Super Contributor.

ACF2 Password sync failure

This is a new IDM 4.8 install.  The driver is working and adding new accounts to ACF2 but the password is not synchronized.  The sync appears to work in the trace but when the user logs in, the prompt replies PASSWORD NOT MATCHED

[01/30/20 18:47:48.393]:ACF2 ST:Remote Interface Driver: Received command: SUBSCRIBER REPLY(10).
[01/30/20 18:47:48.393]:ACF2 ST:Password synchronization command status detected.
[01/30/20 18:47:48.393]:ACF2 ST:Restoring operation data to output document
[01/30/20 18:47:48.408]:ACF2 ST:SubscriptionShim.execute() returned:
[01/30/20 18:47:48.408]:ACF2 ST:
<nds dtdversion="2.0">
<source>
<product build="201712172108" version="4.7"/>
<contact/>
</source>
<output>
<status event-id="IDMVAULT2D-nds#20200130234746#4#1:5cfdd1d9-ad3f-4e4f-a008-475cce6b7fb3" level="success"/>
<status event-id="pwd-subscribe" level="success">
TU$DDD TU$DDD VISSE, CRAIG
CLKX() CO() DEPT() GRP() KEYX() LVL() SCOPX() SO<operation-data>
<password-subscribe-status>
<association>TU$DDD</association>
</password-subscribe-status>
</operation-data>
</status>
</output>
</nds>

 


Peggy Townsend
Novacoast
Micro Focus Frequent Contributor

Hi,

What are your sub-pass-to-phrase GCVs set to? I say the plural there, as I believe, for some reason, there may be more than 1 definition in the standard out-of-the-box driver. You might have to check in "Driver Config -> Driver params" as well as the various GCV screens.

Cheers,

Steve

Super Contributor.

Both are set to no.  The pass phrase feature is not enabled on ACF2 locally.


Peggy Townsend
Novacoast
Super Contributor.

All passwords come through as expired.  There is a global setting to expire passwords set by a third party and they don't want to change that.  I've learned that when using the fanout, the IDMMODPW script was altered and NOPSWD-EXP was added to make the command look like this:

CHANGE TE$XXX PASSWORD(********) NOPSWD-EXP

It appears we need the same change in the new driver but the mainframe team can't figure out how to make the mod.  Has anyone done this or something similar?


Peggy Townsend
Novacoast
Super Contributor.

This was my fix.  I had to add it after the policy that appends the ACF2CMD.

<rule>
  <description>Password Change</description>
  <conditions>
    <and>
      <if-operation mode="nocase" op="equal">modify-password</if-operation>
    </and>
  </conditions>
  <actions>
    <do-set-local-variable name="varPswdCmd" scope="policy">
      <arg-string>
        <token-xpath expression='add-attr[@attr-name="ACF2CMD"]/value[2]'/>
      </arg-string>
    </do-set-local-variable>
    <do-if>
      <arg-conditions>
        <and>
          <if-local-variable mode="regex" name="varPswdCmd" op="equal">.*NOPSWD-EXP</if-local-variable>
        </and>
      </arg-conditions>
      <!-- then: the command already ends with NOPSWD-EXP, so do nothing -->
      <arg-actions/>
      <!-- else: append the keyword to the second ACF2CMD value -->
      <arg-actions>
        <do-append-xml-text expression='add-attr[@attr-name="ACF2CMD"]/value[2]'>
          <arg-string>
            <token-text xml:space="preserve"> NOPSWD-EXP</token-text>
          </arg-string>
        </do-append-xml-text>
      </arg-actions>
    </do-if>
  </actions>
</rule>

 


Peggy Townsend
Novacoast
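The rule in the last post, mirrored as an added offline check in Python (not part of the original thread or of the driver), so the append-once behaviour can be confirmed on a sample event before the policy is deployed. The event layout is inferred from the rule's XPath, every value in it is a constructed placeholder, and `apply_rule`, `redact` and `second_command` are hypothetical helper names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample event: layout inferred from the rule's XPath,
# all values are placeholders, not data from a real driver trace.
SAMPLE = """<nds dtdversion="2.0"><input>
  <modify-password class-name="User">
    <association>TE$XXX</association>
    <add-attr attr-name="ACF2CMD">
      <value>PLACEHOLDER FIRST COMMAND</value>
      <value>CHANGE TE$XXX PASSWORD(Example1)</value>
    </add-attr>
  </modify-password>
</input></nds>"""

FLAG = "NOPSWD-EXP"

def apply_rule(doc: ET.Element) -> int:
    """Append FLAG to ACF2CMD value[2] unless it is already there.

    Returns the number of commands that were changed."""
    changed = 0
    for op in doc.iter("modify-password"):
        for attr in op.findall("add-attr[@attr-name='ACF2CMD']"):
            values = attr.findall("value")
            if len(values) < 2:       # value[2] selects nothing: no change
                continue
            cmd = values[1].text or ""
            # The rule's pattern, applied as a whole-string match.
            if re.fullmatch(r".*NOPSWD-EXP", cmd, re.S):
                continue              # already flagged, leave untouched
            values[1].text = cmd + " " + FLAG
            changed += 1
    return changed

def redact(cmd: str) -> str:
    """Mask the PASSWORD() operand before a command is logged or compared."""
    return re.sub(r"PASSWORD\([^)]*\)", "PASSWORD(********)", cmd)

def second_command(doc: ET.Element) -> str:
    """Return the text of the second ACF2CMD value."""
    return doc.findall(".//add-attr[@attr-name='ACF2CMD']/value")[1].text

if __name__ == "__main__":
    doc = ET.fromstring(SAMPLE)
    print(apply_rule(doc), redact(second_command(doc)))
    print(apply_rule(doc), redact(second_command(doc)))  # second pass: 0 changes
```

A second pass over the same document changes nothing, which is the property that keeps the keyword from being appended twice if the policy is evaluated again.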