
Jazz authentication method (startbfa.sh)


Sally Kwok (112) | asked Apr 01 '19, 10:31 p.m.

I am dealing with password compliance on RTC. Currently, we have an ID with a non-expiring password that logs on from the z/OS agent to the RTC server. Non-expiring passwords will not be allowed soon; thereafter the password will expire every 90 days.
We are trying to find a way to log on to the RTC server with certificate authentication, so that we don't have to change the password every 90 days.
The comments inside the shell script startbfa.sh, which handles the Jazz authentication, specify that there are 4 ways:
1. USERNAME_PASSWORD_POLICY
    (requires JAZZ_USER, JAZZ_PASSWORD_FILE)
2. CERTIFICATE_FILE_POLICY
    (requires JAZZ_CERTIFICATE_FILE, JAZZ_PASSWORD_FILE)
3. SMART_CARD_POLICY
    (requires JAZZ_SMARTCARD set to true, JAZZ_USER)
4. REGISTRY_POLICY
    (requires JAZZ_REGISTRY)

Does anyone know anything about SMART_CARD_POLICY or REGISTRY_POLICY?

Thanks.
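As an added illustration of the four policies quoted above (not code from startbfa.sh or from the Jazz build agent), the script below is a hypothetical pre-flight check an operator could run before launching the agent. The policy names and the JAZZ_* variable names are taken from the comment block in the question; the checks themselves, and the assumption that a policy's secret file (JAZZ_PASSWORD_FILE or JAZZ_CERTIFICATE_FILE) must not be readable by group or others, are mine. The permission check matters regardless of which policy you end up with: a password file, even an encrypted one, is a credential at rest on the agent host.

```shell
#!/bin/sh
# Hypothetical pre-flight check for a Jazz build agent's authentication
# environment. This is an added example, NOT the real startbfa.sh. The
# policy -> variable mapping is copied from the comment block quoted in
# the question; the existence and permission checks are an assumption
# about what an operator would want verified before the agent starts.

# jazz_auth_required POLICY
#   prints the space-separated variables that POLICY requires, or fails
jazz_auth_required() {
    case "$1" in
        USERNAME_PASSWORD_POLICY) echo "JAZZ_USER JAZZ_PASSWORD_FILE" ;;
        CERTIFICATE_FILE_POLICY)  echo "JAZZ_CERTIFICATE_FILE JAZZ_PASSWORD_FILE" ;;
        SMART_CARD_POLICY)        echo "JAZZ_SMARTCARD JAZZ_USER" ;;
        REGISTRY_POLICY)          echo "JAZZ_REGISTRY" ;;
        *) return 1 ;;
    esac
}

# secret_file_ok FILE
#   succeeds only if FILE is a regular file whose mode bits grant no read
#   access to group or others (POSIX find: -perm -004 = other-read bit set,
#   -perm -040 = group-read bit set)
secret_file_ok() {
    f="$1"
    [ -f "$f" ] || { echo "missing secret file: $f" >&2; return 1; }
    if [ -n "$(find "$f" \( -perm -004 -o -perm -040 \) -print 2>/dev/null)" ]; then
        echo "secret file $f is readable by group or others" >&2
        return 1
    fi
    return 0
}

# jazz_auth_check POLICY
#   0 if every variable POLICY needs is set (and sane) in the environment,
#   1 if something is missing or a secret file is too permissive,
#   2 if POLICY is not one of the four listed policies
jazz_auth_check() {
    policy="$1"
    vars=$(jazz_auth_required "$policy") || {
        echo "unknown JAZZ_AUTH_METHOD: $policy" >&2
        return 2
    }
    rc=0
    for v in $vars; do
        # indirect expansion: fetch the value of the variable named in $v
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "$policy requires $v but it is not set" >&2
            rc=1
            continue
        fi
        case "$v" in
            JAZZ_SMARTCARD)
                [ "$val" = "true" ] || { echo "JAZZ_SMARTCARD must be true" >&2; rc=1; } ;;
            JAZZ_PASSWORD_FILE|JAZZ_CERTIFICATE_FILE)
                secret_file_ok "$val" || rc=1 ;;
        esac
    done
    return $rc
}

# Usage (assumed variable name JAZZ_AUTH_METHOD, as in the question):
#   JAZZ_AUTH_METHOD=USERNAME_PASSWORD_POLICY JAZZ_USER=build \
#   JAZZ_PASSWORD_FILE=/var/jazz/agent.pw sh jazz_auth_check.sh
if [ -n "${JAZZ_AUTH_METHOD:-}" ]; then
    jazz_auth_check "$JAZZ_AUTH_METHOD" || exit 1
fi
```

Run it once with the same environment the agent start script will see; a non-zero exit means either a required variable is absent or the referenced secret file is readable by other users on the host, which is the case to fix before worrying about rotation.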

One answer



Ralph Schoon (63.3k33646) | answered Apr 02 '19, 6:24 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

For all I know, the only option is to get an exemption for the functional users. Otherwise you have to change the password. For some purposes you can use an encrypted password file, which you might be able to change in a central place.



I am not sure what Jazz Registry is. Maybe z/OS specific. I can only see USERNAME_PASSWORD_POLICY (requires JAZZ_USER, JAZZ_PASSWORD_FILE) in my build system toolkit/build engine.

I know other users have solved this by using a mix of a file-based user registry (to store the functional users' passwords that do not change) and LDAP, where the regular users are configured.



Comments
Sally Kwok commented Apr 02 '19, 9:14 a.m. | edited Apr 02 '19, 9:42 a.m.
Thanks for the reply. However, our organisation also does not allow functional IDs to have non-expiring passwords. We are trying to avoid the use of a password file, as this means we will need to change the password every 90 days.

We are looking for a one-off set-up solution, e.g. having a PassTicket.
I had a read on this:

I am not sure how it applies to z/OS.
Does anyone have hands-on experience with this?

Also, I looked at JAZZ_AUTH_METHOD:

It mentions these 3 policies:
USERNAME_PASSWORD_POLICY
CERTIFICATE_FILE_POLICY
KERBEROS_POLICY

They are different from the 4 policies mentioned inside the shell script startbfa.sh (comment section). Which one is correct?

