Creating your SSPR security credentials
Before you begin
Make sure that users have read access to the RSM.RSS.SSPR CA ACF2, RACF, or CA Top Secret resource, as described in ACF2-RACF-and-Top-Secret-Profiles.
You can require all user credentials or a subset of credentials. The minimum configuration allows authentication through an emailed access code only, which bypasses the need for users to perform an initial setup.
Initial configuration
You can configure SSPR to require all or just a subset of user credentials. The minimum configuration allows authentication through an emailed access code, bypassing the need for the user to perform an initial setup. Examples are provided for RACF and CA Top Secret.
(SPE2204) To configure CA ACF2 fields, you must define them to the ACF Field Definition Records (ACFFDR) in accordance with your company policies. For more information, see Field Definition Records (ACFFDR).
Sample RACF configuration
You can use the following JCL to initially define the SSPR custom fields in RACF.
//***************************************************
//* Build SSPR Custom Fields *
//***************************************************
//DEFINE EXEC PGM=IKJEFT1A
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
SETROPTS CLASSACT(CFIELD)
RDEFINE CFIELD +
USER.CSDATA.SSPRPIN +
UACC(NONE) +
CFDEF(TYPE(CHAR) MAXLENGTH(40) LISTHEAD('SSPR Pin') +
FIRST(ALPHANUM) OTHER(ALPHANUM) )
RDEFINE CFIELD +
USER.CSDATA.SSPRMAIL +
UACC(NONE) +
CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Email') +
FIRST(ANY) OTHER(ANY) MIXED(YES) )
RDEFINE CFIELD +
USER.CSDATA.SSPRSDTE +
UACC(NONE) +
CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Setup') +
FIRST(ANY) OTHER(ANY) MIXED(YES) )
RDEFINE CFIELD +
USER.CSDATA.SSPRRDTE +
UACC(NONE) +
CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Reset') +
FIRST(ANY) OTHER(ANY) MIXED(YES) )
RDEFINE CFIELD +
USER.CSDATA.SSPRWRD1 +
UACC(NONE) +
CFDEF(TYPE(CHAR) MAXLENGTH(40) LISTHEAD('SSPR Word 1') +
FIRST(ALPHANUM) OTHER(ALPHANUM) )
RDEFINE CFIELD +
USER.CSDATA.SSPRWRD2 +
UACC(NONE) +
CFDEF(TYPE(CHAR) MAXLENGTH(40) LISTHEAD('SSPR Word 2') +
FIRST(ALPHANUM) OTHER(ALPHANUM) )
RDEFINE CFIELD +
USER.CSDATA.SSPRWRD3 +
UACC(NONE) +
CFDEF(TYPE(CHAR) MAXLENGTH(40) LISTHEAD('SSPR Word 3') +
FIRST(ALPHANUM) OTHER(ALPHANUM) )
RDEFINE CFIELD +
USER.CSDATA.SSPRREM1 +
UACC(NONE) +
CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Reminder 1') +
FIRST(ANY) OTHER(ANY) MIXED(YES) )
RDEFINE CFIELD +
USER.CSDATA.SSPRREM2 +
UACC(NONE) +
CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Reminder 2') +
FIRST(ANY) OTHER(ANY) MIXED(YES) )
RDEFINE CFIELD +
USER.CSDATA.SSPRREM3 +
UACC(NONE) +
CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Reminder 3') +
FIRST(ANY) OTHER(ANY) MIXED(YES) )
SETROPTS RACLIST(STARTED) REFRESH
//*
//UPDATE EXEC PGM=IKJEFT01,PARM='IRRDPI00 UPDATE'
//SYSTSPRT DD SYSOUT=*
//SYSUT1 DD DISP=SHR,DSN=SYS1.SAMPLIB(IRRDPSDS)
//SYSTSIN DD DUMMY
//LIST EXEC PGM=IKJEFT01,PARM='IRRDPI00 LIST (USER CSDATA) '
//SYSTSPRT DD SYSOUT=*
//SYSUT1 DD DISP=SHR,DSN=SYS1.SAMPLIB(IRRDPSDS)
//SYSTSIN DD DUMMY
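As an added example (not part of the product documentation), the following Python script checks a command deck in the layout shown above before it is submitted: it joins the TSO `+` continuations and reports any SSPR custom field that is missing or defined with a UACC other than NONE. The sample deck and the function names `join_continuations` and `lint_deck` are constructed for illustration.

```python
import re

# Constructed sample deck; the second profile uses UACC(READ) on purpose.
SAMPLE_DECK = """\
SETROPTS CLASSACT(CFIELD)
RDEFINE CFIELD +
USER.CSDATA.SSPRPIN +
UACC(NONE) +
CFDEF(TYPE(CHAR) MAXLENGTH(40) LISTHEAD('SSPR Pin') +
FIRST(ALPHANUM) OTHER(ALPHANUM) )
RDEFINE CFIELD +
USER.CSDATA.SSPRMAIL +
UACC(READ) +
CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Email') +
FIRST(ANY) OTHER(ANY) MIXED(YES) )
"""

# Field names taken from the sample JCL on this page.
EXPECTED = {"SSPRPIN", "SSPRMAIL", "SSPRSDTE", "SSPRRDTE", "SSPRWRD1",
            "SSPRWRD2", "SSPRWRD3", "SSPRREM1", "SSPRREM2", "SSPRREM3"}

def join_continuations(deck):
    """Merge TSO lines ending in '+' into one command each; skip JCL cards."""
    commands, current = [], ""
    for line in deck.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        if line.endswith("+"):
            current += line[:-1].strip() + " "
        else:
            commands.append(current + line)
            current = ""
    return commands

def lint_deck(deck):
    """Return (fields, findings) for the RDEFINE CFIELD commands in deck."""
    fields, findings = {}, []
    for cmd in join_continuations(deck):
        m = re.match(r"RDEFINE\s+CFIELD\s+USER\.CSDATA\.(\w+)", cmd, re.I)
        if not m:
            continue
        found = re.search(r"\bUACC\((\w+)\)", cmd, re.I)
        name, uacc = m.group(1).upper(), found.group(1).upper() if found else None
        fields[name] = uacc  # None means no UACC operand was coded
        if uacc != "NONE":
            findings.append(f"{name}: UACC({uacc}), expected NONE")
    findings += [f"{n}: not defined" for n in sorted(EXPECTED - set(fields))]
    return fields, findings
```

Passing the SYSTSIN text of the full deck to `lint_deck` should return an empty findings list when all ten fields are present with UACC(NONE).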
Sample Top Secret configuration
You can use the following command deck to initially define the CA Top Secret custom fields for the Field Descriptor Table (FDT). Select appropriate fdtcodes (nn) as required by your organization.
tss addto(fdt) fdtname(SSPRPIN) fdtcode(nn) maxlen(64) display(SSPRPIN) attr(mixed)
tss addto(fdt) fdtname(SSPRWRD1) fdtcode(nn) maxlen(64) display(SSPRWRD1) attr(mixed)
tss addto(fdt) fdtname(SSPRWRD2) fdtcode(nn) maxlen(64) display(SSPRWRD2) attr(mixed)
tss addto(fdt) fdtname(SSPRWRD3) fdtcode(nn) maxlen(64) display(SSPRWRD3) attr(mixed)
tss addto(fdt) fdtname(SSPRREM1) fdtcode(nn) maxlen(64) display(SSPRREM1) attr(mixed)
tss addto(fdt) fdtname(SSPRREM2) fdtcode(nn) maxlen(64) display(SSPRREM2) attr(mixed)
tss addto(fdt) fdtname(SSPRREM3) fdtcode(nn) maxlen(64) display(SSPRREM3) attr(mixed)
To create SSPR security credentials for users
- In a web browser, enter https://sysid:port/sspr/, substituting the following values:
- For sysid, use the address or name of the system on which SSPR is running.
- For port, use the networking port number.
- On the BMC AMI Security Self Service Password Reset window, enter your CA ACF2, RACF, or CA Top Secret user ID.
- (SPE2301) Click the System list and select the required system.
By default, the System list displays your local system. To display the System list, you must define the SystemList parameter. For more information, see Configuring-SSPR-parameters.
- Click Setup.
Enter your password or passphrase (if defined) and click Continue.
- In the SSPR setup window, enter your credentials for future reset requests:
- Numeric PIN
- Three security questions (SPE2301) (maximum length of a question is 63 characters)
You cannot use parentheses or single quotation marks in a security question. If you use them, SSPR displays an error message.
- Reminder answers for each question (SPE2301) (maximum length of an answer is 31 characters)
If SSPR is configured for multiple systems, select the system or systems on which you want to save the SSPR credentials. Enter the current password or passphrase (if defined) for each system and click Continue. The setup request status is displayed.
- To update the status panel, click Refresh Status. To complete the setup process, click Close.