Resetting MASTER SCA Acid.

Document ID : KB000012257
Last Modified Date : 14/02/2018
Show Technical Document Details
Question:

 

Is MASTER SCA password connected/dependent in any way to the customer encryption key that is specified in control statements on TSSFAR job in KEY=?

How is the password reset executed? Can any SCA issue the password reset command?

Can those who know the password logon to TSO with MASTER SCA ACID?

Environment:
z/OS
Answer:

 

The encryption key is used to encrypt the records stored in the security files. The passwords are encrypted depending on your CA Top Secret option AESENC. 
If you want to implement AES 256 you must apply RO86945 with RO88796 RO91603 RO91447 and to run TSSMAINS with the related AES 256 option AES256ENCRYPT. 

To set a new password for the MSCA (using ADDTO or REPLACE), an SCA must have UPDATE access to entity TSSCMD.USER.cmd.MSCAPW in the CASECAUT resource class, 
where cmd is the command being issued. 
This authority is required even if the administrator already has ACID(MAINTAIN) or MISC8(PWMAINT) authority.

Additional Information:

 

For more details about password reset clisk to the link below:

 

https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/using/creating-security-administrators/restricted-administrative-authorities-casecaut-resource-class