ACF2 GSO PSWD considerations with PAM


Article ID: 239000




Products: ACF2, ACF2 - z/OS, ACF2 - MISC, CA Privileged Access Manager (PAM)


When setting up Privileged Access Manager to manage the passwords of ACF2 users, multiple errors were seen because the configurations of the two products were not compatible. This article documents the ACF2 GSO PSWD options (and the related logonid fields) that had to be modified to allow PAM to manage passwords.


1. PSWDSIM preventing password reset

This occurs when PSWDSIM in the ACF2 GSO PSWD record is greater than 0. Password similarity checking requires ACF2 to prompt for the user's old password. If a user changes their password through any method where prompting is not possible, the change fails. Turning off similarity checking by setting PSWDSIM to 0 allows PAM to reset an ACF2 user's password.

2. MAXDAYS/MINDAYS and PSWDMAX/PSWDMIN preventing password reset or causing expired passwords

MAXDAYS/MINDAYS in the user's logonid record and PSWDMAX/PSWDMIN in the GSO PSWD record restrict a password change by a non-privileged user to a certain time range after the last password change. MAXDAYS and PSWDMAX force the password to expire after a certain number of days. MINDAYS and PSWDMIN prevent a non-privileged user (or a privileged user changing their own password) from changing their password again within the number of days set. This helps prevent password cycling, where a user cycles through their password history in a matter of minutes in order to keep using the same password. However, when passwords are managed through PAM, this restriction can prevent PAM from resetting a password if the reset is attempted within the number of days specified by MINDAYS or PSWDMIN.

3. PSWDFRC preventing password sync

The default PSWDFRC setting in the GSO PSWD record causes a password set by an administrator to expire on first login. This is used so that the user changes the password to something unknown to the administrator who set it. In the case of PAM, it causes the password set through PAM to fall out of sync, because the password is already expired as soon as it is set. Changing this field to NOPSWDFRC allows the password set by PAM to remain valid until the expiration date determined by MAXDAYS/PSWDMAX.
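The three changes above, applied from a TSO session with the ACF command, as a constructed example added to this article (it is not from the original article or from Broadcom). Lines beginning with `*` are annotations rather than commands, and PAMUSER is a hypothetical logonid standing in for a PAM-managed user; the GSO field values shown are only those the article discusses.

```tso
* Constructed example: ACF2 changes needed before PAM can manage passwords.
* Lines starting with "*" are annotations, not commands. PAMUSER is hypothetical.
ACF
SET CONTROL(GSO)
* Display the current PSWD record first so the original values can be restored.
LIST PSWD
* 1. PSWDSIM: PAM cannot prompt for the old password, so similarity checking must be off.
CHANGE PSWD PSWDSIM(0)
* 2. PSWDMIN: allow a reset even when the last change was fewer than PSWDMIN days ago.
CHANGE PSWD PSWDMIN(0)
* 3. PSWDFRC: do not expire a password set by an administrator (PAM) on first logon.
CHANGE PSWD NOPSWDFRC
* Confirm the three fields now show PSWDSIM(0), PSWDMIN(0) and NOPSWDFRC.
LIST PSWD
* MINDAYS in the logonid record can also block an early reset; check and clear it
* on the PAM-managed logonid.
SET LID
LIST PAMUSER
CHANGE PAMUSER MINDAYS(0)
END
* GSO changes take effect only after the record is refreshed; from the console or SDSF:
*   F ACF2,REFRESH(PSWD)
```

Run `LIST PSWD` again after the refresh to confirm the active record matches. Setting PSWDMIN and MINDAYS to 0 removes the password-cycling control the article describes, so keep MAXDAYS/PSWDMAX in place so that PAM-managed passwords still expire and are rotated on schedule.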