If the MSCA ACID becomes suspended, what are the option(s) to unsuspend the ACID?
An SCA acid has scope over the MSCA, so as long as the SCA ACID has the appropriate admin authority, an SCA ACID can remove the SUSPEND, replace the password, etc.
If there is a situation where the MSCA becomes suspended and none of the SCAs can signon to remove the suspend, there are 2 options:
- If the MSCA's previous password is known:
- From the console, enter:
F TSS, TSS
- This should result in the following prompt:
nn TSS9273A ENTER TSS COMMAND PASSWORD (Where 'nn' is a reply number).
(Where 'nn' is the reply number and 'xxxxx' is the MSCA's previous password).
- If this is successful, the following prompt should be issued:
nn TSS9272A ENTER <TSS COMMAND> OR <END>
nn,TSS REMOVE(msca) SUSPEND
- If necessary, continue to reply to each nn TSS9272A ENTER
<END>with another CA Top Secret command. For example, if the MSCA was suspended for inactivity, the password can be replaced via:
nn,TSS REPLACE(msca) PASSWORD(xxxx)
Once this is done, see if the MSCA can signon. If it can, reply nn,END to end the command session on the console. If the MSCA still cannot signon, issue whatever command(s) are necessary to give the MSCA what it needs to signon.
- If the MSCA's previous password is NOT known:
- Format a new security file. There is sample jcl in member TSSMAINS in the CA Top Secret SAMPJCL library. There is no need to be concerned with the values specified for the required parameters (in SECPARMS member in the SAMPJCL library) other than SCA=MSCA/PASSWORD.
- Change the CA Top Secret startup proc to point to this newly allocated security file (in the SECFILE DD statement).
- Do a temporary shutdown of CA Top Secret:
- From the console, issue P TSS.
- You will be prompted to enter 'T' for temporary or 'Z' for end of day.
- Reply with 'T' (r nn,T) for temporary.
- If an acid is defined for the console and that acid has the CONSOLE attribute, the shutdown will occur. if not, there will be another prompt for an acid and password and it will be necessary to reply with an acid and password that has the CONSOLE attribute.
- Bring CA Top Secret up pointing to the newly allocated security file.
- Sign on as the MSCA (from the SCA=MSCA/PASSWORD used when allocating the new security file).
- Change the CA Top Secret startup proc to point to the old security file (in the SECFILE DD statement.)
- Do another temporary shutdown of CA Top Secret but leave the MSCA signed on.
- Bring CA Top Secret up pointing to the old security file.
- From the MSCA account that is signed on (from step 5), remove the suspend from the MSCA. (Reset the password if necessary.) The same can be done if there are other SCA acids that are currently suspended. If they are suspended because if inactivity, remove the suspend and replace the password.