ACF2, RACF, and Top Secret Profiles
CA Top Secret support is added for (SPE2107).
CA ACF2 support is added for (SPE2204).
Users who are permitted access to the BMC AMI Security Self Service Password Reset (SSPR) facility must have at least READ access to the CA ACF2, RACF, or CA Top Secret resource RSM.RSS.SSPR, which is located by default in the FACILITY class.
To allow all users access to SSPR, specify UACC(READ). Otherwise, specify UACC(NONE) and permit groups to this resource.
Parameter | Description |
---|---|
RSM.RSS.SSPR | READ Access |
CA Top Secret profiles
You can use the following command to define the SSPR profile for CA Top Secret:
TSS PERMIT(acid) IBMFAC(RSM.RSS.SSPR) ACCESS(READ)
SSPR custom fields
Before deploying SSPR, you must define a set of CA ACF2, RACF, or CA Top Secret custom fields. The following custom fields are required:
Parameter | Description |
---|---|
SSPRPIN | SSPR PIN (Encrypted) |
SSPRMAIL | SSPR Email Address. The SSPRMAIL custom field is required only when AccessCode Email is defined and email addresses are not already defined in RACF. |
SSPRSDTE | SSPR Setup time stamp |
SSPRRDTE | SSPR Reset time stamp |
SSPRWRD1 | Memorable Word 1 (Encrypted) |
SSPRWRD2 | Memorable Word 2 (Encrypted) |
SSPRWRD3 | Memorable Word 3 (Encrypted) |
SSPRREM1 | Memorable Word Reminder 1 |
SSPRREM2 | Memorable Word Reminder 2 |
SSPRREM3 | Memorable Word Reminder 3 |
SSPR custom field sample commands
Custom fields for RACF
You can use the following JCL to initially define the custom fields to RACF:
//*********************************************************************************************************
//* 'DEFINE' builds SSPR Custom Fields *
//* 'UPDATE' updates the RACF Profile Segment Parsing Table with these SSPR Custom Fields *
//* 'LIST' lists the RACF Profile Segment Parsing Table to check the SSPR Custom Fields are in this Table *
//*********************************************************************************************************
//DEFINE EXEC PGM=IKJEFT1A
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
SETROPTS CLASSACT(CFIELD)
RDEFINE CFIELD +
USER.CSDATA.SSPRPIN +
UACC(NONE) +
CFDEF(TYPE(CHAR) MAXLENGTH(40) LISTHEAD('SSPR Pin') +
FIRST(ALPHANUM) OTHER(ALPHANUM) )
RDEFINE CFIELD +
USER.CSDATA.SSPRMAIL +
UACC(NONE) +
CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Email') +
FIRST(ANY) OTHER(ANY) MIXED(YES) )
RDEFINE CFIELD +
USER.CSDATA.SSPRSDTE +
UACC(NONE) +
CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Setup') +
FIRST(ANY) OTHER(ANY) MIXED(YES) )
RDEFINE CFIELD +
USER.CSDATA.SSPRRDTE +
UACC(NONE) +
CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Reset') +
FIRST(ANY) OTHER(ANY) MIXED(YES) )
RDEFINE CFIELD +
USER.CSDATA.SSPRWRD1 +
UACC(NONE) +
CFDEF(TYPE(CHAR) MAXLENGTH(40) LISTHEAD('SSPR Word 1') +
FIRST(ALPHANUM) OTHER(ALPHANUM) )
RDEFINE CFIELD +
USER.CSDATA.SSPRWRD2 +
UACC(NONE) +
CFDEF(TYPE(CHAR) MAXLENGTH(40) LISTHEAD('SSPR Word 2') +
FIRST(ALPHANUM) OTHER(ALPHANUM) )
RDEFINE CFIELD +
USER.CSDATA.SSPRWRD3 +
UACC(NONE) +
CFDEF(TYPE(CHAR) MAXLENGTH(40) LISTHEAD('SSPR Word 3') +
FIRST(ALPHANUM) OTHER(ALPHANUM) )
RDEFINE CFIELD +
USER.CSDATA.SSPRREM1 +
UACC(NONE) +
CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Reminder 1') +
FIRST(ANY) OTHER(ANY) MIXED(YES) )
RDEFINE CFIELD +
USER.CSDATA.SSPRREM2 +
UACC(NONE) +
CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Reminder 2') +
FIRST(ANY) OTHER(ANY) MIXED(YES) )
RDEFINE CFIELD +
USER.CSDATA.SSPRREM3 +
UACC(NONE) +
CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Reminder 3') +
FIRST(ANY) OTHER(ANY) MIXED(YES) )
SETROPTS RACLIST(STARTED) REFRESH
//*
//UPDATE EXEC PGM=IKJEFT01,PARM='IRRDPI00 UPDATE'
//SYSTSPRT DD SYSOUT=*
//SYSUT1 DD DISP=SHR,DSN=SYS1.SAMPLIB(IRRDPSDS)
//SYSTSIN DD DUMMY
//LIST EXEC PGM=IKJEFT01,PARM='IRRDPI00 LIST (USER CSDATA) '
//SYSTSPRT DD SYSOUT=*
//SYSUT1 DD DISP=SHR,DSN=SYS1.SAMPLIB(IRRDPSDS)
//SYSTSIN DD DUMMY
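Before submitting a tailored copy of this job, it is worth checking that every required custom field is still defined and still carries UACC(NONE). The following pre-submission check is an added example, not part of the product or of the original page; the function names and the SAMPLE deck are constructed for illustration, and the field list is the one from the table above.

```python
import re

# Required SSPR custom fields, taken from the table on this page.
REQUIRED = ["SSPRPIN", "SSPRMAIL", "SSPRSDTE", "SSPRRDTE", "SSPRWRD1",
            "SSPRWRD2", "SSPRWRD3", "SSPRREM1", "SSPRREM2", "SSPRREM3"]

def tso_commands(deck):
    """Join '+'-continued SYSTSIN lines into whole commands, skipping JCL cards."""
    commands, pending = [], ""
    for line in (raw.strip() for raw in deck.splitlines()):
        if not line or line.startswith("//"):
            continue
        if line.endswith("+"):
            pending += line[:-1].strip() + " "
        else:
            commands.append(pending + line)
            pending = ""
    return commands

def cfield_uacc(deck):
    """Map each USER.CSDATA field defined by RDEFINE CFIELD to its UACC value."""
    found = {}
    for cmd in tso_commands(deck):
        m = re.match(r"RDEFINE\s+CFIELD\s+USER\.CSDATA\.(\w+)", cmd, re.I)
        if m:
            uacc = re.search(r"UACC\((\w+)\)", cmd, re.I)
            found[m.group(1).upper()] = uacc.group(1).upper() if uacc else "UNSPECIFIED"
    return found

def audit(deck, mail_needed=True):
    """Return sorted findings; an empty list means every required field passes."""
    found = cfield_uacc(deck)
    # SSPRMAIL is conditional (see the table), so the caller can waive it.
    required = [f for f in REQUIRED if mail_needed or f != "SSPRMAIL"]
    findings = [f"{name}: not defined" for name in required if name not in found]
    findings += [f"{name}: UACC({found[name]}), expected UACC(NONE)"
                 for name in required if found.get(name, "NONE") != "NONE"]
    return sorted(findings)

# Constructed sample deck: only two fields, one with a deliberately wrong UACC.
SAMPLE = """\
//SYSTSIN DD *
RDEFINE CFIELD +
USER.CSDATA.SSPRPIN +
UACC(READ) +
CFDEF(TYPE(CHAR) MAXLENGTH(40) LISTHEAD('SSPR Pin'))
RDEFINE CFIELD USER.CSDATA.SSPRWRD1 UACC(NONE) +
CFDEF(TYPE(CHAR) MAXLENGTH(40) LISTHEAD('SSPR Word 1'))
//*
"""
```

Calling audit() on the text of the job returns one line per missing field or non-NONE UACC; pass mail_needed=False when email addresses are already defined in RACF.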
Custom fields for CA Top Secret
For a list of the custom fields for CA Top Secret, see Example CA Top Secret configuration in User-credentials.