ESP Workload Automation

  • 1.  ESP PASSWORD command usage

    Posted May 11, 2018 03:31 PM

    Hello!

     

    We are testing the usage of the PASSWORD command to store passwords for Windows (NT) jobs. I have a couple of questions about how to do this the right way.

     

     

    1. Under what type of account should Windows agents be run if you are specifying user names in job definitions and storing passwords using the PASSWORD command?

     

    2. Is it possible to clean up old user IDs that were previously stored if you have forgotten their passwords? Currently it seems that you must know what the password is in order to delete a user.

     

    3. If you used incorrect syntax to store a password, is there a way to determine how the password got stored or "clear" the password so that you can attempt to store it correctly, or rectify the situation some other way?

     

    Thank you very much for your help!

     

    Jonathan Calloway

    Batch Scheduling Specialist

    Operations Support

    Office: 423.535.7342

    Cell: 423.309.2547

     

     

     


     



  • 2.  Re: ESP PASSWORD command usage

    Posted May 11, 2018 04:21 PM

    Hi Jonathan, 

     

    It is best to run the agent as root or system account when using USER statements (passwords). Then it is possible to use local security in the agent to prevent someone from running as root or system account.

     

    The answer to the second and third questions is the same. 

    In order to modify or delete the existing password WITHOUT knowing the password, the user must have UPDATE authority to the ESP.PASSWORD profile.

     



  • 3.  Re: ESP PASSWORD command usage

    Posted May 14, 2018 10:48 AM

    Don,

     

    That makes sense because this morning I finally got this:

     

    ESPWSS4132E You are not authorized to update password entries

     

    So... would you be willing to provide a little guidance on how to update security for this?

     

    Thanks!

    Jonathan



  • 4.  Re: ESP PASSWORD command usage

    Posted May 14, 2018 01:28 PM

    Don,

     

    I have a couple of other related questions:

    - On Windows, does the agent need to run as a local system account? (I realize you mentioned root; that would be for UNIX.)

    - Are any additional configurations needed on Windows agents in order to run Windows jobs as alternate IDs that are stored using the PASSWORD command?

     

    Thanks!



  • 5.  Re: ESP PASSWORD command usage

    Posted May 14, 2018 01:37 PM

    Hi, 

    The USER that the agent runs as will need to be able to update the agenthome directory. Running the agent as a USER will make it easier to access NAS locations. 

     

    Just to clarify a previous post. If the UNIX agent runs as root then there is no password needed. If the UNIX agent runs as a user, then all jobs must run as that user. This is not true on Windows. 

     

    The security team can help you add UPDATE to the ESP.PASSWORD profile. The steps vary depending on whether it is ACF2, Top Secret or RACF. 



  • 6.  Re: ESP PASSWORD command usage

    Posted May 15, 2018 11:02 AM

    Don,

     

    According to our mainframe administrator, the RACF group that I am in has UPDATE rights to the ESP.PASSWORD RACF facility. However, when I attempt to delete something, I get a message telling me that I do not have access. Here is the command input and results below:

     

    The command sent to the server is: password list user(bcbst\f68095a)

    User ID, Type, Qualifier, Name

    bcbst\f68095a, -, -, -

    Last update by D57219N at 09.01 on WEDNESDAY AUGUST 4TH, 2010

    ESPWSS000 -->

    The command sent to the server is: password delete user(bcbst\f68095a)

    ESPWSS4132E You are not authorized to update password entries

    ESPWSS000 -->



  • 7.  Re: ESP PASSWORD command usage

    Posted May 15, 2018 11:26 AM

    Hi, 

    The 4132E message says you don't have authority. 

    The user attempted to update or delete a password entry and did not supply a verification password. The SAF check for UPDATE access to SAF resource PASSWORD failed.

     

    The security team should be able to see a message in the log with exactly the profile that it failed on. 

    If it is Top Secret the security team can do a TSSSIM to see where you are failing. 

     

    Don

     



  • 8.  Re: ESP PASSWORD command usage

    Posted May 22, 2018 10:40 AM

    Don,

     

    Our Security team verified that I have what I need. I also ran the command again, and they were unable to find RACF related messages about it. At this point, I think I will open a ticket.