ACF2, RACF, and Top Secret Profiles


Users who are permitted to use the BMC AMI Security Self Service Password Reset (SSPR) facility must have at least READ access to the Access Control Facility (ACF2), Resource Access Control Facility (RACF), or Top Secret (TSS) resource RSM.RSS.SSPR. By default, this resource is located in the FACILITY class.

If you use a multisystem configuration, make sure that your agent systems use the same external security manager (ESM) as your master system. For example, if your master system uses RACF, your agent systems must also use RACF.


To allow all users access to SSPR, specify UACC(READ). Otherwise, specify UACC(NONE) and permit groups to this resource.

Parameter       Description
RSM.RSS.SSPR    READ access: required for all users who are permitted to use SSPR
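The least-privilege setup described above (UACC(NONE) plus an explicit PERMIT to a group), shown as a RACF batch job with an RLIST to verify the resulting access list. This is an added example, not JCL from the BMC documentation; the group name SSPRUSRS and the DATA text are assumptions, and the job assumes the FACILITY class is already active and RACLISTed.

```jcl
//JOBCARD
//*****************************************************************
//* Added example (not BMC's own JCL): define RSM.RSS.SSPR with   *
//* UACC(NONE) and grant READ only to the hypothetical group      *
//* SSPRUSRS. Assumes FACILITY is already active and RACLISTed.   *
//*****************************************************************
//DEFINE   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
RDEFINE FACILITY RSM.RSS.SSPR UACC(NONE) +
   DATA('BMC AMI Security SSPR - READ required to use SSPR')
PERMIT RSM.RSS.SSPR CLASS(FACILITY) ID(SSPRUSRS) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
RLIST FACILITY RSM.RSS.SSPR AUTHUSER
/*
```

The RLIST output should show UACC NONE and SSPRUSRS with READ in the access list; any other ID or a wider UACC means the resource is more open than intended.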

CA Top Secret profiles

You can use the following commands to define the SSPR profile for CA Top Secret:

TSS ADDTO(MASTER) IBMFAC(RSM.RSS.)
TSS PERMIT(acid) IBMFAC(RSM.RSS.SSPR) ACCESS(READ)

SSPR custom fields

Before deploying SSPR, you must define a set of CA ACF2, RACF, or CA Top Secret custom fields. The following custom fields are required:

Parameter   Description

SSPRPIN     SSPR PIN (Encrypted)

            Attribute    Value
            TYPE         CHAR
            MAXLENGTH    40
            FIRST        ALPHANUM
            OTHER        ALPHANUM

SSPRMAIL    SSPR Email Address

            The SSPRMAIL custom field is required only when AccessCode Email is defined and email addresses are not already defined in RACF.

            Attribute    Value
            TYPE         CHAR
            MAXLENGTH    64
            FIRST        ANY
            OTHER        ALPHANUM
            MIXED        YES

SSPRSDTE    SSPR Setup time stamp

            Attribute    Value
            TYPE         CHAR
            MAXLENGTH    64
            FIRST        ANY
            OTHER        ANY
            MIXED        YES

SSPRRDTE    SSPR Reset time stamp

            Attribute    Value
            TYPE         CHAR
            MAXLENGTH    64
            FIRST        ANY
            OTHER        ANY
            MIXED        YES

SSPRWRD1    Memorable Word 1 (Encrypted)

            Attribute    Value
            TYPE         CHAR
            MAXLENGTH    40
            FIRST        ALPHANUM
            OTHER        ALPHANUM

SSPRWRD2    Memorable Word 2 (Encrypted)

            Attribute    Value
            TYPE         CHAR
            MAXLENGTH    40
            FIRST        ALPHANUM
            OTHER        ALPHANUM

SSPRWRD3    Memorable Word 3 (Encrypted)

            Attribute    Value
            TYPE         CHAR
            MAXLENGTH    40
            FIRST        ALPHANUM
            OTHER        ALPHANUM

SSPRREM1    Memorable Word Reminder 1

            Attribute    Value
            TYPE         CHAR
            MAXLENGTH    40
            FIRST        ANY
            OTHER        ANY
            MIXED        YES

SSPRREM2    Memorable Word Reminder 2

            Attribute    Value
            TYPE         CHAR
            MAXLENGTH    64
            FIRST        ANY
            OTHER        ANY
            MIXED        YES

SSPRREM3    Memorable Word Reminder 3

            Attribute    Value
            TYPE         CHAR
            MAXLENGTH    40
            FIRST        ANY
            OTHER        ANY
            MIXED        YES

SSPR custom field sample commands

Custom fields for RACF

You can use the following JCL to initially define the custom fields to RACF:

//JOBCARD
//*********************************************************************************************************
//* 'DEFINE' builds SSPR Custom Fields                                                                    *
//* 'UPDATE' updates the RACF Profile Segment Parsing Table with these SSPR Custom Fields                 *
//* 'LIST' lists the RACF Profile Segment Parsing Table to check the SSPR Custom Fields are in this Table *
//*********************************************************************************************************
//DEFINE EXEC PGM=IKJEFT1A
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
SETROPTS CLASSACT(CFIELD)
RDEFINE CFIELD +
 USER.CSDATA.SSPRPIN +
 UACC(NONE) +
 CFDEF(TYPE(CHAR) MAXLENGTH(40) LISTHEAD('SSPR Pin') +
 FIRST(ALPHANUM) OTHER(ALPHANUM) )
RDEFINE CFIELD +
 USER.CSDATA.SSPRMAIL +
 UACC(NONE) +
 CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Email') +
 FIRST(ANY) OTHER(ANY) MIXED(YES) )
RDEFINE CFIELD +
 USER.CSDATA.SSPRSDTE +
 UACC(NONE) +
 CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Setup') +
 FIRST(ANY) OTHER(ANY) MIXED(YES) )
RDEFINE CFIELD +
 USER.CSDATA.SSPRRDTE +
 UACC(NONE) +
 CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Reset') +
 FIRST(ANY) OTHER(ANY) MIXED(YES) )
RDEFINE CFIELD +
 USER.CSDATA.SSPRWRD1 +
 UACC(NONE) +
 CFDEF(TYPE(CHAR) MAXLENGTH(40) LISTHEAD('SSPR Word 1') +
 FIRST(ALPHANUM) OTHER(ALPHANUM) )
RDEFINE CFIELD +
 USER.CSDATA.SSPRWRD2 +
 UACC(NONE) +
 CFDEF(TYPE(CHAR) MAXLENGTH(40) LISTHEAD('SSPR Word 2') +
 FIRST(ALPHANUM) OTHER(ALPHANUM) )
RDEFINE CFIELD +
 USER.CSDATA.SSPRWRD3 +
 UACC(NONE) +
 CFDEF(TYPE(CHAR) MAXLENGTH(40) LISTHEAD('SSPR Word 3') +
 FIRST(ALPHANUM) OTHER(ALPHANUM) )
RDEFINE CFIELD +
 USER.CSDATA.SSPRREM1 +
 UACC(NONE) +
 CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Reminder 1') +
 FIRST(ANY) OTHER(ANY) MIXED(YES) )
RDEFINE CFIELD +
 USER.CSDATA.SSPRREM2 +
 UACC(NONE) +
 CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Reminder 2') +
 FIRST(ANY) OTHER(ANY) MIXED(YES) )
RDEFINE CFIELD +
 USER.CSDATA.SSPRREM3 +
 UACC(NONE) +
 CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Reminder 3') +
 FIRST(ANY) OTHER(ANY) MIXED(YES) )
SETROPTS RACLIST(STARTED) REFRESH
//*
//UPDATE EXEC PGM=IKJEFT01,PARM='IRRDPI00 UPDATE'
//SYSTSPRT DD SYSOUT=*
//SYSUT1 DD DISP=SHR,DSN=SYS1.SAMPLIB(IRRDPSDS)
//SYSTSIN DD DUMMY
//LIST EXEC PGM=IKJEFT01,PARM='IRRDPI00 LIST (USER CSDATA) '
//SYSTSPRT DD SYSOUT=*
//SYSUT1 DD DISP=SHR,DSN=SYS1.SAMPLIB(IRRDPSDS)
//SYSTSIN DD DUMMY

Custom fields for CA Top Secret

For a list of the custom fields for CA Top Secret, see Example CA Top Secret configuration in User-credentials.
