AUTHENTICATE


 

The AUTHENTICATE command reduces a user's privileges in a startup command script.

 

 

Format

 

AUTHENTICATE username password

 

where

 

username    is the user name to be used for the revised privileges.

 

password    is the password for username.

 

 

A QM process started via the STARTUP configuration parameter without specifying a user name runs as SYSTEM on Windows and root on other operating systems. These users have very high levels of privilege that are probably inappropriate to the QM process. The AUTHENTICATE command allows a process running as one of these users to revise its level of access to that associated with some other user known to the operating system.

 

Typically, the STARTUP configuration parameter is used to run a paragraph in the VOC of the QMSYS account. This might contain, for example,

1: PA

2: LOGTO SALES

3: PHANTOM RUN MONITOR

4: PHANTOM RUN WEB.SERVER

 

The phantom processes created by this example would run as SYSTEM or root. Inserting

AUTHENTICATE username password

as the first command in the paragraph would cause the phantoms to run as the specified user. Alternatively, each phantom could contain its own use of AUTHENTICATE to become a different user.

 

The AUTHENTICATE command can only be used by SYSTEM and root. Restrictions imposed by the operating system mean that it is not possible for a user process running under any other user name to change its access privileges.

 

In the above example, the user's password is stored in the paragraph as clear text, which may reduce system security. It would be possible to adapt this example to retrieve the password from an encrypted file where access to the encryption key is restricted. Alternatively, the AUTHENTICATE command supports direct use of an encrypted password on the command line. To use this, the password element of the command is replaced by the encrypted password prefixed with ENCR: (case insensitive). The encrypted form of the password is derived using the AUTHKEY command in the QMSYS account as described below.

 

 

The AUTHKEY command is available only in the QMSYS account and is restricted to users with administrator rights. The format of this command is

AUTHKEY password

The password should be enclosed in quotes if it contains spaces. The encrypted password value is displayed on the user's screen and can be transferred easily into the AUTHENTICATE command using cut and paste in the terminal emulator. The encrypted password is further transformed into a hexadecimal encoded form to ensure that non-graphic characters cannot cause problems.

 

The STARTUP configuration parameter also has an extended form that includes the account name, user name and password. In this case, the password may be encrypted using AUTHKEY in the same way as for AUTHENTICATE and inserted into the STARTUP parameter with an ENCR: prefix.

 

 

Example

 

The earlier example, adapted to use an encrypted password, might appear as

1: PA

2: AUTHENTICATE jsmith encr:6EAE7F355E276053A27FB87E

3: LOGTO SALES

4: PHANTOM RUN MONITOR

5: PHANTOM RUN WEB.SERVER
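
The checks described above can be run over an exported startup paragraph before it is deployed. The following is an added example, not part of QM or of this documentation: the function name audit_paragraph, the finding texts and the password Secret1 are constructed for illustration, and the input is assumed to be a listing in the "N: command" form shown on this page.

```python
import re

NUM_PREFIX = re.compile(r"^\s*\d+:\s*")   # "2: " prefix used in the page's listings
HEX = re.compile(r"^[0-9A-Fa-f]+$")       # AUTHKEY output is hexadecimal encoded

CLEAR_TEXT = "AUTHENTICATE password is stored in clear text"
BAD_ENCR = "ENCR: value is not hexadecimal; was it copied from AUTHKEY intact?"
INCOMPLETE = "AUTHENTICATE needs both a user name and a password"
PRIVILEGED = "PHANTOM before any AUTHENTICATE; it starts as SYSTEM/root"

def audit_paragraph(listing):
    """Return (line_number, finding) pairs; password values are never echoed."""
    findings, authenticated = [], False
    for n, raw in enumerate(listing.splitlines(), 1):
        line = NUM_PREFIX.sub("", raw).strip()
        if not line:
            continue
        parts = line.split(None, 2)
        verb = parts[0].upper()
        if verb == "AUTHENTICATE":
            if len(parts) < 3:
                findings.append((n, INCOMPLETE))
                continue
            authenticated = True
            password = parts[2]
            if password[:5].upper() != "ENCR:":      # prefix is case insensitive
                findings.append((n, CLEAR_TEXT))
            elif not HEX.match(password[5:]):
                findings.append((n, BAD_ENCR))
        elif verb == "PHANTOM" and not authenticated:
            # Review item only: the phantom may call AUTHENTICATE itself.
            findings.append((n, PRIVILEGED))
    return findings

# The page's first listing, and a constructed variant with a clear-text password.
UNAUTHENTICATED = "1: PA\n2: LOGTO SALES\n3: PHANTOM RUN MONITOR\n4: PHANTOM RUN WEB.SERVER"
CLEAR = "1: PA\n2: AUTHENTICATE jsmith Secret1\n3: LOGTO SALES\n4: PHANTOM RUN MONITOR"

if __name__ == "__main__":
    for name, text in (("unauthenticated", UNAUTHENTICATED), ("clear text", CLEAR)):
        for n, finding in audit_paragraph(text):
            print(f"{name}: line {n}: {finding}")
```

The encrypted listing in the Example section above produces no findings.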