Configuring after installation


Use the parameters in this topic to specify BMC AMI Security Privileged Access Manager (PAM) settings in the BMC AMI Resident Security Server (RSS) configuration. These parameters are not required for other RSS components.

Configuration parameters syntax

You must conform to the following rules while specifying the parameters in the configuration data set:

  • Only one parameter is allowed on each line and can start in any position on that line.
  • Parameters must be specified in full and are not case-sensitive except for hierarchical file system (HFS) path names.
  • A line with an asterisk * in the first position is treated as a comment.
  • RSS parameters support standard z/OS ampersand-prefixed (&) variables (for example, &SYSNAME).
  • (SPE2507) You can include static and dynamic system symbols in the parameters. For more information, see Using static and dynamic system symbols in parameters.

Using static and dynamic system symbols in parameters

(SPE2507)

System symbols act as placeholders that are replaced by substitution text (a character string), so that a parameter library shared by several systems can still yield values that are unique to each system. There are two types of system symbols:

  • Static system symbol—The substitution text for these symbols is either system-defined or defined in the IEASYMxx member through SYMDEF statements. Static system symbols are set during IPL (initial program load) and do not normally change.
  • Dynamic system symbol—The substitution text for these symbols can change at any time after IPL and is obtained through the IBM ASASYMBM or ASASYMBF service. You can use dynamic system symbols to build dynamic paths and file names.
Example

If you define AuditLogFileName rss.&SYSNAME..audit.D&YYMMDD..T&HHMMSS..log in your configuration member, and TSOP is your system name, it is resolved to AuditLogFileName rss.TSOP.audit.D250311.T203405.log. The period that immediately follows a symbol name terminates the symbol and is removed during substitution, so a double period after a symbol yields one literal period in the result.

Any static or dynamic system symbol that you use must be one that is defined in the "z/OS MVS Initialization and Tuning Reference" manual (for static symbols, either a system-defined symbol or one that you define in IEASYMxx).

The following table lists commonly used dynamic system symbols:

  • &MON: Month of the year
  • &DAY: Day of the month
  • &JDAY: Julian day of the year
  • &YR2: Year in two digits
  • &YR4: Year in four digits
  • &WDAY: Name of the day of the week
  • &HR: Hour
  • &MIN: Minute
  • &SEC: Second
  • &JOBNAME: Job name of the task
  • &HHMMSS: Time of day. Use &LHHMMSS for local time.
  • &YYMMDD: Date. Use &LYYMMDD for the local date.

For more information about system symbols, see the "z/OS MVS Initialization and Tuning Reference" manual.
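The substitution rules above are easy to get wrong at the double period. The following Python script is an added example (not BMC code and not a call to the IBM ASASYMBM/ASASYMBF service) that resolves &SYMBOL references the way the text describes: a period directly after the name is consumed as the terminator, keywords are not case-sensitive, and an undefined symbol is left as written. The field widths (two-digit MON/DAY/YR2/HR/MIN/SEC, three-digit JDAY, three-letter WDAY) follow z/OS conventions and are an assumption of this example; the static symbol table is supplied by the caller in place of IEASYMxx.

```python
"""Resolve z/OS-style &SYMBOL references in an RSS/PAM parameter value.

Added example; not BMC code. Static symbols (IEASYMxx-style) are passed in as
a dictionary; the dynamic date/time symbols listed in the reference are built
from a timestamp. Field widths are an assumption following z/OS conventions.
"""
import re
from datetime import datetime

# &NAME followed by an optional terminating period (consumed on substitution).
_SYMBOL = re.compile(r"&([A-Z0-9@#$]+)\.?", re.IGNORECASE)


def dynamic_symbols(gmt: datetime, local: datetime, jobname: str) -> dict:
    """Build the dynamic symbols from the table above for one instant."""
    return {
        "MON": f"{gmt.month:02d}",
        "DAY": f"{gmt.day:02d}",
        "JDAY": f"{gmt.timetuple().tm_yday:03d}",
        "YR2": f"{gmt.year % 100:02d}",
        "YR4": f"{gmt.year:04d}",
        "WDAY": gmt.strftime("%a").upper(),
        "HR": f"{gmt.hour:02d}",
        "MIN": f"{gmt.minute:02d}",
        "SEC": f"{gmt.second:02d}",
        "JOBNAME": jobname,
        "HHMMSS": gmt.strftime("%H%M%S"),
        "YYMMDD": gmt.strftime("%y%m%d"),
        "LHHMMSS": local.strftime("%H%M%S"),   # local-clock variants
        "LYYMMDD": local.strftime("%y%m%d"),
    }


def resolve(value: str, static: dict, gmt: datetime, local=None,
            jobname: str = "RSS") -> str:
    """Substitute every &SYMBOL in value; static names override dynamic ones."""
    table = dynamic_symbols(gmt, local or gmt, jobname)
    table.update({k.upper(): v for k, v in static.items()})  # not case-sensitive

    def substitute(match) -> str:
        name = match.group(1).upper()
        if name not in table:
            return match.group(0)   # undefined symbol: text left untouched
        return table[name]          # the terminating period is dropped here

    return _SYMBOL.sub(substitute, value)


def resolve_at(value: str, static: dict, iso_timestamp: str) -> str:
    """Convenience wrapper taking an ISO-8601 timestamp such as '2025-03-11T20:34:05'."""
    return resolve(value, static, datetime.fromisoformat(iso_timestamp))


if __name__ == "__main__":
    # The example from the text: system name TSOP on 11 March 2025 at 20:34:05.
    print(resolve_at("rss.&SYSNAME..audit.D&YYMMDD..T&HHMMSS..log",
                     {"SYSNAME": "TSOP"}, "2025-03-11T20:34:05"))
```

Run it and the AuditLogFileName example resolves to rss.TSOP.audit.D250311.T203405.log; a name that is not in the table, such as &UNDEF..x, is returned unchanged, which is the behaviour to watch for when a data set name unexpectedly still contains an ampersand.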

PAMProject table

The PAM configuration statements are grouped into projects, in which a project is a specific group of PAM user IDs used to access a specific system resource.

For example, you might define one project for access to CICS, a second project for Db2, and a third project for z/OS.

The PAM configuration member (BGLASS) uses the following parameters:

Parameter

Description

PAMProject projectName

Indicates the start of a project definition

Enter a name of up to eight characters for projectName.

AccessRetention number type REVOKE|INACTIVE|ACTIVEONTERM

Time period to retain access to project resources

Enter the following values and keywords:

Value or keyword

Description

number

Enter the amount of time (minutes, hours, or days) users can retain their user pool ID or self-elevation privileges. The maximum value is 90.

The value you enter here is loaded by default into the Duration box for users requesting a user ID.

type

(Optional) Enter the unit of measure: Minutes, Hours, or Days.

If you omit type, the default Minutes is used.

REVOKE

(Optional) Enter this keyword to flag user IDs that are not in use as revoked (in addition to resetting the passwords). This is helpful for projects with very powerful user IDs and privileges.

INACTIVE

(Optional) Enter this keyword for PAM to clear the inactive status of the requested user ID by issuing an ALU RESUME command. Specifying INACTIVE is equivalent to setting the AllowInactive parameter to Enable.

ACTIVEONTERM

(Optional) Enter this keyword to retain the privileged access of active user IDs even after a WARM start.

The following describes the behavior of user IDs in user pool and self-elevation mode projects when you specify (enable) or do not specify (disable) this keyword:

User pool project, ACTIVEONTERM enabled

  • When PAM stops: PAM neither revokes the user nor resets the password for any InUse ID in the PAM project.
  • After WARM start: If a user ID was in the InUse state before the shutdown and subsequent WARM start, PAM recovers the user ID back to InUse, so the user keeps access to the ID after the WARM start. All other user IDs in the project are recovered to the state that they were in before the WARM start.

User pool project, ACTIVEONTERM disabled

  • When PAM stops: PAM revokes the user and resets the password for all IDs defined within the PAM project.
  • After WARM start: If a user ID was in the InUse state before the shutdown and subsequent WARM start, PAM recovers the user ID back to PasswordWait. To use the ID again after the WARM start, the user must log on to PAM and reset the password.

Self-elevation project, ACTIVEONTERM enabled

  • When PAM stops: PAM does not remove the self-elevated privileged access of the logged-on user.
  • After WARM start: If the self-elevated user ID was in the InUse state before the shutdown and subsequent WARM start, PAM recovers the user ID back to InUse.

Self-elevation project, ACTIVEONTERM disabled

  • When PAM stops: PAM removes the self-elevated privileged access of the logged-on user.
  • After WARM start: If the self-elevated user ID was in the InUse state before the shutdown and subsequent WARM start, PAM recovers the user ID back to InUse.

Warning

If you do not specify ACTIVEONTERM, the access that users obtained through PAM is removed when PAM is stopped, and user IDs revert to the state they were in when PAM originally started. If you specify ACTIVEONTERM and do not expect to restart PAM, you must remove the privileged access of the affected user IDs yourself, because nothing else will.

Once the time is up, privileges are revoked, and any passwords the user created are removed.

(SPE2410) If you omit this parameter, its value is loaded from the DefaultRetention parameter, and REVOKE is used by default.

ACF2Mask uidMask

Indicates the uidMask used to select users for a PAM project

This parameter is required for ACF2 projects. For more information, see ACF2 mask.

AllowInactive Enable|Disable

When the product runs on a RACF system, it issues an ALU RESUME command to clear the inactive status of the requested user ID.

The default is Disable.

Setting the AllowInactive parameter to Enable is similar to specifying the INACTIVE keyword with the AccessRetention parameter.

AllowRepeatedRequests All|Unique|None

Controls whether a user can make multiple requests against their own linked user ID. The AllowRepeatedRequests parameter is valid for user pool mode (Mode UserPool) projects only and is not valid for self-elevation mode (Mode SelfElevation) projects.

Select one of the following options:

  • All—approves all requests and does not check the request for duplicate environments
  • Unique—approves any request whose set of systems does not match a previous request. A repeated request for the same user ID is approved, but a request for the same user ID and the same set of systems is rejected.
  • None—rejects repeated requests

The default is None.

Important

Before you define this parameter, you must define the CSDATAField parameter.

Approver type value

(Optional) TSO user ID or email address of the person who will approve access requests for the project

This parameter is useful for sending notifications to support mailboxes or to a mailing list of approvers. Notification is not sent for automatic approvals.

  • type indicates how the approver is notified:
    • EMAIL specifies the email address of the approver.
    • TSO specifies the TSO user ID of the approver.
  • value contains the corresponding email or TSO user ID.
Important

If you specify EMAIL, PAM uses the value from the EmailProfile block of the RSS server configuration parameters. For the notification process to operate correctly, you must have previously configured these parameters. For more information, see Email Configuration parameters (EMAILDEF).

AutoGenerate Password|Passphrase Email

(SPE2507)

Generates a random password or passphrase when a user sets or resets the password or passphrase of a user pool user ID

Value

Description

Password

Generates a random password

Passphrase

Generates a random passphrase

Email

(Optional) Sends a notification to a previously specified email address with the new password or passphrase
Important

For the notification process to operate correctly, you must have previously configured the EmailCustomField parameter in the EmailProfile block. For more information, see Email Configuration parameters (EMAILDEF).

AutoGeneratedPassword On|Off|Overwrite Email

(Deprecated from SPE2507 onwards) Determines whether to automatically generate a random password during the password reset process

Value

Description

On

Automatically generates a random password that is not editable

Overwrite

Automatically generates a random password that is editable

Off

(Default) Does not generate a random password. Users must enter the password manually.

Email

(Optional) Sends a notification to a previously specified email address with the new password

Important

For the notification process to operate correctly, you must have previously configured the EmailCustomField parameter in the EmailProfile block. For more information, see Email Configuration parameters (EMAILDEF).

AutoPeriod hh:mm hh:mm WEEKDAYS|WEEKENDS

(Optional) Enables automatic access-request approval for the specified time period

Users must receive manager approval when requesting user ID pool or self-elevation access, but managers are not always available when requests come in. To address this, you can specify periods during which approvals are granted automatically, for example, on weekends or holidays when a project manager might be traveling or on vacation. Because no one reviews requests during these periods, keep them as narrow as the project's risk allows.

  • Enter start and end times in hours and minutes using hh:mm hh:mm.
  • Use either WEEKDAYS or WEEKENDS (you can only use one) to specify when the time period occurs.
  • Define one or more AutoPeriod parameters as needed for the project.

    Important

    AutoPeriod uses a 24–hour clock. If a time period spans midnight, the start time must be greater than the end time. For example:
    AutoPeriod 23:30 08:30 WEEKDAYS

If you omit AutoPeriod, the default is that manager approval is required for all access requests.
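Whether a request falls inside an AutoPeriod window is where the midnight rule bites, so the following Python script, an added example that is not BMC code, evaluates a project's AutoPeriod lines against a request timestamp. Two details the reference does not state are assumptions of this example: the end time is exclusive (08:30 itself is outside a 23:30 08:30 window), and the WEEKDAYS/WEEKENDS class is judged at the moment of the request, so a WEEKDAYS window that spans Friday midnight does not reach into Saturday. A zero-length window (equal start and end) is treated as a configuration error, also by assumption.

```python
"""Evaluate PAM AutoPeriod windows against a request timestamp.

Added example, not BMC code. Assumptions: the end time is exclusive, the day
class (WEEKDAYS/WEEKENDS) is judged at the request time, and equal start and
end times are rejected. Times are on the 24-hour clock as the text requires.
"""
from datetime import datetime, time

WEEKDAYS = {0, 1, 2, 3, 4}   # datetime.weekday(): Monday=0 .. Friday=4
WEEKENDS = {5, 6}            # Saturday, Sunday


def _hhmm(text: str) -> time:
    """Parse hh:mm; the time() constructor rejects values such as 24:00 or 08:60."""
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))


def parse_autoperiod(line: str):
    """Parse 'AutoPeriod hh:mm hh:mm WEEKDAYS|WEEKENDS' into (start, end, days)."""
    parts = line.split()
    if len(parts) != 4 or parts[0].upper() != "AUTOPERIOD":
        raise ValueError(f"not an AutoPeriod statement: {line!r}")
    start, end = _hhmm(parts[1]), _hhmm(parts[2])
    days = {"WEEKDAYS": WEEKDAYS, "WEEKENDS": WEEKENDS}.get(parts[3].upper())
    if days is None:
        raise ValueError("AutoPeriod needs WEEKDAYS or WEEKENDS (exactly one)")
    if start == end:
        raise ValueError("AutoPeriod start and end are equal (assumed invalid)")
    return start, end, days


def in_window(ts: datetime, window) -> bool:
    """True when ts falls inside one parsed AutoPeriod window."""
    start, end, days = window
    if ts.weekday() not in days:
        return False
    now = ts.time().replace(second=0, microsecond=0)
    if start < end:                      # same-day window, e.g. 09:00 17:00
        return start <= now < end
    return now >= start or now < end     # spans midnight: start is later than end


def auto_approved(ts: datetime, autoperiod_lines) -> bool:
    """A request is auto-approved if any AutoPeriod line of the project covers it."""
    return any(in_window(ts, parse_autoperiod(line)) for line in autoperiod_lines)


def auto_approved_at(iso_timestamp: str, autoperiod_lines) -> bool:
    """Same as auto_approved, taking an ISO-8601 timestamp string."""
    return auto_approved(datetime.fromisoformat(iso_timestamp), autoperiod_lines)


if __name__ == "__main__":
    # Constructed project: the overnight weekday window from the text plus
    # all-day weekends.
    project = ["AutoPeriod 23:30 08:30 WEEKDAYS", "AutoPeriod 00:00 23:59 WEEKENDS"]
    for stamp in ("2025-03-14T23:45", "2025-03-11T12:00", "2025-03-15T01:00"):
        print(stamp, auto_approved_at(stamp, project))
```

With only the 23:30 08:30 WEEKDAYS line, Friday 23:45 and Tuesday 07:59 are auto-approved, Tuesday 08:30 and 12:00 are not, and Saturday 01:00 is not until a WEEKENDS line is added; that last case is the one to test on your own system if you expect an overnight window to carry into the weekend.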

AutoStep step

(SPE2507) PAM performs the step specified with this parameter automatically after a user performs the preceding step

This parameter takes the following value:

Accept—automatically accepts a user ID and changes the request state to active when a manager approves a request. This value is valid for self-elevation projects only.

BMCHelixAuth dataSet

Name of the data set containing the authentication token that is used to authenticate the change ID (or incident ID) validation request sent from PAM to the BMC Helix ITSM instance

For more information, see Validating Security PAM change IDs and incident IDs by using BMC Helix ITSM.

BMCHelixUser userID

Base64-encoded BMC Helix ITSM user ID that is used to authenticate the change ID (or incident ID) validation request sent from PAM to the BMC Helix ITSM instance

Make sure that the user ID that you specify with this parameter has the required permissions to read change IDs and incident IDs in BMC Helix ITSM. For more information, see Validating Security PAM change IDs and incident IDs by using BMC Helix ITSM.

BMCHelixPass password

Base64-encoded password for the BMC Helix ITSM userID

BMCHelixURL url

Endpoint URL for sending the REST API requests from PAM

If your endpoint URL is https://exampleurl.com, then specify it as exampleurl.com.

For more information, see Validating Security PAM change IDs and incident IDs by using BMC Helix ITSM.

ChangeIDPrefix prefix1 prefix2 prefix3 ...

Force specific change or incident ID prefixes for the project

You can configure multiple, custom change or incident ID prefixes to use for tracking requests from the project. Users are shown the required prefixes when requesting a user ID. The prefixes are not case sensitive.

(SPE2407)

The prefixes are displayed in the Change or Incident ID list in the UI.

If PAM change or incident ID validation against ServiceNow records is enabled, the Change or Incident ID list in the UI displays CHG and INC only. No other prefix is displayed.

CommandUserID Job|Group

User ID for issuing commands

Ensure that the user ID for the specified value has sufficient privileges to issue the necessary commands.

  • Job issues commands under the user ID of the started task running PAM.
  • Group issues commands under the owning user ID of the group or profile associated with the project. On non-RACF installations, we recommend using Job.

If you omit CommandUserID, the default Job is used.

CommentField Enable|Disable

Determines whether users must enter a comment in the Comment box on the Confirm PAM Access Request modal window

If you omit CommentField, the default Disable is used.

ConcurrentMode True|False

(For self-elevation projects only) Determines whether the project allows a user to be self-elevated in it and in other projects at the same time

Users can self-elevate in multiple projects concurrently only when:

  • The project in which the user is currently elevated (the first one chosen) has ConcurrentMode True.
  • The next project the user chooses also has ConcurrentMode True.

If the user initially chooses or is currently elevated in a project where ConcurrentMode = False, they cannot concurrently elevate to another project.

If you omit ConcurrentMode, the default False is used.

ConnectACF2 priv1 priv2 priv3 ...

ConnectGroup group1 group2 group3 ...

ConnectProfile profile1 profile2 profile3 ...

(For self-elevation projects only) Names of the user-access ESM resources associated with the project

ESM user-access resources provide projects with access to required system resources. These are primarily in the form of RACF groups, TSS profiles, and ACF2 departments. Projects created for self-elevation can connect to multiple resources, providing a wide range of access for the user. You can define multiple resources for a single Connect parameter or you can use multiple Connect parameters instead.

In addition, when operating PAM on a RACF or TSS system, users are connected automatically to the RACF group or TSS profile defined specifically for the project via the RACFGroup or TSSProfile keyword. For more information, see RACF groups and TSS profiles.

ACF2 supports additional processing with this keyword because of the flexibility of ACF2 installations and the various differences in the organization structure. The ConnectACF2 parameter supports any string of the format parameter(value) and two special keywords: ACCOUNT and SECURITY. The parameter options are those defined for your organization's UID string. To find the parameter, issue a LIST userid ACF2 command. The output for the command is as follows: DIV(XXX) ENDVRDEF( ) JTTL() LOC() SECT() STAFFID( )
In this example, the available options are DIV, ENDVRDEF, JTTL, LOC, SECT, and STAFFID. ACF2 administrators can then use any of these options to filter access to the required resources.

Important

Use the SECURITY or ACCOUNT keywords with caution. Make sure that adequate protections are in place for the PAM configuration data sets when using these options.

You can specify up to 24 ACF2 departments, RACF groups, and TSS profiles with ConnectACF2, ConnectGroup, and ConnectProfile. If you exceed this limit, PAM ignores the rest and issues the following error message: Connect group limit exceeded

Important

If you are using a multisystem configuration, you must have the same ESM resources for your master and agent systems. For example, if your master system runs on RACF, your agent systems must also run on RACF. So, if you use the ConnectGroup parameter in a project in your master system, you must use ConnectGroup only in your projects in your agent systems; you cannot use ConnectACF2 or ConnectProfile in your projects in your agent system.

CSDATAField fieldName

Name of the CSDATA field in RACF that has the project user ID that you want to link to a manager-level logon user ID

When you define this parameter in a project, a manager must request and gain approval to use a project user ID that is linked to their logon user ID. This same manager can approve project user ID requests raised by other users in projects to which the manager has access.

Make sure that the CSDATA field is protected by RACF to prevent unauthorized changes. For more information, see Self-managed projects.

A sample code to create the CSDATA field follows:

//JOBCARD   JOB  (),CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID         
//***************************************************        
//* BUILD PAM CUSTOM FIELDS *                                
//***************************************************        
//DEFINE EXEC PGM=IKJEFT1A                                   
//SYSTSPRT DD SYSOUT=*                                       
//SYSTSIN DD *                                               
 SETROPTS CLASSACT(CFIELD)                                   
 RDEFINE CFIELD +                                            
   USER.CSDATA.PAMLINK +                                     
   UACC(NONE) +                                              
   CFDEF(TYPE(CHAR) MAXLENGTH(8) LISTHEAD('PAM LINKED ID') +
   FIRST(ALPHANUM) OTHER(ALPHANUM) )                                                  
//*
//UPDATE EXEC PGM=IKJEFT01,PARM='IRRDPI00 UPDATE'            
//SYSTSPRT DD SYSOUT=*                                       
//SYSUT1 DD DISP=SHR,DSN=SYS1.SAMPLIB(IRRDPSDS)              
//SYSTSIN DD DUMMY                                           
//LIST EXEC PGM=IKJEFT01,PARM='IRRDPI00 LIST (USER CSDATA) '
//SYSTSPRT DD SYSOUT=*                                       
//SYSUT1 DD DISP=SHR,DSN=SYS1.SAMPLIB(IRRDPSDS)
//SYSTSIN DD DUMMY
//*
//***************************************************
//* SET PAMLINK CSDATA FOR USERID                     
//***************************************************
//CSDATA EXEC PGM=IKJEFT1A                            
//SYSTSPRT DD SYSOUT=*                                
//SYSTSIN DD *                                        
 ALTUSER  LogonUserID CSDATA(PAMLINK(ProjectUserID))             
 LISTUSER LogonUserID CSDATA                               
//*

DefaultRetention number type

(SPE2410)

Fallback value for the MaximumRetention and AccessRetention parameters

If the MaximumRetention or AccessRetention parameter is omitted from a project, the omitted parameter takes its value from DefaultRetention, so that a project never runs without a retention limit.

  • number is the number of minutes, hours, or days. The maximum value is 90.
  • type is the unit of measure: Minutes (the default), Hours, or Days.

If you do not specify a value for DefaultRetention, 30 Days (the default) is used.

Description text

Description of the project

The description can be up to 31 bytes and is visible to users requesting and approving access to the project.

ESMProfile profileName

Resource profile containing the access level requirements for the project

Anyone working with this project must have the permissions defined in the specified resource profile. For more information about setting up resource profiles, see Administering.

This parameter was previously known as RACFProfile.

ExpiryNotify type value

(Optional) TSO user ID or email address for project expiry warnings

Use this parameter to notify people when access for any of the project's user IDs is about to expire. First choose the method of notification and then fill in the details:

  • type indicates how the recipient is notified:
    • EMAIL specifies an email address.
    • TSO specifies a TSO user ID.
  • value contains the corresponding contact information:
    • For EMAIL, enter the email address of the person you want to notify.
    • For TSO, enter the TSO user ID of the person you want to notify, or one of the following:
      • USER sends the notification to the PAM user ID requested from the project.
      • REQUESTER sends the notification to the person who requested the PAM user ID from the project.

You can add multiple ExpiryNotify parameters to add multiple email recipients.

Important

  • If you configure ExpiryNotify:

    • The values entered here appear as default settings on the Confirm PAM Access Request page.
    • Modifications made on the Confirm PAM Access Request page override the values configured here.

    For more information, see Task 2—To request a user ID.

  • If you specify EMAIL, PAM uses the value from the EmailProfile block of the RSS server configuration parameters. For the notification process to operate correctly, you must have previously configured these parameters. For more information, see Email Configuration parameters (EMAILDEF).

If the email address is longer than 64 characters, you can enter it in two lines. To enter an email address in two lines, in the first line, specify the parameter with a + sign at its end and enter the first part of the email address. In the second line, specify the parameter again without a + sign and enter the second part of the email address. You can enter 64 characters in each line. So, you can enter an email address of up to 128 characters.

For example:
ExpiryNotify  EMAIL+  userName 
ExpiryNotify  EMAIL   @bmc.com

ExpiryTimer number type

Lead time before a project user ID expires at which the expiry notification is sent

(Optional) For use with ExpiryNotify, specify how far in advance of a project ID's expiry you want the notification to be sent. The maximum value is 90 days.

  • number is the number of minutes, hours, or days.
  • type is the unit of measure: Minutes (the default), Hours, or Days.

If you omit ExpiryTimer, the default value of 5 minutes is used.

LocalAuthenticate resourceProfileName

(Optional) Resource profile containing the list of users permitted to use local authentication

Defining this parameter enables local authentication: users listed in the profile enter their password only once, on the master system, and that authentication grants access to all systems in the request. Use this parameter only in a multisystem configuration. Users need READ or higher access to the profile to receive this privilege, so restrict the permit list to the users who genuinely need single sign-on across systems.

This parameter controls system visibility on the UI and password authentication in the following ways:

  • If a user ID has access to the relevant profile in the master (or agent) system and LocalAuthenticate is defined, the project is displayed on the UI.
  • If a user ID does not have access to a specific profile in the agent system and LocalAuthenticate is not defined, the project is not displayed on the UI.
  • If you omit LocalAuthenticate, users must enter passwords for each system in the request.

MaximumRetention number type

Maximum time to retain access to project resources

Enter the maximum amount of time users can retain their user pool ID or self-elevation privileges.

  • number is the number of minutes, hours, or days. The maximum value is 90.
  • type is the unit of measure: Minutes (the default), Hours, or Days.

If the user enters a value in the Duration box when requesting a user ID that is greater than the MaximumRetention value, MaximumRetention takes precedence.

If you omit type, the default Minutes is used.

(SPE2410)If you omit this parameter, its value is loaded from the DefaultRetention parameter.

Mode UserPool|SelfElevation

Access mode for project

  • UserPool provides temporary user IDs from a predefined pool.
  • SelfElevation lets users temporarily extend the privileges of their own user ID.

If you omit Mode, the default UserPool is used.

Notify activity emailAddress|CSDATA

(Optional) Sends a notification to the specified email address when the specified project activity occurs

Value

Description

activity

Project activity that the user receives notification for

If you specify any of the following activities, then an email is sent only when its corresponding condition exists:

  • Request: Elevation requested
  • Approve: Elevation request approved or (SPE2407) refused
  • Expired: User ID expired
  • Release: User ID released
  • Active: User ID active
  • Cancel: Elevation request canceled
  • NotAuth: Elevation request not authorized
Sendemail

Sends an email when any of the following conditions exist:

  • Elevation requested
  • User ID released
  • User ID active
  • User ID expired
  • Elevation request not authorized
  • Elevation request canceled
  • (SPE2407)Elevation request approved
  • (SPE2407)Elevation request refused

Sessionend

Sends an email when any of the following conditions exist:

  • User ID released
  • User ID expired
  • Elevation request canceled

If you do not specify an activity, then the default value is Sendemail.

emailAddress

Email address to which the notification email about project activity is sent

PAM validates the email address that you specify only by checking for an @ character, and ignores specifications that fail this check without sending a notification.

CSDATA

Sends the project activity notification to an email address defined in the CSDATA segment

For the notification process to operate correctly when CSDATA is specified, you must have previously configured the EmailCustomField parameter in the EmailProfile block in RSS. For more information, see Email Configuration parameters (EMAILDEF). If the CSDATA segment does not have an email address specified in it, then notification emails are not sent.

Typically, you enter the project manager's email address so that user activity in the project triggers notifications to that address. To add multiple email recipients, define multiple Notify parameters with the required email addresses.

If the email address is longer than 64 characters, you can enter it in two lines. To enter an email address in two lines, in the first line, specify the parameter with a + sign at its end and enter the first part of the email address. In the second line, specify the parameter again without a + sign and enter the second part of the email address. You can enter 64 characters in each line. So, you can enter an email address of up to 128 characters.

For example:
Notify  userName 
Notify  @bmc.com

Notify  Release+  userName 
Notify  Release   @bmc.com

NotifyURL protocol domain

(Optional) Adds a URL to the notification email that users receive when performing a project activity. The URL redirects users to the BMC AMI Security Logon window. This parameter takes the following values:

  • protocol is the network protocol that is prefixed in the URL. Specify one of the following values:
    • HTTP: The browser creates an insecure connection to the product.
    • HTTPS (default): The browser creates a secure connection to the product.
  • domain is the domain name in the URL. Specify one of the following values:
    • IP: PAM provides the IP address from the IPAddress parameter (defined in the RSS HTTPServer block). If the IPAddress parameter is not defined, PAM uses the local TCP/IP stack IP address.
    • Host (default): PAM resolves the IP address to a host name.
    • hostName: User-specified host name.

RACFGroup groupName

RACF group associated with the project

Every project has an associated RACF group. For more information, see RACF groups.

RACFProfile profileName

(Optional) RACF profile containing the access level requirements for the project

Anyone working with this project must have the permissions defined in the specified RACF profile.

  • Users requesting IDs and self-elevation must have READ access.
  • Managers who will be approving the requests must have ALTER access.

For a multisystem configuration, users in a self-elevation mode project must have one of the following levels of access:

  • Same level of access to the required profiles on both the master and agent systems
  • READ access on the master system and ALTER access on the agent system

If you omit RACFProfile, the default used is RSM.RSS.projectname, where projectname is the value specified in the PAMProject parameter.

RestrictRelease Yes|No

Denies a user the privilege of releasing other user IDs that are in the same project

The default is No.

Important

Before you define this parameter, you must define the CSDATAField parameter.

SNOWInstance instance

(SPE2407)

ServiceNow instance name used as part of PAM REST API requests.

If your ServiceNow URL is https://companyName.service-now.com, replace companyName with the instance name, which you must provide in the PAM parameter file for REST API access.

SystemList systemName1 systemName2 systemName3 ...

(Optional) Names of servers defined for the project

This parameter applies if you use PAM in a multisystem configuration. Specify one or more servers that user pool or self-elevation IDs associated with the project can access. When a user requests an ID from the project, their authorization to access these servers is verified.

You must make sure that all servers defined for this parameter are also defined in the PAMServers configuration block.

The total list of systems for this parameter always includes the local system on which the master instance is installed. You do not need to define it here.

If you omit SystemList, PAM runs as a single-system instance.

TSSProfile profile

TSS profile associated with the project

This parameter is required for TSS projects. For more information, see TSS profiles.

UniversalMode Yes|No

Determines whether PAM should allow a manager to request a project user ID

When you enable this parameter in a project, to use a project user ID, a manager must request and gain approval. The same manager can approve project user ID requests raised by other users in projects to which the manager has access.

User IDs for managers must have ALTER access.

User IDs for users only must have READ access.

You can use this parameter with user pool mode and self-elevation mode projects. UniversalMode is mutually exclusive with the CSDATAField parameter—if you define both these parameters, PAM considers the CSDATAField configuration only and ignores UniversalMode. For more information, see  Self-managed projects.

EndPAMProject

Indicates the end of a project definition
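Several of the limits in this table (the eight-character project name, the 90-unit retention maximum, the 24-entry Connect limit, the parameters that require CSDATAField, the UserPool-only AllowRepeatedRequests, and the RSM.RSS.projectName default profile) are only enforced when PAM reads the member, so it is worth checking a member before it is deployed. The following Python script is an added example, not BMC code: it parses one PAMProject block following the syntax rules at the top of this page, joins the documented two-line e-mail form (keyword ending in +), and reports the documented violations. The sample member is constructed for illustration; the Description length check counts characters of the re-joined tokens, and the finding texts other than "Connect group limit exceeded" are this example's own wording, not PAM messages.

```python
"""Parse one PAMProject block from an RSS configuration member and apply the
limits this reference states for it.

Added example, not BMC code. SAMPLE_MEMBER is constructed. Only the
'Connect group limit exceeded' wording comes from the reference; the other
finding texts are this example's own.
"""

SAMPLE_MEMBER = """\
* PAM projects (constructed sample, not a BMC-supplied member)
PAMProject DB2ADMIN
  Description        Db2 SYSADM emergency access
  Mode               SelfElevation
  ConnectGroup       DB2SYSAD DB2OPS
  AccessRetention    4 Hours REVOKE
  MaximumRetention   120 Days
  ExpiryNotify       EMAIL+ db2.oncall.very.long.mailbox.name
  ExpiryNotify       EMAIL  @example.com
  AllowRepeatedRequests Unique
EndPAMProject
"""

MAX_RETENTION = 90        # AccessRetention, MaximumRetention, DefaultRetention
MAX_CONNECT = 24          # ConnectACF2 + ConnectGroup + ConnectProfile entries
MAX_DESCRIPTION = 31
CONNECT_KEYS = {"CONNECTACF2", "CONNECTGROUP", "CONNECTPROFILE"}
NEEDS_CSDATAFIELD = {"ALLOWREPEATEDREQUESTS", "RESTRICTRELEASE"}


def parse_project(text: str) -> dict:
    """Return {'name': projectName, 'params': [(KEYWORD, [values]), ...]}.

    Keywords are folded to upper case (not case-sensitive). A first value token
    ending in '+' holds the statement open: the value on the next line with the
    same keyword is appended with no separator (the two-line e-mail form).
    """
    params, name, pending = [], None, None
    for raw in text.splitlines():
        if raw.startswith("*") or not raw.strip():
            continue                                 # comment or blank line
        key, *values = raw.split()                   # any start column is fine
        key = key.upper()
        if key == "PAMPROJECT":
            name = values[0] if values else None
        elif key == "ENDPAMPROJECT":
            break
        elif key == pending:
            params[-1][1][-1] += values[-1]          # second half of the value
            pending = None
        else:
            if values and values[0].endswith("+"):   # e.g. 'ExpiryNotify EMAIL+ ...'
                values[0] = values[0][:-1]
                pending = key
            params.append((key, values))
    return {"name": name, "params": params}


def effective_profile(project: dict) -> str:
    """RACFProfile, or the documented default RSM.RSS.projectName when omitted."""
    for key, values in project["params"]:
        if key == "RACFPROFILE" and values:
            return values[0]
    return f"RSM.RSS.{project['name']}"


def check_project(project: dict) -> list:
    """Run the documented checks; each finding is a human-readable string."""
    findings = []
    name, params = project["name"], project["params"]
    keys = {key for key, _ in params}
    mode = next((v[0].upper() for k, v in params if k == "MODE" and v), "USERPOOL")

    if not name or len(name) > 8:
        findings.append("PAMProject name must be 1 to 8 characters")
    connects = sum(len(v) for k, v in params if k in CONNECT_KEYS)
    if connects > MAX_CONNECT:
        findings.append(f"Connect group limit exceeded ({connects} > {MAX_CONNECT})")
    if connects and mode != "SELFELEVATION":
        findings.append("Connect* parameters apply to self-elevation projects only")
    for key, values in params:
        if key in ("ACCESSRETENTION", "MAXIMUMRETENTION", "DEFAULTRETENTION"):
            if not values or not values[0].isdigit() or int(values[0]) > MAX_RETENTION:
                findings.append(f"{key}: number must be at most {MAX_RETENTION}, got {values[:1]}")
        if key == "DESCRIPTION" and len(" ".join(values)) > MAX_DESCRIPTION:
            findings.append(f"Description exceeds {MAX_DESCRIPTION} bytes")
        if key in NEEDS_CSDATAFIELD and "CSDATAFIELD" not in keys:
            findings.append(f"{key} requires CSDATAField to be defined first")
    if "ALLOWREPEATEDREQUESTS" in keys and mode != "USERPOOL":
        findings.append("AllowRepeatedRequests is valid for UserPool projects only")
    if "UNIVERSALMODE" in keys and "CSDATAFIELD" in keys:
        findings.append("UniversalMode is ignored because CSDATAField is defined")
    return findings


if __name__ == "__main__":
    project = parse_project(SAMPLE_MEMBER)
    print(project["name"], effective_profile(project))
    for finding in check_project(project):
        print("-", finding)
```

For the constructed member the script joins the two ExpiryNotify lines into one address and reports three findings: MaximumRetention 120 exceeds 90, AllowRepeatedRequests needs CSDATAField, and AllowRepeatedRequests is not valid in a SelfElevation project. The RACFProfile default resolves to RSM.RSS.DB2ADMIN, which is the profile you must have defined and permitted before users can see the project.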

PAMServers table

Located on the master PAM instance, the server configuration member uses the following parameters:

Parameter

Description

PAMServers

Indicates the start of the server definitions

name ipAddress portNumber

Defines an agent system that PAM user IDs can access

Enter the name, IP address, and port number of the servers that you want to associate with PAM. The name can be up to 15 characters and does not have to match the actual name of the server. You can repeat this parameter as many times as needed to include all desired systems.

EndPAMServers

Indicates the end of the server definitions

Important

You do not need to define the local system on which the master instance is installed in the PAMServers member. It is included automatically for all users with authorization on the local system.

PAMAgent table

Located on the agent instance, the agent configuration member uses the following parameters:

Parameter

Description

PAMAgent

Indicates the start of the agent definition

name ipAddress

Defines the name and IP address of the local agent system

Enter the name and IP address of the system that PAM user IDs will access. The name can be up to 15 characters and must match the name of a system defined in the master (PAMServers block).

port portNumber

Defines the port number for the local agent system

The number must match the port number defined in the master (PAMServers block) for the specified IP address.

EndPAMAgent

Indicates the end of the agent definition

PAM parameters

PAM uses the following optional configuration parameters:

Parameter

Description

PAMParms

Indicates the start of a block of PAM definitions

AutoGenPhraseLength Length

(SPE2507)

Length of the passphrase that PAM generates while resetting user pool user IDs and while activating user pool user IDs for use

If the installation site uses RACF passphrases, you must define this parameter. Valid values are from 9 to 100.

PAMAgentAlertInterval interval

Controls the interval between two consecutive PAM0481I messages being displayed.

interval is the interval between two consecutive PAM0481I messages in seconds. Valid values are from 60 to 86400. If you set 0, PAM0481I messages are not displayed. If you set any other values outside of this specified range, PAM displays the following error:

RSS0010E Configuration error PAMAgentAlertInterval: outside valid range of 60 - 86400

If you do not define this parameter, 60 (the default) is used.

EndPAMParms

Indicates the end of a block of PAM definitions

BMC AMI Security Privileged Access Manager 2.3