If users are getting rejected unexpectedly and an audit report shows a "Possible Intrusion Attempt" message, consider the following:

Powertech Exit Point Manager's intrusion detection procedure validates the incoming user profile *before* it looks for a rule.  

For exit points that require a valid user (all with the possible exception of TFTP), Exit Point Manager calls an API to retrieve the User Profile information for the Username that came through the exit point. This validates the Username and gives Exit Point Manager the Group Profile and Supplemental Group Profile information it needs to find a Rule. If that API returns an error (that is, the User Profile was *not* found), Exit Point Manager does not look for a rule; instead, it rejects the transaction as a “possible intrusion attempt.”

The transaction causes the OS to generate a T:PW event, subtype U (User name not valid), in the IBM audit journal QAUDJRN.

See the following for supporting IBM documentation: https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_71/rzarl/rzarlf45.htm

The “Possible Intrusion Attempt” message is only for invalid Usernames, not invalid passwords. Exit Point Manager only validates the Username with the OS; the OS validates the password.

Consider running an Audit report for all transactions. It's possible the user mistyped their user name. If you are using Kerberos or SSO and see the "Intrusion Attempt" messages, your options are to either remove the Exit Point Manager exit programs from the exit points affected, or stop using Kerberos/SSO.
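To see which user names the OS recorded as not valid, the T:PW subtype U entries described above can be pulled from QAUDJRN and summarized. This is an added example, not part of the original article or the product. It assumes the QSYS2.QCMDEXC procedure is available on your release and uses the column names of IBM's QSYS/QASYPWJ5 model outfile.

```sql
-- Added example: summarize T:PW subtype U (User name not valid) entries.
-- Assumptions: security auditing is active with QAUDLVL including *AUTFAIL,
-- and the user running this has *AUDIT special authority.

-- Step 1: copy the PW entries from QAUDJRN to an outfile.
-- CPYAUDJRNE appends the entry type to the outfile name,
-- so the result is QTEMP/QAUDITPW.
CALL QSYS2.QCMDEXC(
  'CPYAUDJRNE ENTTYP(PW) OUTFILE(QTEMP/QAUDIT) JRNRCV(*CURCHAIN)'
);

-- Step 2: keep only subtype U and group by the name that was presented
-- and the job that logged the entry.
SELECT PWUSRN      AS rejected_user_name,
       PWJOB       AS logging_job,
       COUNT(*)    AS attempts,
       MIN(PWTSTP) AS first_seen,
       MAX(PWTSTP) AS last_seen
  FROM QTEMP.QAUDITPW
 WHERE PWTYPE = 'U'
 GROUP BY PWUSRN, PWJOB
 ORDER BY attempts DESC, last_seen DESC;
```

Compare each rejected name against the existing user profiles: a near match to a real profile points to a mistyped user name.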


Last Modified On: May 29, 2019