Using


This topic describes the tasks that you can perform using the BMC AMI Security Self Service Password Reset (SSPR) product:

Accessing SSPR

In a web browser, specify the URL in either of the following formats:

  • http://sysID:port/sspr/ (for unencrypted connections)
  • https://sysID:port/sspr/ (for encrypted connections that are configured with AT-TLS)

Here, substitute the following values:

  • For sysID, use the address or name of the system on which SSPR is running.
  • For port, use the networking port number.

The BMC AMI Security Self Service Password Reset window is displayed, on which you can reset, unlock, and set up user IDs.

(SPE2410) The footer of the BMC AMI Security Self Service Password Reset UI displays information such as the current user ID, the product name, and the current release and version details.

Important

  • The product displays only the menus that you are permitted to access. If you do not have the required level of authority to log on to SSPR, your connection might be rejected even if your user ID and password are correct.
  • (SPE2410) The footer of the BMC AMI Security Self Service Password Reset UI displays information such as the current user ID only after you log on to the product. 

Resetting a password

After you have created SSPR security credentials, you can submit password reset requests. To create SSPR security credentials, see Creating your SSPR security credentials.

  1. Access the BMC AMI Security Self Service Password Reset window.
    For more information, see Accessing BMC AMI Security Self Service Password Reset.
  2. In the User ID box, enter your user ID.
  3. Click the System list and select the required system.
    By default, the System list displays your local system. To display the System list, you must define the SystemList parameter. For more information, see Configuring SSPR parameters.
    Important

    If you select multiple systems, the password reset is processed independently for each system based on its authentication requirements. For more information, see Resetting a password on multiple systems.

  4. Click Reset.
    Important

    (SPE2507) Any credential you enter in SSPR (such as a PIN, access code, security-question answer, password, or passphrase) is masked by default. To view the value you entered, click the Show icon. To hide it again, click the Hide icon.

  5. Enter the PIN number you created during the setup process and click Continue.
  6. If your user credential configuration includes an access code, you are prompted to enter it. Depending on the configuration, enter one of the following kinds of access code:

    • Automatically generated access code: You receive an email with an access code and the panel expects the code within 15 minutes.
    • Fixed access code: Enter your fixed access code (such as an employee ID) and click Verify Access Code.
      The access code is validated against the encrypted value in the RACF database. If successful, you can continue to the next step.
  7. Enter answers to the security questions (up to three, depending on configuration). Enter each answer exactly as you did during the setup process, including punctuation and spaces. Then click Verify Answers.
  8. If passphrase support is enabled, click Reset Password or Reset Passphrase.

    • (For password reset) On the Password Reset Service page, enter your new password twice for verification and click Continue. If the new password does not comply with the installation password format and content standards, it is rejected. 
    • (For passphrase reset) On the Password Reset Service page, enter your new passphrase and click Continue.
    Important

    If both password and passphrase fields are displayed, you need to complete only one.

  9. If SSPR is configured for simultaneous password resets on multiple systems, select the system or systems on which to reset the password. The password is reset immediately on the local system, and a request is queued to the remote systems.
    A status panel displays the reset status on each system:

    • Click Refresh Status to update the status display.
    • Click Close to complete the password reset processing.

    You can now log in to your mainframe services with the newly entered password.

Resetting a password (or passphrase) on multiple systems

When you select multiple systems during a password reset, SSPR authenticates you using the methods that the local system requires (for example, PIN, access code, or security-question answers). After local authentication succeeds and you enter a new password (or passphrase), SSPR attempts to reset the password (or passphrase) on each selected remote system using the authentication data you provided for the local system. For each remote system, SSPR validates only the authentication methods that the remote system requires. If a remote system requires fewer methods than the local system, any extra data you provided is ignored; if a remote system requires a method that was not collected locally, the reset fails on that remote system only (the local reset is not affected).

SSPR displays a per-system result in the status table. You might need to click Refresh Status to update the table.

For the password (or passphrase) reset to succeed on each selected system, the following conditions must be satisfied:

  • Your user ID exists on that system.  
  • You completed SSPR setup on that system.  
  • The authentication data required by that system (such as PIN, access code, or security-question answers) matches the data stored for your user ID on that system.

If any of these requirements is not met, the reset fails on the affected system only, while other systems still succeed.

Here are a few common scenarios and outcomes that you might encounter when you reset a password on multiple systems:

Scenario: User is not defined on a remote system you selected

Outcome:

    SSPR displays the following message for that remote system:

    R_ADMIN ERROR - (user might not be defined on the remote system)

    The following message is displayed for the local system which you authenticated:

    Password reset completed successfully

Scenario: Remote system requires an authentication method that was not collected locally

    For example, the local system requires only an access code, but a remote system requires a PIN, or the local system did not collect security-question answers that a remote system requires.

Outcome:

    One of the following messages is displayed for the affected remote system(s):

    • A PIN code is needed to use RESET on the remote system
    • One or more Memorable words are needed to use RESET on the remote system

    The following message is displayed for the local system:

    Password reset completed successfully

Scenario: SSPR setup not completed for the user on a selected remote system

Outcome:

    The following message is displayed for that remote system:

    Password Reset not setup

    Other systems that meet requirements complete the reset and the following message is displayed:

    Password reset completed successfully

Scenario: Authentication data differs across systems

    For example, the values stored on a remote system (for example, PIN, access code, or security-question answers) do not match what you entered during the local authentication.

Outcome:

    That remote system rejects the reset and one of the following messages is displayed for the affected remote system:

    • PIN code rejected
    • Memorable word 1 rejected

    The following message is displayed for the local system:

    Password reset completed successfully

Scenario: All systems meet requirements and the stored authentication data matches

Outcome:

    The following message is displayed for each selected system:

    Password reset completed successfully
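
The per-system evaluation described in this section can be modelled as follows. This is an added example, not code from SSPR or BMC: the order of checks, the record layout, the system names, the sample values, and the plain-text comparison are all assumptions, and only the PIN and memorable-word factors are modelled because those are the factors whose messages are listed above.

```python
# Added model of the documented multi-system behaviour; not SSPR code.
# Messages are quoted from the scenarios above; check order, data layout,
# names and the plain-text comparison are assumptions for illustration.
OK = "Password reset completed successfully"
NEEDED = {"pin": "A PIN code is needed to use RESET on the remote system",
          "words": "One or more Memorable words are needed to use RESET on the remote system"}


def remote_outcome(collected, system):
    """Status message for one remote system, given locally collected factors."""
    if not system["defined"]:
        return "R_ADMIN ERROR - (user might not be defined on the remote system)"
    if not system["setup"]:
        return "Password Reset not setup"
    for method in system["requires"]:  # extra collected factors are ignored
        if method not in collected:
            return NEEDED[method]
        if method == "pin" and collected["pin"] != system["stored"]["pin"]:
            return "PIN code rejected"
        if method == "words":
            # Page shows the message for word 1; later numbering is assumed.
            for i, expected in enumerate(system["stored"]["words"], start=1):
                if collected["words"][i - 1:i] != [expected]:
                    return f"Memorable word {i} rejected"
    return OK


def reset_everywhere(collected, remotes):
    """The local reset already succeeded; each remote is judged on its own."""
    results = {"LOCAL": OK}
    for name, system in remotes.items():
        results[name] = remote_outcome(collected, system)
    return results


# Constructed sample: the local system collected a PIN only.
COLLECTED = {"pin": "4821"}
REMOTES = {
    "SYSB": {"defined": True, "setup": True, "requires": ["pin"], "stored": {"pin": "4821"}},
    "SYSC": {"defined": True, "setup": True, "requires": ["pin", "words"],
             "stored": {"pin": "4821", "words": ["Rex"]}},
    "SYSD": {"defined": True, "setup": True, "requires": ["pin"], "stored": {"pin": "0000"}},
    "SYSE": {"defined": False, "setup": False, "requires": [], "stored": {}},
    "SYSF": {"defined": True, "setup": False, "requires": ["pin"], "stored": {}},
}

if __name__ == "__main__":
    for name, msg in reset_everywhere(COLLECTED, REMOTES).items():
        print(f"{name}: {msg}")
```

With the constructed sample, the local system and SYSB succeed while SYSC, SYSD, SYSE, and SYSF each fail independently with the message for their scenario.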

Unlocking a user ID

The BMC AMI Security Self Service Password Reset unlock service is a configurable option and allows users with a valid password to unlock (resume) their user ID should it be revoked.

Users can unlock a user ID by using either a current password or an expired password.

SSPR provides Multi-factor Authentication (MFA) compound in-band support (mfaToken:esmPassword). To use MFA, you must specify Authenticate MFA in the HTTPServer block (SRVSYS1) for BMC AMI Resident Security Server. For more information, see RSS server configuration parameters.

Before you begin, make sure that you have created SSPR security credentials.

  1. Access the BMC AMI Security Self Service Password Reset window.
    For more information, see Accessing BMC AMI Security Self Service Password Reset.
  2. In the User ID box, enter your user ID.
  3. Click the System list and select the required system.
    By default, the System list displays your local system. To display the System list, you must define the SystemList parameter. For more information, see Configuring SSPR parameters.
  4. Click Unlock.
  5. For multiple systems, select the system(s) to unlock.
  6. Enter your valid password or (if passphrase support is enabled) a passphrase for each system and click Continue.
    Important

    (SPE2507) Any credential you enter in SSPR (such as a PIN, access code, security-question answer, password, or passphrase) is masked by default. To view the value you entered, click the Show icon. To hide it again, click the Hide icon.

  7. After you enter a valid password, a status panel displays the unlock status on each system:
    • To update the status display, click Refresh Status.
    • To complete the password reset processing, click Close.

 

BMC AMI Security Self Service Password Reset 2.3