Top Secret

  • 1.  How to recover a master ACID whose password is lost

    Posted Nov 02, 2016 01:00 PM

    This past summer I took over TSS management for a client I won't name here.  I recently learned that they're testing an MVS upgrade in the sandbox LPAR, and that I don't seem to have an ACID there.  So first I need to log on to the master ACID and create my own ID; after that I can start diagnosing and fixing their problem.

     

    But no one I've asked so far knows the master ACID's password on that LPAR.  I'm pretty sure there's a way to get in anyway—it involves a reply on the operator console, maybe?—but I can't find the procedure in the TSS manuals.  Can someone tell me how it works, please?



  • 2.  Re: How to recover a master ACID whose password is lost

    Broadcom Employee
    Posted Nov 02, 2016 03:30 PM

    Well, if this is their sandbox LPAR, then I hope it would be very similar to their production LPAR, which I assume you have access to. If it is not very similar (STC names), then you will need to create any STC IDs or entries in the STC ACID, required to get the sandbox up, on their production LPAR. Then, using the procedure to copy the security file from the backup using TSSXTEND, port the newly created security file to the sandbox LPAR and IPL with it. You may be able to get away with simply restarting TSS, but your best bet is an IPL.

     

    I do not know of a procedure that you speak of to recover the MSCA password, but that doesn't mean that one doesn't exist. I am not all-knowing. It just seems to me that a procedure like that would be a pretty big security exposure. And once it is conveyed to you, it can't be un-conveyed.

     

    Alan Scott



  • 3.  Re: How to recover a master ACID whose password is lost

    Broadcom Employee
    Posted Nov 02, 2016 04:50 PM

    Hi Bob,

     

    You can't recover the MSCA's password. As Alan stated in his reply, that would be a security exposure. If no one knows the MSCA password, here are options to reset the MSCA's password:


    ** An SCA with the following can reset the MSCA password by issuing TSS REPL(msca) PASS(xxxx):


    1) ACID(MAINTAIN) or MISC8(PWMAINT) admin authority

     

    AND


    2) If RO21793 (TSS r15) is applied or you are running TSS r16:
    TSS PER(scaacid) CASECAUT(TSSCMD.USER.REPLACE.MSCAPW) 


    After TSS r15 fix RO21793, an SCA will need update access to TSSCMD.USER.REPLACE.MSCAPW in the CASECAUT resource class in order to change the MSCA's password.
    TSS ADD(dept) CASECAUT(TSSCMD.)   (if not already done)
    TSS PER(scaacid) CASECAUT(TSSCMD.USER.REPLACE.MSCAPW) 
    TSS REFRESH(scaacid) JOBNAME(*)  


    ** Another option is an SCA with ACID(XAUTH) can issue a TSS PER(sca) ACID(msca) so the 'sca' acid can submit batch jobs with USER=msca. Then the SCA can run a batch TMP job (IKJEFT01) with USER=msca and in that job, issue: TSS REPL(msca) PASS(xxxx)  


    After doing this, revoke the permit via:
    TSS REV(sca) ACID(msca)

     

    Best regards,

    Bob Boerum
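
The batch TMP job described in the reply above, sketched as JCL. This is an added example, not part of the original post or of Broadcom's documentation; the job name, accounting field and CLASS/MSGCLASS values are assumed placeholders, and msca, sca and xxxx are the post's own placeholders.

```jcl
//MSCARPL  JOB (ACCT),'REPLACE MSCA PW',CLASS=A,MSGCLASS=X,
//             USER=msca
//*
//* Added example. Placeholders: msca = the MSCA ACID, xxxx = new
//* password, ACCT/CLASS/MSGCLASS = site job-card values (assumed).
//* Prerequisite, issued by an SCA with ACID(XAUTH):
//*     TSS PER(sca) ACID(msca)
//* Submit this job from the permitted 'sca' ACID.
//*
//TMP      EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  TSS REPL(msca) PASS(xxxx)
/*
//*
//* Afterwards, revoke the permit:
//*     TSS REV(sca) ACID(msca)
```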



  • 4.  Re: How to recover a master ACID whose password is lost
    Best Answer

    Posted Nov 02, 2016 05:24 PM

    You're right, of course, Bob; it isn't really the password I want to recover, just the ACID.  And somehow I forgot the PERMIT(sca) ACID(master) option; I used that in the production LPAR to get control of the master ACID back when I started.  Of course, in this case someone else would have to do it; I'll have to ask around to find out whether anyone has that authority on that LPAR.

     

    This client is running r15, but I'll ask about R021793.

     

    I had the vague notion that I could log on to the master ACID several times using the wrong password.  I think that locks it up—and it should, because otherwise an attacker could guess at it endlessly.  After it's locked, as I recall, it needs an affirmative reply from the operator console to allow the logon.  But I wasn't clear on whether it would still insist on the correct password at that point, or whether the reply from the console would be enough.  A little hazy on that detail, I am.

     

    Thanks, all.



  • 5.  Re: How to recover a master ACID whose password is lost

    Broadcom Employee
    Posted Nov 02, 2016 05:00 PM

    There really isn't an easy way aside from having an SCA replace the MSCA password.

     

    The following method I am about to give you will require help from your systems programmers.

     

    1. Create a new TSS proc pointing to a security file for which you know the MSCA userid and password. You could always format a new security file with a new MSCA and use it, in the following steps, if you wish.

    2. Bring down the TSS with a temporary shutdown, and bring up the TSS proc you just created pointing to a different security file.

    3. Sign on to TSO with the MSCA from the security file that you just brought up and DON'T log off.

    4. Bring down TSS with a temporary shutdown.

    5. Bring up your normal TSS proc.

    6. Issue a TSS REPLACE(msca_acid) PASS(new_password)

    7. Now you can log off the MSCA and re-sign on with the newly assigned password.

     

    Needless to say... don't try this at home, leave it to trained professionals, and this should be done during off hours.

     

    Please let me know if there are any questions.

     

    Regards,

     

    Joseph Porto - CA Top Secret Level 1 Support