
IBM iSeries (AS/400)

Status: Released Updated: 24 Feb 2026

MyPass Cloud integrates with IBM iSeries (AS/400) systems through the dedicated iSeries Connector, a component of the MyPass Gateway Server. This connector enables secure password synchronization, reset, and validation operations directly against iSeries user profiles. By leveraging the Gateway Server as a trusted on-premises intermediary, MyPass Cloud ensures that password changes originating from self-service actions (e.g., user-initiated resets via the MyPass portal) are accurately propagated to iSeries, maintaining a single source of truth for credentials across hybrid environments.

This integration empowers end-users with self-service password management for iSeries accounts while reducing IT overhead. All operations comply with iSeries security models and are executed under a privileged service profile, preserving auditability and administrative control.

Quick Implementation Pointers

Network and Infrastructure Pre-requisites

To ensure successful integration, the following network and infrastructure components must be in place:

  • IBM iSeries Environment: IBM i OS/400 V4R5 or later, accessible over the network.
  • MyPass Gateway Server: A Windows Server (2016 or later) to host the MyPass Gateway application. The iSeries Connector is installed automatically with the Gateway package.
  • Java Runtime Environment (JRE): A compatible JRE must be present on the Gateway Server. Supported options include Oracle JRE or open-source builds such as ojdkbuild (minimum Java 8, aligned with IBM Toolbox for Java compatibility).
  • Network Connectivity: Outbound TCP access from the Gateway Server to the iSeries host on ports 8475/9475 (Remote Command), 8476/9476 (Signon Verification), and 449 (Port Mapper).
  • Open the corresponding firewall rules in both directions between the Gateway Server and the iSeries host.
  • Internet access from the Gateway Server to MyPass Cloud (HTTPS, port 443) remains required for relay operations.

Required System Parameters

The following parameters are required to configure the integration with your IBM iSeries (AS/400) system:

| Parameter | Description |
|---|---|
| Hostname | Fully qualified hostname or IP address of the IBM iSeries (AS/400) host. |
| Service Account | Name of the iSeries user profile with privileges to perform password operations. |
| Password | Password for the specified iSeries service profile. |
| SSL Mode | Enable or disable SSL encryption for Toolbox for Java connections (recommended: enabled). |

These parameters are used to establish connectivity through IBM Toolbox for Java. Sensitive data such as credentials are stored securely with strong encryption. Additional connector behaviour can be customized via the fpc101.properties configuration file.

Additional Requirements

  • A dedicated server or virtual machine within your infrastructure must be available to host the MyPass Gateway Server, meeting the hardware and software specifications provided in the MyPass Gateway Server installation guide.
  • The Gateway Server must have network access to the iSeries host on the required service ports (see Network and Infrastructure Pre-requisites).
  • A compatible Java Runtime Environment (JRE) must be installed on the Gateway Server prior to connector operation.

iSeries Service Account

Password operations are performed by logging into the iSeries system using a dedicated service profile. This account must be created on the iSeries host and granted the minimum privileges required for MyPass to perform password resets.

Required Permissions

| Privilege | Requirement | Purpose |
|---|---|---|
| *SECADM | Mandatory | Enables user profile management, including password changes. |
| *ALLOBJ | Conditional | Required only if MyPass must reset passwords for elevated profiles (e.g., security administrator accounts). |
| Remote Command (*RMTSRV) | Mandatory | Allows execution of remote commands (e.g., CHGUSRPRF) via the connector. |

Additional iSeries Configuration

  • Remote Command Exit Point: Configure the exit point for the Remote Command server to permit connections from the MyPass Gateway Server IP address.
  • Integrated File System (IFS): For environments using IFS-mounted shares with password synchronization from Active Directory, set the system password level to 2 or higher. Password level 1 is supported only when enforcing AD policy restrictions via the MyPass Password Filter.
  • SSL/TLS (Recommended): Default configuration uses encrypted connections. Follow IBM's guidance for Toolbox for Java SSL setup: IBM i SSL Configuration. MyPass includes a keystore generation utility—refer to the Appendix: SSL Keystore Setup.

Connector Configuration and Customization

The iSeries Connector leverages IBM Toolbox for Java and the AS400 class for host connectivity. By default, password reset executes:

CHGUSRPRF USRPRF(<username>) PASSWORD(<new_password>) STATUS(*ENABLED) PWDEXP(*NO)

Configuration File

Edit settings in: <INSTALLDIR>\MyPassGateway\bin\ConnectorIBMSystemI\fpc101.properties

| Key | Default Value | Description |
|---|---|---|
| SSLmode | true | Set to false to disable SSL (not recommended). |
| command | CHGUSRPRF USRPRF({user}) PASSWORD({pwd}) STATUS(*ENABLED) PWDEXP(*NO) | Customize the command string. Example to enforce system password expiration: CHGUSRPRF USRPRF({user}) PASSWORD({pwd}) STATUS(*ENABLED) PWDEXPITV(*SYSVAL) |

Note: Refer to IBM documentation for CHGUSRPRF parameters specific to your OS version: CHGUSRPRF Command Reference.

Logging

  • Log File: Operations are recorded via Log4j.
  • Configuration File:
    <INSTALLDIR>\MyPassGateway\bin\ConnectorIBMSystemI\classes\log4j.properties

    | Property | Example Value | Purpose |
    |---|---|---|
    | log4j.appender.file.File | C:\MyPassLogs\iSeriesConnector.log | Defines the full path to the log file. |
    | log4j.rootLogger | INFO, file | Sets global log level: INFO (default), DEBUG (verbose), WARN, ERROR. |
  • Recommended Debug Workflow:
    1. Update log4j.rootLogger=DEBUG, file to enable detailed tracing.
    2. Reproduce the scenario.
    3. Review logs and revert to INFO for production use.
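
One way to audit the connector settings and the Log4j level described above before production use, as an added PowerShell example (not MyPass code). The function names, severity labels and the parameter allowlist are assumptions of this example, and the sample file contents are constructed.

```powershell
# Added example. Parses simple key=value lines only (no line continuations).
function ConvertFrom-JavaProperties([string[]]$Lines) {
    $props = @{}
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t -match '^[#!]') { continue }   # blank or comment
        $i = $t.IndexOf('=')
        if ($i -gt 0) { $props[$t.Substring(0, $i).Trim()] = $t.Substring($i + 1).Trim() }
    }
    return $props
}

function Test-ConnectorConfig([string[]]$ConnectorLines, [string[]]$Log4jLines) {
    $c = ConvertFrom-JavaProperties $ConnectorLines
    $l = ConvertFrom-JavaProperties $Log4jLines
    $findings = @()
    # SSLmode defaults to true, so only an explicit other value is a finding.
    if ($c.ContainsKey('SSLmode') -and $c['SSLmode'] -ne 'true') {
        $findings += 'HIGH: SSLmode is not true; connector traffic to the host is unencrypted'
    }
    if ($c.ContainsKey('command')) {
        $cmd = $c['command']
        if ($cmd -notmatch '^CHGUSRPRF\s') {
            $findings += 'REVIEW: command does not start with CHGUSRPRF'
        }
        foreach ($ph in '{user}', '{pwd}') {
            if (-not $cmd.Contains($ph)) { $findings += "HIGH: command lacks the $ph placeholder" }
        }
        # Allowlist (assumption): only the CHGUSRPRF parameters shown on this page.
        $allowed = 'USRPRF', 'PASSWORD', 'STATUS', 'PWDEXP', 'PWDEXPITV'
        foreach ($m in [regex]::Matches($cmd, '(?i)\b([A-Z0-9]+)\(')) {
            $kw = $m.Groups[1].Value.ToUpper()
            if ($allowed -notcontains $kw) { $findings += "REVIEW: command sets $kw, not a parameter shown in this guide" }
        }
    }
    if ($l['log4j.rootLogger'] -match '^\s*DEBUG\b') {
        $findings += 'WARN: log4j.rootLogger is DEBUG; revert to INFO for production'
    }
    return $findings
}

# Constructed sample contents; in practice use Get-Content on the two files.
$connector = @'
SSLmode=false
command=CHGUSRPRF USRPRF({user}) PASSWORD({pwd}) STATUS(*ENABLED) TEXT('helpdesk reset')
'@ -split '\r?\n'
$log4j = @('log4j.rootLogger=DEBUG, file')
Test-ConnectorConfig $connector $log4j
```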

Optional: SSL Keystore Setup

MyPass Gateway includes a graphical utility to simplify Java keystore creation:

  1. Navigate to <INSTALLDIR>\MyPassGateway\tools\KeystoreWizard.exe.
  2. Follow prompts to import the iSeries DCM certificate or generate a self-signed trust store.
  3. Specify the output keystore path (default: connector directory).
  4. Restart the MyPass Gateway service to apply changes.

This ensures encrypted communication without manual keytool commands.

Licensing – Simple Summary

| What you pay for | How it’s calculated |
|---|---|
| Active Directory (required) | One fee per managed user |
| Each additional system (IBM iSeries / IBM i) | Additional fee per managed user × per IBM i partition / LPAR |

Real-world example
If you manage 600 users:

  • Active Directory → 600 × base user license
  • 4 IBM i partitions (e.g., Production, Test, Development, HA) → + 2 400 × IBM i connector user license (600 users × 4 partitions)
  • Total = base AD license + IBM i connector license for 2 400 “user-partition” seats

Predictable and transparent - you pay only for the IBM i user profiles that MyPass actually rotates on each partition.