Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

Jazz authentication method (startbfa.sh)

I am dealing with password compliance on RTC. Currently, we have an ID with a non-expiry password that logs on from the z/OS agent to the RTC server. Non-expiry passwords will not be allowed soon; thereafter the password will expire every 90 days.
We are trying to find a way to log onto the RTC server with certificate authentication, so that we don't have to change the password every 90 days.
The comments inside the shell script startbfa.sh, which handles the Jazz authentication, specify that there are 4 ways:
1. USERNAME_PASSWORD_POLICY,
    (requires JAZZ_USER, JAZZ_PASSWORD_FILE)
2. CERTIFICATE_FILE_POLICY,
    (requires JAZZ_CERTIFICATE_FILE, JAZZ_PASSWORD_FILE)
3. SMART_CARD_POLICY,
    (requires JAZZ_SMARTCARD set to true, JAZZ_USER)
4. REGISTRY_POLICY,
    (requires JAZZ_REGISTRY)

Does anyone know anything about SMART_CARD_POLICY or REGISTRY_POLICY?

Thanks.

0 votes
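A preflight check built from the four policies listed in the startbfa.sh comment quoted in the question. This is an added example, not part of the original post or of IBM's script; the function names `check_jazz_auth` and `secret_file_ok` are hypothetical, and the owner-only permission rule for the password and certificate files is an assumption.

```shell
#!/bin/sh
# Added example: verify that the variables each policy requires are set
# before the agent starts. Helper names are hypothetical.

# A secret file must exist, be readable, and grant nothing to group/other.
# Assumption: the certificate file holds key material, so it is treated
# like the password file.
secret_file_ok() {
    [ -n "$1" ] && [ -r "$1" ] || { echo "missing or unreadable file: '$1'" >&2; return 1; }
    perms=$(ls -ld "$1" | cut -c5-10)   # group + other permission bits
    [ "$perms" = "------" ] || { echo "$1 is accessible to group/other" >&2; return 1; }
}

# $1 = policy name. Returns 0 only if everything that policy requires is present.
check_jazz_auth() {
    case "$1" in
        USERNAME_PASSWORD_POLICY)
            [ -n "$JAZZ_USER" ] || { echo "JAZZ_USER not set" >&2; return 1; }
            secret_file_ok "$JAZZ_PASSWORD_FILE" ;;
        CERTIFICATE_FILE_POLICY)
            secret_file_ok "$JAZZ_CERTIFICATE_FILE" &&
            secret_file_ok "$JAZZ_PASSWORD_FILE" ;;
        SMART_CARD_POLICY)
            [ "$JAZZ_SMARTCARD" = "true" ] || { echo "JAZZ_SMARTCARD must be true" >&2; return 1; }
            [ -n "$JAZZ_USER" ] || { echo "JAZZ_USER not set" >&2; return 1; } ;;
        REGISTRY_POLICY)
            [ -n "$JAZZ_REGISTRY" ] || { echo "JAZZ_REGISTRY not set" >&2; return 1; } ;;
        *)
            echo "unknown policy: $1" >&2; return 1 ;;
    esac
}
```

Policy names outside the four in the script comment are rejected rather than passed through.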



One answer


For all I know, the only option is to get an exemption for the functional users. Otherwise you have to change the password. For some purposes you can use an encrypted password file, which you might be able to change at a central place.



I am not sure what Jazz Registry is. Maybe z/OS specific. I can only see USERNAME_PASSWORD_POLICY (requires JAZZ_USER, JAZZ_PASSWORD_FILE) in my build system toolkit/build engine.

I know other users have solved this by using a mix of a file-based user registry (to store the functional users' passwords that do not change) and LDAP, where the regular users are configured.


0 votes

Comments
Thanks for the reply. However, our organisation also does not allow functional IDs to have non-expiry passwords. We are trying to avoid the use of a password file, as this means we will need to change the password every 90 days.

We are looking for a once-off setup solution, e.g. having a pass-ticket.
I had a read on this:

I am not sure how it applies to z/OS.
Does anyone have hands-on experience with this?

Also, I looked at the JAZZ_AUTH_METHOD:

It mentions these 3 policies:
USERNAME_PASSWORD_POLICY
CERTIFICATE_FILE_POLICY
KERBEROS_POLICY

They are different from the 4 policies mentioned inside the shell script startbfa.sh (comment section). Which ones are correct?


Question details
Question asked: Apr 01 '19, 10:31 p.m.

Question was seen: 1,738 times

Last updated: Apr 02 '19, 9:42 a.m.
