IKJ56420I Useri DFRMG16 not authorized to use TSO

This forum provides the support of Dezhi Mainframe systems. Please post your questions about logon, usage of our mainframe environment.

Moderators: sysprog, prino, sfan, steve-myers, Tim001

IKJ56420I Useri DFRMG16 not authorized to use TSO

Postby dgrmf16 » Sat 08 Jun 2013, 02:04

I am new here but have seen the rules.

I created this ID a few weeks ago, logged on once or twice but didn't do anything. So far as I know I didn't break any rules.

The next day I began getting the above message. A couple of weeks passed and though i knew it would not help I resumed the ID and reset the password.

Can anyone tell me what happend so I don't do it again and what i need to do to get the ID 'authorized' again?

Thanks,

Don
dgrmf16
 
Posts: 4
Joined: Wed 15 May 2013, 03:43

Re: IKJ56420I Useri DFRMG16 not authorized to use TSO

Postby dgrmf16 » Sat 08 Jun 2013, 02:10

Please forgive my poor typing my ID is DGRMF16 - not DFRMG16 as is in the title.
dgrmf16
 
Posts: 4
Joined: Wed 15 May 2013, 03:43

Re: IKJ56420I Useri DFRMG16 not authorized to use TSO

Postby steve-myers » Sat 08 Jun 2013, 04:03

The admin's note reported DGRMF16 was banned for "suspicious behavior." Unfortunately, "suspicious behavior" is very subjective, so I can't guess what you did, or even the exact date so I could go back to SYSLOG and try to guess what the admins were thinking. I'm just guessing here, but I'd bet you were executing all sorts of DISPLAY operator commands. Individually, the admins regard this as harmless, but, in bulk, the admins might think you are looking for some place to insert malware. In any event, there are better ways to do this than operator commands; ways the admins can't easily discover what you are doing.

The admins are under no illusion all the holes in our system have been filled in, so they react harshly if they think a user is trying to find a hole. Given that it has been more than 13 months since the last IPL, it seems they are doing a pretty good job!
steve-myers
 
Posts: 452
Joined: Tue 04 May 2010, 15:43

Re: IKJ56420I Useri DFRMG16 not authorized to use TSO

Postby dgrmf16 » Sat 08 Jun 2013, 05:02

i have been a cics sysprog for nearly 30 years. i am sure i did not do console displays but must have done SOMEthing to catch their eye.

So at this point am i banned for life?
dgrmf16
 
Posts: 4
Joined: Wed 15 May 2013, 03:43

Re: IKJ56420I Useri DFRMG16 not authorized to use TSO

Postby prino » Sat 08 Jun 2013, 14:03

Your userid was deleted on 3 June, it may have been removed because a (suspiciously) high number of LOGON attempts with an invalid password on 14 May.

You could apply for a new one, and if you do so, please provide a more real name than "D R", it will make the admins look twice. Also, providing a bit more background info about yourself to the admins via a PM might work wonders, as Steve mentioned the last IPL was well over a year ago, and although there are probably still holes in the system, we don't really want to go back to a situation where the system is more down than up, and for that reason the admins have taken the decision to ban first and wait for questions later.
Robert AH Prins
robert.ah.prins @ the.17+Gb.Google thingy
Some programming here :mrgreen:
prino
 
Posts: 479
Joined: Sat 06 Jun 2009, 21:41
Location: Vilnius, Lithuania

Re: IKJ56420I Useri DFRMG16 not authorized to use TSO

Postby steve-myers » Sat 08 Jun 2013, 16:42

Going back to May 14 I see LOGON attempts with a bad password. Lots of them. This is quite common with new users, so that's not usually an issue.

Then it appears you switched over to CICS and kept on trying. The admins regard CICS as a soft underbelly in security since it doesn't seem to drop a terminal if there are too many LOGON attempts. There has been some indication of "bots" trying to break in through CICS, at least to get a valid userid/password. Switching between TSO and CICS like that is unusual. Perhaps that's why the admins banned the ID; they thought it was a successful attempt to "brute force" the userid/password.

Then you went back to TSO and got a

IKJ606I TSOLOGON REJECTED. USERID DGRMF16 IN USE

though I didn't see a successful LOGON. I next see a successful TSO cancel from the web interface, though I don't see a matching ABEND message. Next I see a TSO session from 22:58:32 to 23:08:44 immediately followed by a TSO session from 23:08:51 to 23:09:13. There is nothing in SYSLOG to indicate any issues.

Then, May 18 we go back to password violations followed by on-off, on-off, more password violations, on-off, on-off. It appears the ID was banned at that point, though not deleted yet. Later in the day I see an on-off sequence. May 20 I see another on-off sequence, and nothing since then.

As far as I can tell, DGRMF16 is no longer banned. You are correct, though. Usually, once banned, forever banned. Just today it appears an attempt to get new IDs from a previously banned user were blocked.

As Prino says, the admins bann an ID first, but it is usually left so it can be revived if it turns out they goofed. From time to time "banned" IDs are deleted as happened June 3.
steve-myers
 
Posts: 452
Joined: Tue 04 May 2010, 15:43

Re: IKJ56420I Useri DFRMG16 not authorized to use TSO

Postby dgrmf16 » Sun 09 Jun 2013, 01:07

i remember the many login failures. It took me a while to realize the password for this site and the tso password were not the same.

I would change one and fail to get on the other thinking I misspelled it when I changed it. Then it would fail at the other place and I'd go through the same exercise and fail for the same reason.

Sorry to cause you to do so much research - I will be less intrusive in your lives in the future.

I'll also update my profile with better information about myself.

Don Ritchie
dgrmf16
 
Posts: 4
Joined: Wed 15 May 2013, 03:43


Return to Dezhi systems: Mainframe

Who is online

Users browsing this forum: No registered users and 0 guests