User credentials
Personal identification number
SSPR requires each user to enter a personal identification number (PIN) and three security questions and answers. These are encrypted and saved in the CA ACF2, RACF, or CA Top Secret database. SSPR can optionally support an additional access code, which provides a third method of authentication.
SSPR never decrypts saved PINs, so they can't be read from the system.
Access codes
You can use one of the following kinds of access codes:
- Automatically generated code
- Fixed, predefined code
Access codes are optional.
Automatically generated access codes
Automatically generated access codes require email support from the mainframe. SSPR supports direct communication with a distributed SMTP server or, more commonly, sending email through the SMTP or CSSMTP service running on z/OS.
When a user wants to reset their mainframe password or phrase, SSPR first validates their PIN and then generates a unique access code and emails it to the registered email address for that user. The access code is valid for 15 minutes; after that it expires and the user must request a new code.
On submission of a valid access code, users might, depending on configuration, be prompted to enter one or more memorable words before they can reset their password or phrase.
Fixed, predefined access codes
Fixed access codes are values already known to the user and saved in a CA ACF2, RACF, or CA Top Secret custom field. These are typically values that already exist, such as an employee ID or insurance number. You define the custom field name in the SSPR configuration. Users must enter the appropriate value as their access code.
On submission of a valid access code, users might, depending on configuration, be prompted to enter one or more security answers before they can reset their password or phrase.
Security questions and answers
Users must set up three security questions and answers known only to them.
The answers are encrypted and saved in custom fields in the CA ACF2, RACF, or CA Top Secret database. The security questions are also saved in the CA ACF2, RACF, or CA Top Secret database (but not encrypted). SSPR never decrypts the answers, so they can't be read from the system.
You can configure SSPR to present between one and three of the questions during a password or phrase reset request. When SSPR is configured to present only one question, SSPR selects it randomly. When SSPR is configured to present multiple questions, SSPR selects them randomly and presents them in random order.
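The access-code lifecycle described above (a fresh code per request, a 15-minute validity window, a new code required once it expires) and the random selection of one to three security questions can be modelled as follows. This is an added illustration, not SSPR's own code; the class and function names, the one-time-use rule and the injectable clock are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, List, Optional

# Validity window stated in the documentation: 15 minutes.
ACCESS_CODE_TTL_SECONDS = 15 * 60


@dataclass
class AccessCode:
    value: str
    issued_at: float
    used: bool = False


class ResetSession:
    """Illustrative model of one user's reset request (not SSPR's implementation)."""

    def __init__(self, questions: List[str], clock: Callable[[], float] = time.time):
        self.questions = list(questions)   # the user's registered security questions
        self.clock = clock                 # injectable so expiry can be tested offline
        self.code: Optional[AccessCode] = None

    def issue_code(self) -> str:
        # Unpredictable, single-use code; any outstanding code is replaced.
        self.code = AccessCode(value=secrets.token_urlsafe(8), issued_at=self.clock())
        return self.code.value

    def validate_code(self, submitted: str) -> bool:
        code = self.code
        if code is None or code.used:
            return False
        if self.clock() - code.issued_at > ACCESS_CODE_TTL_SECONDS:
            self.code = None               # expired: the user must request a new code
            return False
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(code.value.encode(), submitted.encode()):
            return False
        code.used = True                   # assumption: a code is accepted only once
        return True

    def pick_questions(self, count: int) -> List[str]:
        # Present between one and three registered questions, chosen at random
        # and returned in random order, using an OS-backed random source.
        if not 1 <= count <= min(3, len(self.questions)):
            raise ValueError("count must be between 1 and 3 and not exceed the registered questions")
        return secrets.SystemRandom().sample(self.questions, count)
```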
Multiple systems
You can configure SSPR to support multiple systems from a single user connection. When an enterprise has multiple CA ACF2, RACF, or CA Top Secret databases, you can configure SSPR to duplicate the user credentials across one or more databases. Similarly, when users reset their user credentials (such as PINs or security questions), you can replicate them across multiple systems.
To maintain integrity, SSPR encrypts user credentials and verifies them on all target systems before they are reset on those systems.
Passphrase support
When you activate passphrase support in SSPR, users with a defined passphrase can also reset their passphrase, unlock their user ID with a passphrase, or set up their credentials with a passphrase. The passphrase-only option controls whether users with passphrases can use SSPR with either a password or a passphrase, or only with a passphrase.
When passphrase support is enabled, but a user has not defined a passphrase, passphrase support is disabled for that user and the user can continue to use SSPR with a password.