CICS: CICS/6000 start-up: Invalid password

ITEM: RTA000051167



Q:  Question:                                                                   
                                                                                
    I have had a stable CICS/6000 environment for many months.                  
    Now CICS died and DCE is unhappy.  SFS had also failed ...                  
    out of space.  We fixed that.  Any ideas on the following?                  
                                                                                
    I use SMIT CICS to start CICS.  I get the following message                 
    in console.msg.                                                             
                                                                                
    ERZ4527E/0087 11/06/94 17:07:22 beever : AIX DCE security                   
    service returned error: 'Invalid password (dce / sec)'                      
                                                                                
---------- ---------- ---------- --------- ---------- ----------                
R:  Response:                                                                   
                                                                               
    It appears CICS/6000's passwords (between the DCE registry                  
    and its keytab file) have become out of sync.                               
                                                                                
    A keytab is a file of passwords.  Since CICS/6000, like all                 
    other DCE principals, must authenticate, CICS/6000 retrieves                
    its password from a keytab file when it authenticates with                  
    DCE.  This is a normal convention with servers in the DCE                   
    world.  For security purposes, access to the keytab file is                 
    only allowed to servers that will be accessing passwords,                   
    and the passwords are encrypted.                                            
                                                                                
    To correct the situation in the default CICS/6000                           
    environment, do the following as root and cell_admin.                       
                                                                                
    - change CICS/6000's password in the registry                              
      (you can use 'smitty chpass' for this.  The principal you
       are going to change is cics/ and your
       principal is cell_admin.  Remember the password you use for
       CICS/6000 as you will also be supplying the same password                
       on the next command.)                                                    
                                                                                
    - change CICS/6000's password in the keytab file.                           
       - cd /var/cics_regions/                                     
       - # rgy_edit                                                             
         rgy_edit=> ktadd -p cics/ -pw  -f keytab        
         rgy_edit=> quit                                                        
         #                                                                      
          (where  is the same password that you gave CICS             
           in the first step)                                                   
                                                                               
    At this point you should be able to start your CICS/6000                    
    again.  This procedure was validated using CICS/6000                        
    V1.1.1.                                                                     
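
An added triage example (not part of the original item and not IBM code) for the failure above: it finds ERZ4527E "Invalid password" entries in console.msg and checks that a keytab file is not readable by group or others. The one-line message layout, the owner-only permission policy, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not IBM code. Assumption: each console.msg entry is one
# line laid out as in the question: ID/number date time region : text.

# Constructed sample input (first line copies the message in the question).
sample_console_msg() {
    cat <<'EOF'
ERZ4527E/0087 11/06/94 17:07:22 beever : AIX DCE security service returned error: 'Invalid password (dce / sec)'
XXX0000I/0000 11/06/94 17:09:10 beever : constructed unrelated entry
EOF
}

# Print "date time region" for each ERZ4527E entry that reports an invalid
# DCE password. Reads the named file(s), or stdin when none is given.
find_invalid_password() {
    awk '$1 ~ /^ERZ4527E\// && /Invalid password \(dce \/ sec\)/ {
             print $2, $3, $4
         }' "$@"
}

# Succeed only if the keytab is a regular file with no group/other
# permission bits (assumed policy: owner-only access).
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        -???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Demo on the constructed sample.
sample_console_msg | find_invalid_password
```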
                                                                                
---------- ---------- ---------- --------- ---------- ----------                
Q:  Question:                                                                   
                                                                                
    How can I set the appropriate "bits" so that CICS, etc., are                
    not killed by expired passwords in the future?                              
                                                                                
---------- ---------- ---------- --------- ---------- ----------                
R:  Response:                                                                   
                                                                                
    CICS/6000 authenticates as a DCE principal when it starts so
    that secure communication with other DCE-based servers is
    possible.
                                                                                
    CICS does not change the password of the principal during                   
    any of its operation.  By default, the password is also                     
    flagged as "never expiring".                                                
                                                                                
    The reason that your cached password and the real password                  
    were mismatched is a mystery.  Since CICS never changes the                 
    password, the original password set and cached during                       
    CICS/6000 configuration should be valid indefinitely.                       
                                                                                
    To verify that password expiration is disabled, authenticate
    to DCE as the cell_admin DCE principal.  Execute the "klist"
    command and confirm that "Password Expires: Never" is
    displayed.
                                                                                
---------- ---------- ---------- --------- ---------- ----------                
 *====================================================*                    
 | This entry has been edited for Library/INFO status.|                    
 *====================================================*                    
                                                                                
---------- ---------- ---------- --------- ---------- ----------                
                                                                                
                                                                                
This item was created from library item Q674693      FDVBH                      
                                                                                
Dated: 12/1996 Category: KIX6000