Creating your SSPR security credentials


As a user, you must create your security credentials in the BMC AMI Security Self Service Password Reset (SSPR) Setup facility for use during subsequent reset requests.

Before you begin

Make sure that users have read access to the RSM.RSS.SSPR ACF2, RACF, or Top Secret resource, as described in ACF2-RACF-and-Top-Secret-Profiles.

You can require all user credentials or a subset of credentials. The minimum configuration allows authentication through an emailed access code only, which bypasses the need for users to perform an initial setup.

Initial configuration

You can configure SSPR to require all or just a subset of user credentials. The minimum configuration allows authentication through an emailed access code, bypassing the need for the user to perform an initial setup. Examples are provided for RACF, ACF2, and Top Secret.

Sample RACF configuration

You can use the following JCL to initially define the SSPR custom fields in RACF.

//JOBCARD
//***************************************************
//* Build SSPR Custom Fields *
//***************************************************
//DEFINE EXEC PGM=IKJEFT1A
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
 SETROPTS CLASSACT(CFIELD)
 RDEFINE CFIELD +
   USER.CSDATA.SSPRPIN +
   UACC(NONE) +
   CFDEF(TYPE(CHAR) MAXLENGTH(40) LISTHEAD('SSPR Pin') +
   FIRST(ALPHANUM) OTHER(ALPHANUM) )
 RDEFINE CFIELD +
   USER.CSDATA.SSPRMAIL +
   UACC(NONE) +
   CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Email') +
   FIRST(ANY) OTHER(ANY) MIXED(YES) )
 RDEFINE CFIELD +
   USER.CSDATA.SSPRSDTE +
   UACC(NONE) +
   CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Setup') +
   FIRST(ANY) OTHER(ANY) MIXED(YES) )
 RDEFINE CFIELD +
   USER.CSDATA.SSPRRDTE +
   UACC(NONE) +
   CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Reset') +
   FIRST(ANY) OTHER(ANY) MIXED(YES) )
 RDEFINE CFIELD +
   USER.CSDATA.SSPRWRD1 +
   UACC(NONE) +
   CFDEF(TYPE(CHAR) MAXLENGTH(40) LISTHEAD('SSPR Word 1') +
   FIRST(ALPHANUM) OTHER(ALPHANUM) )
 RDEFINE CFIELD +
   USER.CSDATA.SSPRWRD2 +
   UACC(NONE) +
   CFDEF(TYPE(CHAR) MAXLENGTH(40) LISTHEAD('SSPR Word 2') +
   FIRST(ALPHANUM) OTHER(ALPHANUM) )
 RDEFINE CFIELD +
   USER.CSDATA.SSPRWRD3 +
   UACC(NONE) +
   CFDEF(TYPE(CHAR) MAXLENGTH(40) LISTHEAD('SSPR Word 3') +
   FIRST(ALPHANUM) OTHER(ALPHANUM) )
 RDEFINE CFIELD +
   USER.CSDATA.SSPRREM1 +
   UACC(NONE) +
   CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Reminder 1') +
   FIRST(ANY) OTHER(ANY) MIXED(YES) )
 RDEFINE CFIELD +
   USER.CSDATA.SSPRREM2 +
   UACC(NONE) +
   CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Reminder 2') +
   FIRST(ANY) OTHER(ANY) MIXED(YES) )
 RDEFINE CFIELD +
   USER.CSDATA.SSPRREM3 +
   UACC(NONE) +
   CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Reminder 3') +
   FIRST(ANY) OTHER(ANY) MIXED(YES) )
 SETROPTS RACLIST(STARTED) REFRESH
//*
//UPDATE EXEC PGM=IKJEFT01,PARM='IRRDPI00 UPDATE'
//SYSTSPRT DD SYSOUT=*
//SYSUT1 DD DISP=SHR,DSN=SYS1.SAMPLIB(IRRDPSDS)
//SYSTSIN DD DUMMY
//LIST EXEC PGM=IKJEFT01,PARM='IRRDPI00 LIST (USER CSDATA) '
//SYSTSPRT DD SYSOUT=*
//SYSUT1 DD DISP=SHR,DSN=SYS1.SAMPLIB(IRRDPSDS)
//SYSTSIN DD DUMMY

Sample ACF2 configuration

To configure ACF2 fields, create an APPLDEF record for SSPR with a corresponding entry in the INFODIR record. For more information, see the Infostorage Rule Directories (INFODIR) and Structured Infostorage Record Definitions (APPLDEF) topics in Broadcom documentation.

To create an APPLDEF record

  1. Assemble and link the SSPRRSB member (provided below) in the SAMPLIB to create a record structure block (RSB) to define the SSPR fields used during the SETUP process:
    ************************************************       
    * BMC AMI SECURITY SELF SERVICE PASSWORD RESET *       
    *                                              *       
    * SAMPLE RECORD STRUCTURE BLOCK                *       
    * REQUIRED FOR ACF2 APPLDEF SETUP              *       
    *                                              *       
    * (C) BMC SOFTWARE LTD.                        *       
    ************************************************       
    *                                                      
    *  SAMPLE RECORD STRUCTURE BLOCK                       
    *                                                      
    ** THE RECORD MAPPING DSECT                            
    *        SSPRMAP ,                                     
    SSPRMAP  DSECT              SSPR   MAPPING MACRO       
    SSPRDATL DS    H            TRIMMED LENGTH OF RECORD   
    SSPRPIN  DS    CL40         SSPR PIN                   
    SSPRMAIL DS    CL64         SSPR MAIL                  
    SSPRSDTE DS    CL64         SSPR SETUP DATE            
    SSPRRDTE DS    CL64         SSPR RESET DATE            
    SSPRWRD1 DS    CL40         SSPR WORD1                                  
    SSPRWRD2 DS    CL40         SSPR WORD2                                  
    SSPRWRD3 DS    CL40         SSPR WORD3                                  
    SSPRREM1 DS    CL40         SSPR REMINDER WORD1                         
    SSPRREM2 DS    CL40         SSPR REMINDER WORD2                         
    SSPRREM3 DS    CL40         SSPR REMINDER WORD3                         
    SSPRLEN  EQU   *-SSPRMAP    *** LENGTH OF RECORD ***                    
    *                                                                       
    ** GENERATE THE RSB HEADER                                              
    SSPRRSB  ACRSB                                                         X
                   INFOLST=YES,                                            X
                   RECBASE=SSPRMAP,                                        X
                   RECLEN=SSPRLEN,                                         X
                   DYNAMRL=SSPRDATL                                         
    *                                                                       
    ** SPECIFY FIELD DEFINITIONS                                            
    *                                                                       
             @CFDE PIN,SSPRPIN,CHAR,                                       X
                   DFTAD=DFTCHAR,                                          X
                   ALTER=SECURITY,LIST=ALL                                  
             @CFDE MAIL,SSPRMAIL,CHAR,                                     X
                   DFTAD=DFTCHAR,STATUS=LOWERCSE,                          X
                   ALTER=SECURITY,LIST=ALL                                  
             @CFDE SDTE,SSPRSDTE,CHAR,                                     X
                   DFTAD=DFTCHAR,                                          X
                   ALTER=SECURITY,LIST=ALL                                  
             @CFDE RDTE,SSPRRDTE,CHAR,                                     X
                   DFTAD=DFTCHAR,                                          X
                   ALTER=SECURITY,LIST=ALL                                  
             @CFDE WORD1,SSPRWRD1,CHAR,                                    X
                   DFTAD=DFTCHAR,STATUS=LOWERCSE,                          X
                   ALTER=SECURITY,LIST=ALL                                  
             @CFDE WORD2,SSPRWRD2,CHAR,                                    X
                   DFTAD=DFTCHAR,STATUS=LOWERCSE,                          X
                   ALTER=SECURITY,LIST=ALL                                  
             @CFDE WORD3,SSPRWRD3,CHAR,                                    X
                   DFTAD=DFTCHAR,STATUS=LOWERCSE,                          X
                   ALTER=SECURITY,LIST=ALL                                  
             @CFDE REM1,SSPRREM1,CHAR,                                     X
                   DFTAD=DFTCHAR,STATUS=LOWERCSE,                          X
                   ALTER=SECURITY,LIST=ALL                                  
             @CFDE REM2,SSPRREM2,CHAR,                                     X
                   DFTAD=DFTCHAR,STATUS=LOWERCSE,                          X
                   ALTER=SECURITY,LIST=ALL                                  
             @CFDE REM3,SSPRREM3,CHAR,                                     X
                   DFTAD=DFTCHAR,STATUS=LOWERCSE,                          X
                   ALTER=SECURITY,LIST=ALL                                  
    *                                                                       
    ** GENERATE FIELD DEFINITION ENTRIES                                    
             @GENFDES ,                                                     
    *                                                                       
    ** GENERATE FIELD DEFAULT VALUES                                        
    *                                                                       
    *  DEFAULT DATATYPE                                                     
    DFTCHAR  @CFDEDFT NULL,TYPE=CHAR                                        
    *                                                                       
             END
  2. Use the following JCL from the SSPRASML member in the SAMPLIB to create a job to assemble and link the SSPRRSB member:
    //JOBCARD                                                                
    //***********************************************************************
    //* BMC AMI RESIDENT SECURITY SERVER                                    *
    //*                                                                     *
    //* SAMPLE ASSEMBLE/LINK JOB TO CREATE THE RSB (RECORD STRUCTURE BLOCK) *
    //* REQUIRED FOR THE SETUP RECORDS FOR ACF2 SSPR                        *
    //*                                                                     *
    //***********************************************************************
    //* 1) SUBSTITUTE THE FOLLOWING VARIABLES WITH YOUR DATASETS            *
    //*                                                                     *
    //* @@YOUR.SSPR.SAMPLIB@@ - THE SAMPLIB DSN FOR RSS/SSPR                *
    //*                                                                     *
    //* @@YOUR.ACF2.MACLIB@@  - THE DSN WHERE THE ACF2 MACROS RESIDE        *
    //*                                                                     *
    //* @@YOUR.OBJ@@          - THE OBJECT DSN YOU ARE USING FOR ASSEMBLY   *
    //*                                                                     *
    //* @@YOUR.ACF2.LOADLIB@@ - THE LOADLIB DSN YOU USE FOR ACF2            *
    //***********************************************************************
    //* 2) CHECK OVER JOB AND SUBMIT                                        *
    //***********************************************************************
    //* 3) ISSUE "F LLA,REFRESH"                                            *
    //***********************************************************************
    //*                                                                     *
    //* (C) BMC SOFTWARE LTD. 2020-2023                                     *
    //*                                                                     *
    //***********************************************************************
    //ASM      EXEC PGM=ASMA90,REGION=4096K,                                 
    //         PARM='DECK,OBJ'                                               
    //SYSIN    DD  DISP=SHR,DSN=@@YOUR.SSPR.SAMPLIB@@(SSPRRSB)               
    //SYSLIB   DD  DISP=SHR,DSN=@@YOUR.ACF2.MACLIB@@                         
    //SYSLIN   DD  DISP=SHR,DSN=@@YOUR.OBJ@@(SSPRRSB)                        
    //SYSPUNCH DD  SYSOUT=*                                                  
    //SYSPRINT DD  SYSOUT=*                                                  
    //SYSUDUMP DD  SYSOUT=*                                                  
    //SYSUT1   DD  UNIT=SYSDA,SPACE=(800,(50,50),,,ROUND)                    
    //SYSUT2   DD  UNIT=SYSDA,SPACE=(800,(50,50),,,ROUND)                    
    //SYSUT3   DD  UNIT=SYSDA,SPACE=(800,(50,50),,,ROUND)                    
    //*                                                                      
    //LKED     EXEC PGM=IEWL,                                                
    //         PARM='RENT,NCAL,LET,MAP,LIST,XREF'                            
    //SYSPRINT DD  SYSOUT=*                                                  
    //SYSUT1   DD  UNIT=VIO,SPACE=(CYL,(5,2))                     
    //SYSLMOD  DD  DSN=@@YOUR.ACF2.LOADLIB@@(SSPRRSB),DISP=SHR    
    //SYSPUNCH DD  SYSOUT=*                                       
    //SYSLIN   DD  DSN=@@YOUR.OBJ@@(SSPRRSB),DISP=SHR
  3. Run the F LLA,REFRESH command.
  4. Use the following JCL from the SSPRAPPI member in the SAMPLIB to create a job to add the APPLDEF record required for SSPR:
    //JOBCARD                                             
    //************************************************    
    //* SAMPLE PROCEDURE FOR ADDING THE              *    
    //* ACF2 APPLDEF RECORD REQUIRED FOR SSPR        *    
    //*                                              *    
    //* AN APPLDEF.BMCSSPR WILL BE NEEDED SO         *    
    //* SET UP RECORDS CAN BE CREATED/MAINTAINED     *    
    //* FOR EACH LID USING SSPR                      *    
    //*                                              *    
    //* (C) BMC 2025                                 *    
    //************************************************    
    //*                                              *    
    //*  GLOBALLY SUBSTITUTE THE FOLLOWING VARIABLES *    
    //*  BEFORE RUNNING THIS BATCH JOB.              *    
    //*                                              *    
    //*  @@SSPRRSB.LOADLIB@@ -> THE LOADLIB WHERE    *    
    //*                         THE SSPRRSB RESIDES  *    
    //*                                              *    
    //************************************************    
    //************************************************
    //*                                              *
    //*  (OPTIONAL) ADD INFODIR RECORD TO BE USED    *
    //*  FOR THE REQUIRED APPLDEF RECORD FOR SSPR    *
    //*                                              *
    //*  THIS STEP ADDS A RESIDENT PROFILE RECORD    *
    //*  FOR BMC APPLICATIONS                        *
    //*                                              *
    //*  IF YOU ALREADY HAVE A CLASS/TYPE DEFINED    *
    //*  FOR YOUR APPLDEF RECORD THEN IGNORE THIS    *
    //*  STEP.                                       *
    //*                                              *
    //************************************************
    //STEP1  EXEC PGM=ACFBATCH,REGION=0M              
    //SYSPRINT DD SYSOUT=*                            
    //SYSIN DD *                                      
    SET CONTROL(GSO)                                  
    CHANGE INFODIR TYPESX(R-PBMC) ADD                 
    F ACF2,REFRESH(INFODIR)                           
    //************************************************
    //*                                              *
    //* CREATE THE APPLDEF RECORD REQUIRED FOR       *
    //* SSPR SETUP PROCESS                           *            
    //*                                              *            
    //* SET THE SELAUTH TO THE DESIRED AUTHORITY     *            
    //* NEEDED TO USE THESE RECORDS IF YOU WANT      *            
    //* OTHER THAN SECURITY AUTHORITY                *            
    //*                                              *            
    //* CHANGE THE RECID VALUE TO THE NAME OF THE    *            
    //* RSB MEMBER CREATED IF NOT SSPRRSB            *            
    //*                                              *            
    //************************************************            
    //STEP2  EXEC PGM=ACFBATCH,REGION=0M                          
    //SYSPRINT DD SYSOUT=*                                        
    //SYSIN DD *                                                  
    SET CONTROL(GSO)                                              
    INSERT APPLDEF.BMCSSPR APPLDIV(-) APPLDLEN(8) CLASS(P/SSPR)  -
           DFTDRTN() RECID(SSPRRSB/-) RECIDLEN(8)                -
           RSBLIB(@@SSPRRSB.LOADLIB@@) TYPE(BMC/BMCR)       -     
           SELAUTH(SECURITY) REP                                  
    F ACF2,REFRESH(APPLDEF)                                       
    SET SSPR(BMCR) DIVISION(-)                                    
    /*                                                            
    //

To update an APPLDEF record

Use the following JCL from the SSPRAPPC member in the SAMPLIB:

//JOBCARD                                          
//************************************************
//* SAMPLE PROCEDURE FOR MODIFYING THE           *
//* ACF2 APPLDEF RECORD REQUIRED FOR SSPR        *
//*                                              *
//* AN APPLDEF.BMCSSPR WILL BE NEEDED SO         *
//* SET UP RECORDS CAN BE CREATED/MAINTAINED     *
//* FOR EACH LID USING SSPR                      *
//*                                              *
//* (C) BMC 2025                                 *
//************************************************
//*                                              *
//*  GLOBALLY SUBSTITUTE THE FOLLOWING VARIABLES *
//*  BEFORE RUNNING THIS BATCH JOB.              *
//*                                              *
//*  @@SSPRRSB.LOADLIB@@ -> THE LOADLIB WHERE    *
//*                         THE SSPRRSB RESIDES  *
//*                                              *
//************************************************
//************************************************
//*                                              *            
//* MODIFY THE APPLDEF RECORD REQUIRED FOR       *            
//* SSPR SETUP PROCESS                           *            
//*                                              *            
//* SET THE SELAUTH TO THE DESIRED AUTHORITY     *            
//* NEEDED TO USE THESE RECORDS IF YOU WANT      *            
//* OTHER THAN SECURITY AUTHORITY                *            
//*                                              *            
//* CHANGE THE RECID VALUE TO THE NAME OF THE    *            
//* RSB MEMBER CREATED IF NOT SSPRRSB            *            
//*                                              *            
//************************************************            
//STEP1  EXEC PGM=ACFBATCH,REGION=0M                          
//SYSPRINT DD SYSOUT=*                                        
//SYSIN DD *                                                  
SET CONTROL(GSO)                                              
CHANGE APPLDEF.BMCSSPR APPLDIV(-) APPLDLEN(8) CLASS(P/SSPR)  -
       DFTDRTN() RECID(SSPRRSB/-) RECIDLEN(8)                -
       RSBLIB(@@SSPRRSB.LOADLIB@@) TYPE(BMC/BMCR)       -     
       SELAUTH(SECURITY) REP                                  
F ACF2,REFRESH(APPLDEF)                                       
SET SSPR(BMCR) DIVISION(-)                                    
/*                                                            
//

To delete an APPLDEF record

Use the following JCL from the SSPRAPPD member in the SAMPLIB:

//JOBCARD                                          
//************************************************
//* SAMPLE PROCEDURE FOR DELETING THE            *
//* ACF2 APPLDEF RECORD FOR SSPR AND THE         *
//* CORRESPONDING SETUP RECORDS                  *
//*                                              *
//* (C) BMC 2025                                 *
//************************************************
//*                                              *
//*  GLOBALLY SUBSTITUTE THE FOLLOWING VARIABLES *
//*  BEFORE RUNNING THIS BATCH JOB.              *
//*                                              *
//*  @@SSPRRSB.LOADLIB@@ -> THE LOADLIB WHERE    *
//*                         THE SSPRRSB RESIDES  *
//*                                              *
//************************************************
//STEP1    EXEC PGM=ACFBATCH,REGION=0M             
//SYSPRINT DD SYSOUT=*                             
//SYSIN DD *                                       
SET SSPR(BMCR) DIVISION(-)                         
DELETE LIKE(-)                                     
LIST LIKE(-)                                       
SET CONTROL(GSO)                                   
DELETE APPLDEF.BMCSSPR                             
F ACF2,REFRESH(APPLDEF)                            
/*                                                 
//                                                 
//************************************************
//*                                              *
//*  OPTIONALLY INCLUDE STEP2 TO REMOVE THE      *
//*  INFODIR RECORD FOR THE CLASS/TYPE           *
//*                                              *
//************************************************
//STEP2    EXEC PGM=ACFBATCH,REGION=0M             
//SYSPRINT DD SYSOUT=*                             
//SYSIN DD *                                       
SET CONTROL(GSO)                                   
CHANGE INFODIR TYPESX(R-PBMC) DEL                  
F ACF2,REFRESH(INFODIR)                            
/*                                                 
//

Sample Top Secret configuration

You can use the following command deck to initially define the CA Top Secret custom fields for the Field Descriptor Table (FDT). Select appropriate fdtcodes (nn) as required by your organization.

tss addto(fdt) fdtname(SSPRSDTE) fdtcode(nn) maxlen(64) display(SSPRSDTE) attr(mixed)
tss addto(fdt) fdtname(SSPRPIN) fdtcode(nn) maxlen(64) display(SSPRPIN) attr(mixed)
tss addto(fdt) fdtname(SSPRWRD1) fdtcode(nn) maxlen(64) display(SSPRWRD1) attr(mixed)
tss addto(fdt) fdtname(SSPRWRD2) fdtcode(nn) maxlen(64) display(SSPRWRD2) attr(mixed)
tss addto(fdt) fdtname(SSPRWRD3) fdtcode(nn) maxlen(64) display(SSPRWRD3) attr(mixed)
tss addto(fdt) fdtname(SSPRREM1) fdtcode(nn) maxlen(64) display(SSPRREM1) attr(mixed)
tss addto(fdt) fdtname(SSPRREM2) fdtcode(nn) maxlen(64) display(SSPRREM2) attr(mixed)
tss addto(fdt) fdtname(SSPRREM3) fdtcode(nn) maxlen(64) display(SSPRREM3) attr(mixed) 
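
The RACF, ACF2, and Top Secret samples above declare the SSPR fields in three different syntaxes. The following Python script is an added example, not BMC code: it parses abbreviated excerpts of those samples and reports any field that one sample omits or declares with a different length, so the differences can be reviewed before users save the same credentials on multiple systems. The function names and the RACF/ACF2/TSS labels are hypothetical.

```python
import re

# Excerpts of this page's three samples, abbreviated to PIN, MAIL and REM1.
RACF_SAMPLE = """\
 RDEFINE CFIELD +
   USER.CSDATA.SSPRPIN +
   UACC(NONE) +
   CFDEF(TYPE(CHAR) MAXLENGTH(40) LISTHEAD('SSPR Pin') +
   FIRST(ALPHANUM) OTHER(ALPHANUM) )
 RDEFINE CFIELD +
   USER.CSDATA.SSPRMAIL +
   UACC(NONE) +
   CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Email') +
   FIRST(ANY) OTHER(ANY) MIXED(YES) )
 RDEFINE CFIELD +
   USER.CSDATA.SSPRREM1 +
   UACC(NONE) +
   CFDEF(TYPE(CHAR) MAXLENGTH(64) LISTHEAD('SSPR Reminder 1') +
   FIRST(ANY) OTHER(ANY) MIXED(YES) )
"""
ACF2_SAMPLE = """\
SSPRDATL DS    H            TRIMMED LENGTH OF RECORD
SSPRPIN  DS    CL40         SSPR PIN
SSPRMAIL DS    CL64         SSPR MAIL
SSPRREM1 DS    CL40         SSPR REMINDER WORD1
"""
TSS_SAMPLE = """\
tss addto(fdt) fdtname(SSPRPIN) fdtcode(nn) maxlen(64) display(SSPRPIN) attr(mixed)
tss addto(fdt) fdtname(SSPRREM1) fdtcode(nn) maxlen(64) display(SSPRREM1) attr(mixed)
"""


def parse_racf(text):
    """Map each RDEFINE CFIELD USER.CSDATA.<field> to its MAXLENGTH."""
    joined = re.sub(r"\+[ \t]*\n", " ", text)  # fold TSO '+' continuations
    fields = {}
    pattern = r"RDEFINE\s+CFIELD\s+USER\.CSDATA\.(\w+)(.*?)(?=RDEFINE|\Z)"
    for m in re.finditer(pattern, joined, re.S):
        if n := re.search(r"MAXLENGTH\((\d+)\)", m.group(2)):
            fields[m.group(1)] = int(n.group(1))
    return fields


def parse_acf2(text):
    """Map each character field (DS CLnn) of the SSPRMAP DSECT to its length."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^\s*(SSPR\w+)\s+DS\s+CL(\d+)", text, re.M)}


def parse_tss(text):
    """Map each 'tss addto(fdt)' fdtname to its maxlen."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"fdtname\((\w+)\).*?maxlen\((\d+)\)", text, re.I)}


def compare(defs):
    """defs is {manager: {field: length}}; return (field, finding) tuples."""
    findings = []
    for field in sorted(set().union(*defs.values())):
        lengths = {mgr: d[field] for mgr, d in defs.items() if field in d}
        missing = [mgr for mgr in defs if mgr not in lengths]
        if missing:
            findings.append((field, "not defined in " + ", ".join(missing)))
        if len(set(lengths.values())) > 1:
            detail = ", ".join(f"{mgr}={n}" for mgr, n in lengths.items())
            findings.append((field, "length differs: " + detail))
    return findings


if __name__ == "__main__":
    samples = {"RACF": parse_racf(RACF_SAMPLE), "ACF2": parse_acf2(ACF2_SAMPLE),
               "TSS": parse_tss(TSS_SAMPLE)}
    for field, finding in compare(samples):
        print(f"{field}: {finding}")
```

A reported difference is a prompt for review against your own definitions, not necessarily an error; to audit a real installation, pass the full text of your RDEFINE deck, SSPRRSB source, and TSS command deck to the three parsers.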

To create SSPR security credentials for users

  1. In a web browser, enter https://sysid:port/sspr/, substituting the following values:
    • For sysid, use the address or name of the system on which SSPR is running.
    • For port, use the networking port number.
  2. On the BMC AMI Security Self Service Password Reset window, enter your CA ACF2, RACF, or CA Top Secret user ID.
  3. Click the System list and select the required system.
    By default, the System list displays your local system. To display the System list, you must define the SystemList parameter. For more information, see Configuring-SSPR-parameters.
  4. Click Setup.
  5. Enter your password or passphrase (if defined) and click Continue.

    Important

    To reduce misuse by automated systems, the SSPR connection permits only three connection attempts per workstation. After a third unsuccessful attempt, the workstation is locked out of SSPR for 15 minutes.

  6. In the SSPR setup window, enter your credentials for future reset requests:
    • Numeric PIN
    • Three security questions (maximum length of a question is 63 characters)
      You cannot use parentheses or single quotation marks in a security question. If you use them, SSPR displays an error message.
    • Reminder answers for each question (maximum length of an answer is 31 characters)
  7. If SSPR is configured for multiple systems, select the system or systems on which you want to save the SSPR credentials. Enter the current password or passphrase (if defined) for each system and click Continue. The setup request status is displayed.

    Important

    If you have SSPR configured for multiple systems, you must use the same PIN, security questions, and answers for all systems.

  8. To update the status panel, click Refresh Status. To complete the setup process, click Close.

 

BMC AMI Security Self Service Password Reset 2.3