Topic
  • 5 replies
  • Latest Post - 2015-08-25T07:08:06Z by franzw
frisalde
73 Posts

Pinned topic Provisioning RACF account without password

2013-07-03T17:40:42Z

Hi everybody,

I am trying to create a RACF account without a password.

I have defined an Automatic Provisioning Policy where the entitlements are defined, except the password attribute. By granting the role to a user, I am able to trigger the automatic provisioning, i.e., an RBAC-based model.

Nevertheless, as you can see on the screenshot, the password attribute is passed to the adapter. Neither the adapter documentation nor the service.def profile says the password is required.

Any clue?

Attachments

  • franzw
    393 Posts

    Re: Provisioning RACF account without password

    2013-07-03T19:16:39Z

    IIRC the only way you can avoid a password on provisioning is by removing the erpassword attribute from the profile...

    The way it works OOB is that the system generates a password based on the PASSWORD policy - if you include the password in the PROVISIONING policy, that will override the password.

    There are some settings on the profile that govern the password on restore:

    com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_ALLOWED_ON_RESTORE
    com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_REQUIRED_ON_RESTORE

    You can look the finer detail up in the formal documentation.

    HTH

    Regards

    Franz Wolfhagen

  • frisalde
    73 Posts

    Re: Provisioning RACF account without password

    2013-07-04T17:37:55Z
    (In reply to franzw, 2013-07-03T19:16:39Z, quoted above.)

    Thanks, Franz, for your reply.

    As far as I know this behaviour is new in ITIM 5.0; on previous releases I don't think it worked as it does now. Besides, the adapter documentation should be amended: as you can see on the screenshot, the password is not required :-0

    On the other hand, I have just realized that when a password is provisioned by a provisioning policy, the adapter checks whether it complies with the password policies, doesn't it?

    Regarding the password on restore setting, I don't think it takes effect in the add account process. :-(

    Attachments

  • franzw
    393 Posts

    Re: Provisioning RACF account without password

    2013-07-04T18:56:47Z
    (In reply to frisalde, 2013-07-04T17:37:55Z, quoted above.)


    I am pretty sure this behavior has been consistent since 4.5 - but no reason to argue about that :-)

    Passwords are IIRC never required - this would not make sense, as you would need to enter them on any account change, and this would require that the administrator knows the password or that it is changed on every account change. You can test this behavior, as it is how services are normally set up...

    I am also pretty sure that the adapter NEVER checks the password - if it is checked, this is part of the workflow; the adapter knows nothing about the policies. I normally recommend NOT provisioning the password like this - it is much better to send the password (or use another secure method) to the user. When the password is created by the password policy, it is ensured to be compliant and (relatively) random.

    The password on restore settings were just to show the only (to me) known behavioral password settings - and to make them known to whoever reads these forums :-)

    Regards

    Franz Wolfhagen

  • joe@ibmdev
    1 Post

    Re: Provisioning RACF account without password

    2015-08-24T19:03:29Z
    (In reply to franzw, 2013-07-04T18:56:47Z, quoted above.)


    Hello Franzw,

    I have a RACF Adapter issue and need your help! When it is configured (without using a SURROGAT user ID on the service form), the connection is OK, but when I try to reconcile only ONE test account, I get the following error message:

    DBG:15/08/24 15:13:20 Encryption libary successfully initialized in NON-FIPS mode
    DBG:15/08/24 15:13:20 Masking SIGTERM
    DBG:15/08/24 15:13:20 adkRegisterCallback: MaxThreads for STATUS set to constant ADK_DEF_MAX_THREADS 3 
    DBG:15/08/24 15:13:20 Managed Resource Agent RACFAGENT, Version 6.0.10088
    DBG:15/08/24 15:13:20 Agent Development Kit - Version 6.02
    DBG:15/08/24 15:13:20 enRole Resource Management API - Version 6.02
    DBG:15/08/24 15:13:20 Encryption library:  OpenSSL 1.0.1g 7 Apr 2014
    DBG:15/08/24 15:21:36 Processing Test Connection request, trans id = 0
    DBG:15/08/24 15:21:36 racfTestConn: adapter_user ISIAGNT
    DBG:15/08/24 15:21:36 racfTestConn: racfRelease RACF 7790
    DBG:15/08/24 15:21:36 racfTestConn: start up 20150824121320Z
    DBG:15/08/24 15:21:36 racfTestConn: last status 20150824122136Z
    DBG:15/08/24 15:21:36 racfTestConn: End of function
    DBG:15/08/24 15:22:02 racfReco.reco_open: Reconciliation job dataset name is SIMCDS.ISIMRACF.CNTL.
    DBG:15/08/24 15:22:02 racfReco.reco_open: Reconciliation output dataset name is SIMCDS.ISIMRACF.SAVE.
    DBG:15/08/24 15:22:02 racfReco.reco_open: recocmd is submit 'SIMCDS.ISIMRACF.CNTL(RECOJOB)' JOBCHAR(R) USER( ISIAGNT)
    ERR:15/08/24 15:22:03 tsoCmd: RECOJOB was not submitted ]
    ERR:15/08/24 15:22:03 tsoCmd: result is: USER NOT AUTHORIZED FOR SUBMIT+
    ERR:15/08/24 15:22:03 racfSearch: failed to initiate reco_open
    DBG:15/08/24 15:22:04 Successfully pipelined 0 entries

    Then if I submit the same request a second time, I get the following message (the ERROR: ENTRY SIMCDS.ISIMRACF.SAVE NOT FOUND+ is because the process itself deletes the file that is needed):

    DBG:15/08/24 15:44:33 racfReco.reco_open: Reconciliation job dataset name is SIMCDS.ISIMRACF.CNTL.
    DBG:15/08/24 15:44:33 racfReco.reco_open: Reconciliation output dataset name is SIMCDS.ISIMRACF.SAVE.
    DBG:15/08/24 15:44:33 racfReco.reco_open: recocmd is submit 'SIMCDS.ISIMRACF.CNTL(RECOJOB)' JOBCHAR(R) USER( ISIAGNT)
    ERR:15/08/24 15:44:34 tsoCmd: result is ENTRY SIMCDS.ISIMRACF.SAVE NOT FOUND+
    ERR:15/08/24 15:44:34 tsoCmd:  return code 8 
    ERR:15/08/24 15:44:34 tsoCmd:  ERROR: ENTRY SIMCDS.ISIMRACF.SAVE NOT FOUND+
    ERR:15/08/24 15:44:34 tsoCmd: RECOJOB was not submitted ]
    ERR:15/08/24 15:44:34 tsoCmd: result is: USER NOT AUTHORIZED FOR SUBMIT+
    ERR:15/08/24 15:44:34 racfSearch: failed to initiate reco_open
    DBG:15/08/24 15:44:35 Successfully pipelined 0 entries

    Question 1: what exact command would resolve this issue: USER NOT AUTHORIZED FOR SUBMIT+ ?

    Question 2: does reconciling ONE account mean a scoped reconcile? According to the RACF Adapter doc, it looks like a scoped reconcile needs some other settings. What we really need here is to reconcile some specified accounts; each time, just reconcile one account. We don't configure any SURROGAT user ID on the service form; we prefer to use the same RACF Adapter user ID, ISIAGNT, to do everything (reconcile and change password).

    Thanks a lot in advance!

  • franzw
    393 Posts

    Re: Provisioning RACF account without password

    2015-08-25T07:08:06Z

    (In reply to joe@ibmdev, 2015-08-24T19:03:29Z, quoted above.)

    Be aware that this is not an official support forum - if you need official support, you need to raise a PMR with IBM support.

    Q1: your problem is that your user does not have sufficient access rights to do what it is trying to do - consult your RACF adapter documentation for the needed access rights and take that to your RACF security admins...

    Q2: I have no idea what you mean by a scoped reconciliation - I have not worked in the RACF area for a long time - but I am pretty sure this can be clarified by support very quickly.

    HTH

    Regards

    Franz Wolfhagen
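What the RACF side of the Q1 answer looks like in practice, as an added example that is not part of this thread and is not taken from IBM's RACF adapter documentation (which remains the authority for the exact authorities the adapter ID needs). A TSO SUBMIT can fail authorization on two RACF classes: JESJOBS, whose profiles are named SUBMIT.nodename.jobname.userid and control who may submit a given job, and SURROGAT, which applies when the SUBMIT carries a USER() value naming an ID other than the submitter (READ access to userid.SUBMIT lets the submitter act for that ID without its password). The adapter ID ISIAGNT, the job library SIMCDS.ISIMRACF.CNTL(RECOJOB) and the JOBCHAR(R) keyword come from the log above; the JES node name N1, the resulting job name RECOJOBR (JOBCHAR appends a character to the job name in the JCL, so confirm the name in the member) and the owning group ISIMADM are assumptions to be replaced with local values. One thing worth confirming against the adapter configuration is the blank inside USER( ISIAGNT) in the logged command: a USER() value that does not match the submitting ID is treated as a surrogate submission rather than a self-submission.

```tso
/* Added example (not from the thread or the adapter documentation):      */
/* RACF checks and permits for "USER NOT AUTHORIZED FOR SUBMIT" on the    */
/* adapter ID ISIAGNT. Assumed local values: JES node N1, job name        */
/* RECOJOBR (member RECOJOB submitted with JOBCHAR(R)), owner ISIMADM.    */
/* Issue from a TSO session, or as SYSTSIN input to IKJEFT01, under an    */
/* ID with the authority to administer these profiles.                    */

/* 1. Which classes are active, RACLISTed and generic-enabled.            */
SETROPTS LIST

/* 2. Can ISIAGNT submit jobs at all? TSOAUTH resource JCL (or the JCL    */
/*    attribute in SYS1.UADS). A missing JCL authority produces a         */
/*    different message than the one in the log, so this is only a        */
/*    sanity check.                                                       */
RLIST TSOAUTH JCL AUTHUSER

/* 3. Which JESJOBS profile covers the reconciliation job, and who is on  */
/*    its access list. Profile format: SUBMIT.nodename.jobname.userid.    */
/*    RLIST of a resource name shows the best-matching generic profile.   */
RLIST JESJOBS SUBMIT.N1.RECOJOBR.ISIAGNT AUTHUSER
SEARCH CLASS(JESJOBS) FILTER(SUBMIT.**)

/* 4. If a covering profile denies ISIAGNT, give it READ on that profile. */
/*    To isolate the adapter job instead of widening an existing generic  */
/*    profile, define a more specific one; RACF uses the most specific    */
/*    match. UACC(NONE) keeps everyone else off it.                       */
RDEFINE JESJOBS SUBMIT.N1.RECOJOB*.ISIAGNT UACC(NONE) OWNER(ISIMADM)
PERMIT SUBMIT.N1.RECOJOB*.ISIAGNT CLASS(JESJOBS) ID(ISIAGNT) ACCESS(READ)

/* 5. Only if the adapter submits with USER() naming a different ID       */
/*    (a surrogate setup): that ID's SURROGAT profile must grant the      */
/*    submitter READ. Shown here for ISIAGNT itself; substitute the       */
/*    surrogate ID if one is configured on the service form.              */
RLIST SURROGAT ISIAGNT.SUBMIT AUTHUSER
RDEFINE SURROGAT ISIAGNT.SUBMIT UACC(NONE) OWNER(ISIMADM)
PERMIT ISIAGNT.SUBMIT CLASS(SURROGAT) ID(ISIAGNT) ACCESS(READ)

/* 6. Changes to RACLISTed classes are not seen until refreshed.          */
SETROPTS RACLIST(JESJOBS SURROGAT) REFRESH

/* 7. Verify the access lists, then rerun the reconciliation and expect   */
/*    the job-submitted message in place of the authorization error.      */
RLIST JESJOBS SUBMIT.N1.RECOJOBR.ISIAGNT AUTHUSER
RLIST SURROGAT ISIAGNT.SUBMIT AUTHUSER
```

Run the RLIST and SEARCH commands before changing anything and keep their output: the access list they show, next to the adapter log, is the evidence a RACF administrator will want before granting anything, and a READ permit on the narrowest profile that covers the job is preferable to widening an existing generic profile that other jobs rely on.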