Connecting IBM iSeries (AS/400)
MyPass Cloud integrates with IBM iSeries (AS/400) systems through the dedicated iSeries Connector, a component of the MyPass Gateway Server. This connector enables secure password synchronization, reset, and validation operations directly against iSeries user profiles. By leveraging the Gateway Server as a trusted on-premises intermediary, MyPass Cloud ensures that password changes originating from self-service actions (e.g., user-initiated resets via the MyPass portal) are accurately propagated to iSeries, maintaining a single source of truth for credentials across hybrid environments.
This integration empowers end-users with self-service password management for iSeries accounts while reducing IT overhead. All operations comply with iSeries security models and are executed under a privileged service profile, preserving auditability and administrative control.
Quick Implementation Pointers
- Verify Prerequisites on MyPass Gateway Server
- Configure iSeries Server Requirements
- Ensure Network Connectivity
- Customize Connector Behavior (Optional)
Prerequisites on MyPass Gateway Server
The iSeries Connector is automatically installed with the MyPass Gateway Server package. To ensure reliable operation:
- Java Runtime Environment (JRE): A compatible JRE must be present on the Gateway Server. Supported options include Oracle JRE or open-source builds such as ojdkbuild.
- Minimum version: Java 8 or later (aligned with IBM Toolbox for Java compatibility).
- The JRE is used exclusively by the connector for IBM Toolbox for Java operations.
Prerequisites on iSeries Server
The connector supports IBM i OS/400 V4R5 and later. Password operations are performed by logging into the iSeries system using a dedicated service profile with the following minimum privileges:
| Privilege | Requirement | Purpose |
|---|---|---|
| *SECADM | Mandatory | Enables user profile management, including password changes. |
| *ALLOBJ | Conditional | Required only if MyPass must reset passwords for elevated profiles (e.g., security administrator accounts). |
| Remote Command (*RMTSRV) | Mandatory | Allows execution of remote commands (e.g., CHGUSRPRF) via the connector. |
Additional iSeries Configuration
- Remote Command Exit Point: Configure the exit point for the Remote Command server to permit connections from the MyPass Gateway Server IP address.
- Integrated File System (IFS): For environments using IFS-mounted shares with password synchronization from Active Directory, set the system password level to 2 or higher. Password level 1 is supported only when enforcing AD policy restrictions via the MyPass Password Filter.
- SSL/TLS (Recommended): Default configuration uses encrypted connections. Follow IBM's guidance for Toolbox for Java SSL setup: IBM i SSL Configuration. MyPass includes a keystore generation utility—refer to the Appendix: SSL Keystore Setup.
Network Connectivity Between Servers
The MyPass Gateway Server must maintain outbound connectivity to the iSeries host on the following ports:
| Service | Non-SSL Port | SSL Port | Notes |
|---|---|---|---|
| Remote Command | 8475 | 9475 | Primary channel for CHGUSRPRF execution. |
| Signon Verification | 8476 | 9476 | Used for authentication and session validation. |
| Port Mapper | 449 | 449 | Service resolution (shared for SSL/non-SSL). |
- Open the corresponding firewall rules bidirectionally between the Gateway Server and the iSeries host.
- Internet access from the Gateway Server to MyPass Cloud (HTTPS, port 443) remains required for relay operations.
Connector Configuration and Customization
The iSeries Connector leverages IBM Toolbox for Java and the AS400 class for host connectivity. By default, password reset executes:
CHGUSRPRF USRPRF(<username>) PASSWORD(<new_password>) STATUS(*ENABLED) PWDEXP(*NO)
Configuration File
Edit settings in:
<INSTALLDIR>\MyPassGateway\bin\ConnectorIBMSystemI\fpc101.properties
| Key | Default Value | Description |
|---|---|---|
| SSLmode | true | Set to false to disable SSL (not recommended). |
| command | CHGUSRPRF USRPRF({user}) PASSWORD({pwd}) STATUS(*ENABLED) PWDEXP(*NO) | Customize the command string. Example to enforce system password expiration: CHGUSRPRF USRPRF({user}) PASSWORD({pwd}) STATUS(*ENABLED) PWDEXPITV(*SYSVAL) |
Note: Refer to IBM documentation for CHGUSRPRF parameters specific to your OS version: CHGUSRPRF Command Reference.
Logging
- Log File: Operations are recorded via Log4j.
- Configuration File:
<INSTALLDIR>\MyPassGateway\bin\ConnectorIBMSystemI\classes\log4j.properties
| Property | Example Value | Purpose |
|---|---|---|
| log4j.appender.file.File | C:\MyPassLogs\iSeriesConnector.log | Defines the full path to the log file. |
| log4j.rootLogger | INFO, file | Sets global log level: INFO (default), DEBUG (verbose), WARN, ERROR. |
- Recommended Debug Workflow:
  - Update log4j.rootLogger=DEBUG, file to enable detailed tracing.
  - Reproduce the scenario.
  - Review logs and revert to INFO for production use.
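Added example (not part of the MyPass product or its documentation): a small audit of the two configuration files described above, flagging a disabled SSLmode, a command template that no longer looks like the documented CHGUSRPRF string, and a DEBUG log level left in place, and deriving from SSLmode which ports in the connectivity table need firewall rules. The function names and sample file contents are constructed for illustration, and the parser assumes simple key=value lines.

```python
# Added example: keys, defaults and ports are taken from the tables on this page.
PORTS = {  # service -> (non-SSL port, SSL port)
    "Remote Command": (8475, 9475),
    "Signon Verification": (8476, 9476),
    "Port Mapper": (449, 449),
}

def parse_properties(text):
    """Parse key=value lines (assumption: '=' separator, no line continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(connector_text, log4j_text):
    """Return (findings, ports the Gateway must reach on the iSeries host)."""
    conn = parse_properties(connector_text)
    log = parse_properties(log4j_text)
    findings = []
    ssl = conn.get("SSLmode", "true").lower() == "true"   # documented default: true
    if not ssl:
        findings.append("SSLmode=false: connector traffic is not encrypted")
    cmd = conn.get("command")
    if cmd is not None:                       # absent key means the default command
        if not cmd.upper().startswith("CHGUSRPRF "):
            findings.append("command does not start with CHGUSRPRF")
        for token in ("{user}", "{pwd}"):
            if token not in cmd:
                findings.append("command is missing the " + token + " placeholder")
    level = log.get("log4j.rootLogger", "INFO").split(",")[0].strip().upper()
    if level == "DEBUG":
        findings.append("log4j.rootLogger=DEBUG: revert to INFO for production")
    ports = sorted({p[1] if ssl else p[0] for p in PORTS.values()})
    return findings, ports

# Constructed sample file contents (not taken from a real installation).
SAMPLE_CONNECTOR = (
    "SSLmode=false\n"
    "command=CHGUSRPRF USRPRF({user}) PASSWORD({pwd}) STATUS(*ENABLED) PWDEXPITV(*SYSVAL)\n"
)
SAMPLE_LOG4J = "log4j.rootLogger=DEBUG, file\n"

if __name__ == "__main__":
    findings, ports = audit(SAMPLE_CONNECTOR, SAMPLE_LOG4J)
    print("\n".join(findings) or "no findings")
    print("ports to allow:", ports)
```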
Appendix: SSL Keystore Setup (Optional)
MyPass Gateway includes a graphical utility to simplify Java keystore creation:
- Navigate to <INSTALLDIR>\MyPassGateway\tools\KeystoreWizard.exe.
- Follow prompts to import the iSeries DCM certificate or generate a self-signed trust store.
- Specify the output keystore path (default: connector directory).
- Restart the MyPass Gateway service to apply changes.
This ensures encrypted communication without manual keytool commands.
Licensing – Simple Summary
| What you pay for | How it’s calculated |
|---|---|
| Active Directory (required) | One fee per managed user |
| Each additional system (IBM iSeries / IBM i) | Additional fee per managed user × per IBM i partition / LPAR |
Real-world example
If you manage 600 users:
- Active Directory → 600 × base user license
- 4 IBM i partitions (e.g., Production, Test, Development, HA) → + 2 400 × IBM i connector user license (600 users × 4 partitions)
- Total = base AD license + IBM i connector license for 2 400 “user-partition” seats
Predictable and transparent - you pay only for the IBM i user profiles that MyPass actually rotates on each partition.