS THE COMMON ERROR CODE PARAMETER PROVIDED BY IBM
D* THAT YOU CAN FIND IN QSYSINC/QRPGLESRC,QUSEC
D* OUTERROR WAS ADDED TO RECEIVE EXCEPTION DATA
D QUSEC DS
D QUSBPRV 1 4B 0
D QUSBAVL 5 8B 0
D QUSEI 9 15
D QUSERVED 16 16
D OUTERROR 17 1040
D*
C/EJECT
C* FOR SECURITY LEVEL 10 SYSTEMS, THE PASSWORD IS NOT REQUIRED.
C EVAL NEWUSER = 'IBMUSER'
C EVAL NEWPASSWORD = '*NOPWD '
C EVAL QUSBPRV = 1040
C*
C CALL 'QSYGETPH'
C PARM NEWUSER
C PARM NEWPASSWORD
C PARM NEWHANDLE
C PARM QUSEC
C*
C IF QUSBAVL > 0
C* ERROR
C ELSE
C CALL 'QWTSETP'
C PARM NEWHANDLE
C PARM QUSEC
C IF QUSBAVL > 0
C* ERROR
C ELSE
C* SUCCESSFULLY CHANGED PROFILE HANDLE
C ENDIF
C ENDIF
C*
C EVAL *INLR = *ON
If you were to run this code and verify that no errors were found, you may not initially see that anything changed. Now, go ahead and execute the WRKSPLF command with no parameters. You will see all of the spool files listed for IBMUSER, not the user that you signed on as. Or call a program that generates a spool file and you will see IBMUSER specified as the user. Or copy a file in the IFS and you will see the new object owner is IBMUSER.
You may not be familiar with the QSYSINC/QRPGLESRC,QUSEC in the copy statement. This is not something that you have to install yourself; it's already there with i5/OS. This IBM-provided code contains the standard error code parameter. This error code parameter information is populated and returned when the QSYGETPH and QWTSETP commands are executed.
The QUSBAVL value is contained in QUSEC and is used to determine if the command was successful. A good way to troubleshoot failures is by checking the QUSEI value from the QUSEC error code parameter. The hypertext links above for QSYGETPH and QWTSETP provide a list of potential QUSEI values.
The OUTERROR field is an additional field that was added to the data structure that is defined in the QSYSINC/QRPGLESRC,QUSEC file to receive exception data. The QUSBPRV field should be initialized to the length of the QUSEC data structure, including the OUTERROR field. If this size is not set, you could end up receiving a large amount of data in the error code parameter and produce undesired results.
Restoring the Original User Profile
Once you set the profile handle to a different user profile, this user profile will remain active until the job is completed. This is undesirable; otherwise, you would have just signed on as that user profile in the first place. So you will most likely want to set the user profile back to the original user profile after you are done with the task for the profile change.
For the previous code sample, I passed the special password value of *NOPWD, which is acceptable for security level 10 systems. But for systems not using security level 10, you will have to specify the password. As of V5R3, if you specify the password, you must also provide the password length and CCSID. Prior to V5R3, the password length and CCSID were optional. You must remember to put the correct value in the password length field; otherwise, the QSYGETPH call will fail.
The following code example will...
- Retrieve the handle for the current user profile and save it
- Set the profile handle to the IBMUSER with the password
- Copy a file from a network drive to the IFS using the IBMUSER profile handle
- Restore the profile handle back to the original user profile
D**********************************************************************
D* SAVE CURRENT PROFILE HANDLE
D* SET NEW PROFILE HANDLE
D* ACCESS A SERVER WITH THE NEW PROFILE
D* RESTORE THE ORIGINAL PROFILE
D**********************************************************************
D CURUSER S 10A &nbs
Thomas Snyder has a diverse spectrum of programming experience encompassing IBM technologies, open source, Apple, and Microsoft and using these technologies with applications on the server, on the web, or on mobile devices. Tom has more than 20 years' experience as a software developer in various environments, primarily in RPG, Java, C#, and PHP. He holds certifications in Java from Sun and PHP from Zend. Prior to software development, Tom worked as a hardware engineer at Intel. He is a proud United States Naval Veteran Submariner who served aboard the USS Whale SSN638 submarine. Tom is the bestselling author of Advanced, Integrated RPG, which covers the latest programming techniques for RPG ILE and Java to use open-source technologies. His latest book, co-written with Vedish Shah, is Extract, Transform, and Load with SQL Server Integration Services. Originally from and currently residing in Scranton, Pennsylvania, Tom is currently involved in a mobile application startup company, JoltRabbit LLC.
MC Press books written by Thomas Snyder available now on the MC Press Bookstore. Now On Sale Now On Sale
Advanced, Integrated RPG
See how to take advantage of the latest technologies from within existing RPG applications.
List Price $79.95
Extract, Transform, and Load with SQL Server Integration Services
Learn how to implement Microsoft’s SQL Server Integration Services for business applications.
List Price $79.95
Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.
IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn:
LATEST COMMENTS
MC Press Online