IIRC the SYSCONS (HMC Console) does not have logon capability, so you
should be able to do the reply from there in a worst-case scenario.

-----Original Message-----
Walt Farrell

On Tue, 10 Aug 2010 17:13:27 -0500, Pommier, Rex R.
<rex.pomm...@cnasurety.com> wrote:

>Ken,  (and any others who would like to weigh in on this),
>
>We were playing with this on our sandbox just now, and came across an
>interesting scenario.  There are 2 of us here who are RACF SPECIAL.  As
>you know, if a SPECIAL user types in the wrong password too many times,
>instead of simply revoking their account, RACF will toss message
>ICH301I to allow another attempt.  Unfortunately, the console and the
>system apparently get caught in a twilight-zone type loop.  We couldn't
>log onto the console as a different ID to respond to the message
>because all RACF logons were stacked up behind the message!  I tried to
>reply to the ICH301I message from an SDSF session and that, too,
>locked.  Fortunately I was logged onto a different console already
>(thanks, IBM, for not implementing console timeouts :-) ) and was able
>to respond to the RACF message.  The affected console then rapid-fire
>logged off and on each of the IDs that we had tried to log on to.
>
>I think that alone will probably be enough to convince management that 
>activating console logon requirements is a bad idea.
>
You might consider setting up automatic logon, and allowing the
automatic IDs the authority to issue the REPLY command.

--
Walt Farrell
IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html