password reset ServiceNow tool for IBM i (AS400)
3 hours ago
Hi All,
Does anyone have experience with a "password reset ServiceNow tool for IBM i (AS400)"?
Technical specifications of ServiceNow Form
A dedicated form (called IBM i Password reset Request) should be made
available to IBM i (AS400) system’s users.
We expect that this form meets the following functions:
1) Confirms the necessity to reset the user's password on one of the AS400 servers:
   - JD-Europe (A411011)
   - JD-France (A411010)
   - JD-ASIA (A411011)
   - JD-Japan (S6541E3)
Other servers could be added later.
2) Should retrieve the user's email and his network identifier. This
information should "surely" be that belonging to the requester, to
avoid any security breach.
3) The requester can advise a different network identifier to reset the
password. However, the resulting request should also contain the one
known as the network identifier.
4) IBM i Password reset Request form will show a warning window before
accepting the request.
When the request is submitted, a ServiceNow mechanism should generate a
call, containing the above information, to a Windows command on the
dedicated Windows server.
The call would appear like:
```
ResetIBMsvrPwd IBMServer, UserId, UserId2, Email
```
It could also be just a line added in a remote file.
Additional security guards could be added if necessary.
Possible Responses:
The called script will return a code and a parameter permitting SN to show
one of these messages:
- The password for account GMANDO1 has been set to a temporary value. You will need to change it upon first login.
- The reset operation failed due to a technical problem. A request has been sent to system administrator. You will be contacted soon.
- It is not permitted to reset the password for the chosen account through this service. You can submit a request to system administrator.
Reset script usage
As explained before, the Service-Now tool will use an MS-DOS script to perform the password reset on
the AS400 server. The script invocation and usage are explained in the following:
The script should receive the following parameters:
```
As400ResetPwd As400System NetworkId UserId [Pwd]
```
The command will return an exit code with the following meanings:
- 0 : the temporary password has been set successfully.
- -1 : the user identified by NetworkId is not permitted to reset the password of UserId.
- -2 : an unknown technical problem occurred; we need to analyze.
- -3 : the script failed to find the "IBM i ACS" library or the Python service program.
The script uses a Python service program in addition to commands from the IBM i ACS
package. These two objects should be referenced through environment variables that
must be set before invoking the command, like:
```batch
set ACS_lib=C:\Users\Public\IBM\ClientSolutions\
set A400ResetPwdService="C:\ProgramFilesFolder\As400ResetPwd-Srvc.py"
```
The temporary password could be generated beforehand (using a Python script, if it needs
to be shown to the user) and provided as argument number 4. If this argument is missing, the
script does have an internal sequence to generate a password. The purpose of this
sequence is to show how to put a temporary password in an environment variable.
However, we need to send the temporary password to the requester.
The IBM i ACS commands that access the server to reset the password need to authenticate
with a dedicated administrator account on that server. The credentials to use for this
authentication should be in the file named "_netrc" in the home directory of the user who
is invoking the command. The content of this file will be provided during the test phase.
In addition, IBM i ACS should be configured to read this file as follows:
3 hours ago
Let me break down the full implementation architecture and then go through each component.
Overall Architecture
```text
User (Browser)
      │
      ▼
Service Catalog Item        ← The IBM i Password Reset form
      │
      ▼
Flow Designer               ← Orchestrates the process
      │
      ├─► MID Server        ← Executes Windows command on dedicated server
      │       │
      │       ▼
      │   Windows Server
      │       │
      │       ▼
      │   As400ResetPwd.cmd ← Calls Python + IBM i ACS
      │       │
      │       ▼
      │   AS400 Server      ← Password reset performed
      │
      ▼
Response Handler            ← Interprets exit code, notifies user
```
Component 1 — Service Catalog Item (The Form)
Catalog Item Setup
Name: IBM i Password Reset Request
Category: IT Services / Access Management
Table: sc_request (standard catalog request)
Variables to Create
| Variable Name | Type | Mandatory | Notes |
|---|---|---|---|
| as400_server | Select Box | Yes | Dropdown of servers |
| network_id | Single Line Text | Yes | Auto-populated, read-only |
| alternate_user_id | Single Line Text | No | Optional override |
| requester_email | Single Line Text | Yes | Auto-populated, read-only |
| confirmation_warning | Macro / Label | — | Warning display only |
Server Choice Values for as400_server
| Label | Value |
|---|---|
| JD-Europe | A411011 |
| JD-France | A411010 |
| JD-ASIA | A411011 |
| JD-Japan | S6541E3 |
⚠️ Note: JD-Europe and JD-ASIA share the same server ID A411011 per your spec. Confirm this is intentional — if they are separate physical servers you likely need distinct identifiers.
Client Script — Auto-populate Network ID and Email (onLoad)
This pulls from the logged-in user only to prevent security breaches per requirement 2:
```javascript
function onLoad() {
    // Lock these fields — they must belong to the requester only
    g_form.setReadOnly('network_id', true);
    g_form.setReadOnly('requester_email', true);

    // Populate from the current session user via GlideAjax (server-side lookup)
    var ga = new GlideAjax('IBMiPasswordResetUtils');
    ga.addParam('sysparm_name', 'getRequesterDetails');
    ga.getXMLAnswer(function(response) {
        var data = JSON.parse(response);
        g_form.setValue('network_id', data.networkId);
        g_form.setValue('requester_email', data.email);
    });
}
```
Script Include — IBMiPasswordResetUtils
```javascript
// Script Include must be marked "Client callable" so GlideAjax can reach it
var IBMiPasswordResetUtils = Class.create();
IBMiPasswordResetUtils.prototype = Object.extendsObject(AbstractAjaxProcessor, {
    getRequesterDetails: function() {
        // gs.getUserID() is the logged-in session user, never a value sent by the client
        var userId = gs.getUserID();
        var user = new GlideRecord('sys_user');
        user.get(userId);
        var result = {
            // Network ID — adjust field name to match your sys_user schema
            // Common mappings: user_name, employee_number, u_network_id
            networkId: user.getValue('user_name'),
            email: user.getValue('email')
        };
        return JSON.stringify(result);
    },
    type: 'IBMiPasswordResetUtils'
});
```
Client Script — Warning Dialog Before Submit (onSubmit)
```javascript
function onSubmit() {
    var server = g_form.getDisplayValue('as400_server');
    var userId = g_form.getValue('network_id');
    var altId = g_form.getValue('alternate_user_id');
    var targetId = altId ? altId : userId;

    var message = 'You are about to reset the IBM i password.\n\n' +
        'Server: ' + server + '\n' +
        'Account to reset: ' + targetId + '\n' +
        'Your network ID: ' + userId + '\n\n' +
        'Do you wish to proceed?';

    if (!confirm(message)) {
        return false; // Blocks submission if the user cancels
    }
    return true;
}
```
Component 2 — Flow Designer
Trigger
Service Catalog → Item is IBM i Password Reset Request
Flow Steps
1. Get Catalog Variables
2. Script Step — Build command string
3. MID Server Command Step — Execute reset
4. Script Step — Interpret exit code
5. Send Email — Notify requester of outcome
6. Update Request — Set state based on result
Script Step 1 — Build Command
```javascript
(function execute(inputs, outputs) {
    var as400Server = inputs.as400_server;     // e.g. A411011
    var networkId = inputs.network_id;         // requester's own ID
    var altUserId = inputs.alternate_user_id;  // optional override (requirement 3)

    // Requirement 3: if an alternate ID is provided, that account is reset,
    // but the requester's own networkId is always passed as well
    var userId = altUserId ? altUserId : networkId;

    // Format expected by the Windows script: As400ResetPwd As400System NetworkId UserId [Pwd]
    // The values are inserted unquoted, so validate them (allowlisted server, plain
    // profile-name characters) before this string is handed to the MID Server
    var command = 'As400ResetPwd ' + as400Server + ' ' + networkId + ' ' + userId;

    outputs.resetCommand = command;
    outputs.userId = userId;
    outputs.networkId = networkId;
    outputs.alternateUserId = altUserId ? altUserId : ''; // kept on the request for the audit trail
    gs.info('IBMi Reset — command built: ' + command);
})(inputs, outputs);
```
MID Server Step — Execute Windows Command
Use a Run Script or SSH step via IntegrationHub, or a custom ECC Queue entry targeting your Windows MID Server:
```javascript
// If using a custom ECC Queue approach in a Flow script step (inputs/outputs in scope):
var eccQueue = new GlideRecord('ecc_queue');
eccQueue.setValue('agent', 'mid.server.YOUR_MID_SERVER_NAME'); // target MID Server
eccQueue.setValue('queue', 'output');   // output = instance → MID Server
eccQueue.setValue('state', 'ready');
eccQueue.setValue('topic', 'Command');
eccQueue.setValue('name', 'windows_command');
eccQueue.setValue('payload', inputs.resetCommand);
eccQueue.insert();

// Store the ECC record sys_id to poll for the response
outputs.eccSysId = eccQueue.getUniqueValue();
```
📌 The MID Server must be installed on or have network access to the Windows server where
As400ResetPwd.cmd lives, and the _netrc file and environment variables (ACS_lib, A400ResetPwdService) must be configured on that Windows server before the MID Server invokes the command.
Script Step 2 — Interpret Exit Code
```javascript
(function execute(inputs, outputs) {
    // Exit code returned from the Windows command via the MID Server response
    var exitCode = parseInt(inputs.exitCode, 10);
    var userId = inputs.userId;
    var message = '';
    var status = '';

    switch (exitCode) {
        case 0:
            message = 'The password for account ' + userId +
                ' has been set to a temporary value. ' +
                'You will need to change it upon first login.';
            status = 'success';
            break;
        case -1:
            message = 'It is not permitted to reset the password for the ' +
                'chosen account through this service. ' +
                'You can submit a request to the system administrator.';
            status = 'denied';
            break;
        case -2:
            message = 'The reset operation failed due to a technical problem. ' +
                'A request has been sent to the system administrator. ' +
                'You will be contacted soon.';
            status = 'failed';
            break;
        case -3:
            message = 'The reset operation failed — IBM i ACS library or ' +
                'Python service program could not be found. ' +
                'Please contact the system administrator.';
            status = 'failed';
            break;
        default:
            // Unknown or unparseable exit code (NaN lands here too)
            message = 'An unexpected error occurred. ' +
                'Please contact the system administrator.';
            status = 'failed';
    }

    outputs.responseMessage = message;
    outputs.resetStatus = status;
    gs.info('IBMi Reset — exit code: ' + exitCode + ', status: ' + status);
})(inputs, outputs);
```
Email Notification Step
- To: Catalog Variables → requester_email
- Subject: IBM i Password Reset — [status]
- Body: Script Step 2 → responseMessage
Component 3 — MID Server Configuration
On the Windows server that will execute the reset, ensure:
```batch
REM Environment variables required before invoking the command
set ACS_lib=C:\Users\Public\IBM\ClientSolutions\
set A400ResetPwdService="C:\ProgramFilesFolder\As400ResetPwd-Srvc.py"

REM _netrc file must exist at %USERPROFILE%\_netrc
REM containing credentials for the AS400 admin account
REM Format:
REM   machine A411011 login ADMIN_USER password ADMIN_PASS
```
The MID Server service account on Windows must:
- Have the _netrc file in its home directory
- Have IBM i ACS installed and on the PATH
- Have Python available if the .py service is invoked directly
Security Considerations
Given the sensitivity of password reset operations, these additional guards are worth implementing:
| Guard | Implementation |
|---|---|
| Requester identity locked | network_id and email read-only, populated server-side only |
| Alternate ID audit trail | Both network_id and alternate_user_id stored on the request record and passed in the command |
| Rate limiting | Business Rule on sc_request — block if same user submits more than N resets in 24 hours |
| Admin alert on failure | Send email to AS400 admin group when exit code is -2 or -3 |
| Temporary password delivery | Send via email only to requester_email (never displayed on screen) |
| MID Server credential isolation | Store _netrc credentials in ServiceNow Connection & Credential store, not hardcoded |
Summary Checklist
□ Service Catalog Item created with correct variables
□ Client Script — auto-populates network_id and email on load
□ Client Script — confirmation dialog on submit
□ Script Include IBMiPasswordResetUtils — server-side user lookup
□ Flow — Catalog trigger configured
□ Flow — Script Step builds command string
□ Flow — MID Server step executes Windows command
□ Flow — Script Step interprets exit code
□ Flow — Email notification sent to requester
□ Windows Server — environment variables set
□ Windows Server — _netrc file in MID Server account home directory
□ AS400 server list maintained as catalog variable choice list
□ Admin alert configured for exit codes -2 and -3
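The command-building and exit-code handling described in the specification above and in this answer, as an added stand-alone example (plain Node.js, not ServiceNow code from either post). It assumes the three server IDs from the spec as the allowlist and an IBM i profile-name shape of up to 10 characters (letters, digits, $ # @ _, letter first); the `X & DIR` input is a constructed sample showing why the free-text alternate ID must be validated before it is concatenated into the Windows command.

```javascript
"use strict";

// Allowlist built from the systems named in the request (constructed from the spec).
const AS400_SERVERS = new Set(["A411011", "A411010", "S6541E3"]);
// Assumed IBM i profile-name shape: 1-10 chars, letters/digits/$ # @ _, letter first.
const USER_ID_RE = /^[A-Z][A-Z0-9$#@_]{0,9}$/;

// Builds "As400ResetPwd As400System NetworkId UserId" only from validated parts, so a
// free-text alternate_user_id such as "X & DIR" never reaches the Windows command line.
function buildResetCommand(system, networkId, alternateUserId) {
  const sys = String(system || "").trim().toUpperCase();
  const net = String(networkId || "").trim().toUpperCase();
  const alt = String(alternateUserId || "").trim().toUpperCase();
  if (!AS400_SERVERS.has(sys)) return { ok: false, reason: "unknown AS400 system: " + sys };
  if (!USER_ID_RE.test(net)) return { ok: false, reason: "invalid network id" };
  if (alt && !USER_ID_RE.test(alt)) return { ok: false, reason: "invalid alternate user id" };
  // Requirement 3: the alternate id (if any) is the account reset; the requester's own
  // network id is always carried as the NetworkId argument for the audit trail.
  const args = [sys, net, alt || net];
  return { ok: true, args, command: ["As400ResetPwd"].concat(args).join(" ") };
}

// Maps the script's exit code (0, -1, -2, -3) to the spec's three user-facing messages;
// -2 and -3 also flag an administrator alert, as the answer's guard table suggests.
function interpretExitCode(exitCode, userId) {
  switch (parseInt(exitCode, 10)) {
    case 0:
      return { status: "success", adminAlert: false,
        message: "The password for account " + userId + " has been set to a temporary " +
                 "value. You will need to change it upon first login." };
    case -1:
      return { status: "denied", adminAlert: false,
        message: "It is not permitted to reset the password for the chosen account " +
                 "through this service. You can submit a request to system administrator." };
    case -2:
    case -3:
      return { status: "failed", adminAlert: true,
        message: "The reset operation failed due to a technical problem. A request has " +
                 "been sent to system administrator. You will be contacted soon." };
    default: // unknown or unparseable code (NaN lands here)
      return { status: "failed", adminAlert: true,
        message: "An unexpected error occurred. Please contact the system administrator." };
  }
}

// Constructed sample run: a requester resets a colleague's account, then an injection attempt.
const good = buildResetCommand("A411011", "gmando1", "jdoe");
const bad = buildResetCommand("A411011", "GMANDO1", "X & DIR");
console.log(good.command, "|", bad.reason, "|", interpretExitCode("-3", "JDOE").status);
```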
