As Dave mentions, we used a dedicated SSH server. I wrote a Unix REXX (U1) which is called by CyberArk through SSH. Via the Unix REXX U1 another REXX is called via the EXEC command (let's say T1).
In T1 we interpret the parameters given by CyberArk, being userid and password. Via zSecure's CKGRACF interface we implemented the password change. CKGRACF is chosen because it's more flexible in scoping the userids which are allowed for password resets. The owner of the target users is a specific group and that group is scoped via CKGRACF (XFACILIT/FACILITY class profile CKG.SCP.ID.*.ownergroup.*).

We allowed the SSH server access to the CKGRACF commands:

    CKG.CMD.USER.REQ.PWNOHIST
    CKG.CMD.USER.REQ.PWSET.EXPIRED
    CKG.CMD.USER.REQ.PWSET.NONEXP
    CKG.CMD.USER.REQ.PWSET.NOPASSWORD
    CKG.CMD.USER.REQ.PWSET.NOPHRASE
    CKG.CMD.USER.REQ.PWSET.PASSWORD
    CKG.CMD.USER.REQ.PWSET.PHRASE
    CKG.CMD.USER.REQ.RESUME

This way, the SSH server can manipulate all users' passwords which have as owner "ownergroup", but nothing else.

If you don't have zSecure, you can also use the RACF ALU command, but that is much less flexible in scoping.

regards,
Luc
