Configuring SSPR parameters
CA Top Secret support is added in SPE2107.
ACF2 support is added in SPE2204.
After installing BMC AMI Resident Security Server (RSS), configure the following parameters for BMC AMI Security Self Service Password Reset (SSPR):
Parameter | Description
---|---
PasswordReset | Head of the block of SSPR definitions.
AccessCode Email\|Fixed\|None | Method of access code management for password reset. If the MemorableWords and PIN parameters are both set to Disable, you must set the AccessCode parameter to Email.
AccessCodeField fieldName | Name of the CA ACF2, RACF, or CA Top Secret custom field that defines the fixed access code for each user. You must set this parameter when the AccessCode parameter is set to Fixed. The custom field must have been defined to CA ACF2, RACF, or CA Top Secret and populated with valid values for each user.
AccessCodeName description | Description of the CA ACF2, RACF, or CA Top Secret custom field that defines the fixed access code for each user. You must set this parameter when the AccessCode parameter is set to Fixed. The description is displayed on the access code entry panel.
AllowInactive Enable\|Disable | When the product runs on a RACF system, it issues an ALU RESUME command to clear the inactive status of the requested user ID. The default is Disable.
AllowResume No\|Yes | Determines whether SSPR resumes a revoked user after receiving a valid password reset for the user. The default value is No.
EmailCustomField SSPRMAIL\|fieldName\|*WorkAttr* | Name of the CA ACF2, RACF, or CA Top Secret custom field that contains the email address of the user. This parameter overrides the value set in the EmailProfile configuration statement. To use this parameter, you must set the AccessCode parameter to Email. For installations in which email addresses are not already defined in CA ACF2, RACF, or CA Top Secret, users can define their email address by using the SSPR setup process.
ExpirePassword No\|Yes | Determines whether a reset password should expire. If set to Yes, users must change their passwords again when they log in using a new password. The default is No.
ExpireUnlock Enable\|Disable | Controls the process for unlocking a user ID when its password has expired. If set to Enable, users with an expired password can unlock their user IDs. If set to Disable, SSPR displays an error message when users try to unlock their user IDs. The default is Disable. If this parameter is enabled, the started task user ID must have sufficient RACF privileges to issue the ALTUSER command.
HelpText memberName | Member name of the custom text to display in the help panel for SSPR. For more information, see Customizing-SSPR-windows.
InnerBoxImage memberName | (Deprecated in SPE2101) Member name of the custom image to display inside the inner box of the SSPR window. For more information, see Customizing-SSPR-windows.
IPLockout numberOfSeconds | The amount of time a user is locked out of the system after trying to reset a password. Lockouts can occur after five failed reset attempts or if the user tries to reset multiple passwords at the same time. Enter the number of seconds that you want the user to be locked out. If you omit this parameter, the default of 900 seconds (15 minutes) is used.
LogoImage memberName | Member name of the custom image to replace the BMC AMI logo. For more information, see Customizing-SSPR-windows.
LogoImageWidth width | Percentage width of the logo image, specified as a value between 0 and 100. The default width is 20 percent.
MaxPassLength 8\|length | Maximum length for passwords. This parameter does not apply to passphrases. The maximum value that you can set for this parameter is 64, and the default value is 8.
MemorableWords 3\|count\|Disable | If the MemorableWords and PIN parameters are both set to Disable, you must set the AccessCode parameter to Email.
MinimumPhraseLength 14\|length | Minimum length for password phrases. Define a length from 9 to 98 characters. SSPR validates whether the password phrases meet the required length. If you omit this parameter, the minimum length is 14 characters.
MinimumWordLength 4\|length | Minimum length for memorable words. The maximum value is 16 characters. (SPE2010) If you omit this parameter, the minimum length is 4 characters. For versions prior to SPE2010, this parameter has no default value.
MixedCase Off\|On | Determines whether users can set mixed-case passwords. The default value is Off.
PassPhrase Setup\|Reset\|Unlock | Feature with passphrase support activated.
PassPhraseOnly No\|Yes | Determines whether the selected PassPhrase features are available with a password or a passphrase, or only with a passphrase. To use this parameter: If set to Yes, users with a passphrase can use or reset their phrase with SSPR only. Users without a phrase defined can continue to use or reset a password. If you omit this parameter, the default value No is used.
PIN Enable\|Disable | Determines whether SSPR requires a user PIN before proceeding with further authorization checks. If MemorableWords and PIN are both set to Disable, AccessCode must be set to Email. The default value is Enable.
ResetEmail memberName | Member name of the custom text to send as an email when a reset operation is complete. For more information, see Configure SSPR Email Format later in this topic.
ResetHelpText memberName | (Deprecated in SPE2101) Member name of the custom text to display in the help panel of the SSPR reset window. For more information, see Customizing-SSPR-windows.
SetupHelpText memberName | (Deprecated in SPE2101) Member name of the custom text to display in the help panel of the SSPR setup window. For more information, see Customizing-SSPR-windows.
SelfUnlock Enable\|Disable | Determines whether revoked users can unlock their user ID if they enter the current password and the password has not expired. The default value is Disable.
SetupEmail memberName | Member name of the custom text to send as an email when a setup operation is complete. For more information, see Configure SSPR Email Format later in this topic.
SystemList name1 name2 name3 … | Name or names of systems on which a user can replicate a password reset request and user ID unlock request. The entered name or names must match the system name defined in the RSS Servers definition. (SPE2301) You must define this parameter for SSPR to display the System list on the BMC AMI Security Self Service Password Reset window.
TopCenterImage memberName | (Deprecated in SPE2101) Member name of the custom image to display at the top center of the SSPR window. For more information, see Customizing-SSPR-windows.
TopLeftImage memberName | (Deprecated in SPE2101) Member name of the custom image to display at the top-left side of the SSPR window. For more information, see Customizing-SSPR-windows.
TopRightImage memberName | (Deprecated in SPE2101) Member name of the custom image to display at the top-right side of the SSPR window. For more information, see Customizing-SSPR-windows.
UnlockEmail memberName | Member name of the custom text to send as an email when an unlock operation is complete. For more information, see Configure SSPR Email Format later in this topic.
WindowWidth width | Defines the width of the product window. The default value is 750 pixels.
WriteSMF True\|False | Writes SMF records for particular actions. SMF records are written when the following actions are completed: You can also use Yes or No for WriteSMF. If you omit this parameter, the default False (No) is used. The default SMF type used to identify SSPR records is 175, and the subtype is 21. This default is used if no SMFRecordType parameter is defined in the Global configuration parameters for RSS. If you choose to define an SMF type for RSS, we recommend that you use any number between 128 and 255 that is available to be collected by SMF.
EndPasswordReset | Terminates the block of SSPR definitions.
Sample code
The following code displays a sample Password Reset member (SSPR):
```
* SSPR Configuration *
*********************************************
PasswordReset
AccessCode Email
* AccessCodeField EMPNO
* AccessCodeName Employee ID
MemorableWords 3
MinimumWordLength 4
PIN Disable
ExpirePassword No
AllowResume No
EmailCustomField SSPRMAIL
SelfUnlock Enable
PassPhrase Setup Reset
PassPhraseOnly No
MinimumPhraseLength 16
LogoImage BMC2
LogoImageWidth 40
HelpText HELP
UnlockEmail EMAIL1
ResetEmail EMAIL2
SetupEmail EMAIL3
WriteSMF Yes
IPLockout 300
EndPasswordReset
```
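Several parameters in the table above only work in combination (AccessCode Fixed needs AccessCodeField, EmailCustomField needs AccessCode Email, disabling both MemorableWords and PIN forces AccessCode Email) and several carry numeric limits. The following pre-deployment check is an added example, not BMC code: it parses a PasswordReset member in the layout of the sample above and reports violations of those documented rules. The parser and the rule set are assumptions derived from the table; where the page states only a maximum, a lower bound of 1 is assumed.

```python
"""Check an SSPR PasswordReset member against the constraints documented in the parameter table."""

# Constructed sample member, modelled on the page's sample (comment lines start with '*').
SAMPLE_MEMBER = """\
* SSPR Configuration *
PasswordReset
AccessCode Email
* AccessCodeField EMPNO
MemorableWords 3
MinimumWordLength 4
PIN Disable
EmailCustomField SSPRMAIL
MinimumPhraseLength 16
LogoImageWidth 40
WriteSMF Yes
IPLockout 300
EndPasswordReset
"""

def parse_member(text):
    """Return {PARAMETER: [values]} for statements between PasswordReset and EndPasswordReset."""
    params, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):      # blank line or comment
            continue
        name, *values = line.split()
        if name == "PasswordReset":
            inside = True
        elif name == "EndPasswordReset":
            inside = False
        elif inside:
            params[name] = values
    return params

def validate(params):
    """Return a list of findings; an empty list means every documented rule is satisfied."""
    def get(key, default=None):                    # first value of a parameter, or its default
        return params[key][0] if params.get(key) else default
    issues = []
    if (get("MemorableWords", "3") == "Disable" and get("PIN", "Enable") == "Disable"
            and get("AccessCode") != "Email"):
        issues.append("MemorableWords and PIN are both Disable: AccessCode must be Email")
    if get("AccessCode") == "Fixed" and not get("AccessCodeField"):
        issues.append("AccessCode Fixed requires AccessCodeField")
    if "EmailCustomField" in params and get("AccessCode") != "Email":
        issues.append("EmailCustomField requires AccessCode Email")
    # Documented limits; lower bound 1 is assumed where the page gives only a maximum.
    ranges = {"MaxPassLength": (1, 64), "MinimumPhraseLength": (9, 98),
              "MinimumWordLength": (1, 16), "LogoImageWidth": (0, 100)}
    for key, (lo, hi) in ranges.items():
        value = get(key)
        if value is not None and not (value.isdigit() and lo <= int(value) <= hi):
            issues.append(f"{key} must be a number from {lo} to {hi}, got {value!r}")
    if get("WriteSMF", "False") not in ("True", "False", "Yes", "No"):
        issues.append("WriteSMF must be True, False, Yes or No")
    return issues
```

Running `validate(parse_member(SAMPLE_MEMBER))` on the constructed member returns no findings; a member that sets AccessCode Fixed without AccessCodeField, or MinimumPhraseLength below 9, produces one finding per broken rule.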
Configure SSPR Email Format
The ResetEmail, SetupEmail, and UnlockEmail parameters specify a member name that contains custom email text to override the default email format sent by SSPR.
The format of the member should be as follows:
```
Email body text
Email body text
Email body text
Email body text
```
The subject or body text can contain the following variables:
- &SYS—Replaced by the system name on which the operation was performed
- &USERID—Replaced by the user ID for which the operation was performed
Sample code
The following code displays a sample Password Reset email member:
```
The password for userid &USERID has been reset on system &SYS.
```
Where to go from here
After you complete the SSPR configuration, create your SSPR security credentials.