Configure IBM i Target Accounts

This section describes the configuration steps for IBM i (formerly AS/400) target accounts.
Prerequisites for IBM i Target Accounts
To configure IBM i target accounts, ensure that the following tasks are completed:
  • Add a device (target server) with Password Management as the device type.
    If you are adding an AWS IBM i device, use the private IP address in the Address field of the account. Some features do not function properly when you use the public IP address.
  • Add a target application for the target server. This step includes associating IBM i with the host on which the account resides. See Add an IBM i Target Connector.
To add an IBM i Target account using the CLI, see IBM i Target Connector CLI Configuration.
Create an IBM i Target Account
Follow these steps:
  1. Select Credentials, Manage Targets, Accounts. The Target Account page appears with a list of existing accounts.
  2. Select Add. The Add Target Account page appears.
  3. Select the Host Name magnifying glass to find an existing target server. The Host Name and Device Name fields are filled in from the selected server.
  4. Select the Application Name magnifying glass to find an existing target application on the target server, or select + to create a target application. Select or create a target application of the IBM i type.
    The IBM i tab appears on the Add Target Account page.
  5. Enter the Account Name. The account name must be unique for a given target application and must be the account name that the target system uses.
  6. Select the Password View Policy for the account.
  7. Enter an initial account Password, or select the Generate Credential key icon to generate a default password.
  8. On the Password tab, select Discovery Allowed to discover accounts on the IBM i system. Select the appropriate synchronization option:
    • Update only the Credential Manager Server: Passwords are updated only in Credential Manager. Credential Manager and target system passwords can differ.
    • Update both the Credential Manager Server and the target system: Password updates are performed both in Credential Manager and on the target system to maintain consistency.
  9. On the IBM i tab, do the following steps:
    1. Select the Account Type:
      • User: Use a regular user account.
      • Administrator: Use an administrator account.
    2. Select the Change Process:
      • If you selected User as your Account Type, select Use the following account to change password, and type the name of (or use the magnifying glass icon to specify) an account of the Administrator account type for the same IBM i application.
      • If you selected Administrator as your Account Type, use either Change Process option.
      • (Optional) If you are adding or updating an account and you do not know the existing password, select the Force password change checkbox. The existing password is changed even though the account is not in sync.
    3. Select OK to save.
Your new IBM i target account is added to the list of accounts on the Target Accounts page.
Configure PAM to Allow Non-Administrative Users to Unlock IBM i Target Accounts Without Administrative Privileges
This feature provides self-service password unlock for privileged users who are inadvertently locked out of an account whose password they have permission to view. However, we strongly recommend that administrators who provision privileged account access consider the security and compliance policy implications of configuring this functionality. Self-service unlock events are included in the session log for auditing purposes.
This procedure describes how to configure PAM so that a local non-administrative user can unlock an IBM i target account that has been locked, as in the following example scenario:
  1. A user logs into PAM and accesses a target account for an IBM i system and checks out the credentials. The target account is assigned a password view policy with the following options set:
    • Check-out / Check-in
    • Change Password on View
  2. Later, the user attempts to log in to the IBM i system from an external terminal emulator using the password they checked out earlier, but it is no longer valid for one of the following reasons:
    • The Force check-in after period configured in the password view policy has expired and the password has been rotated.
    • A local administrator has changed the password on the IBM i system.
  3. The user reattempts to use the password until they exceed the maximum number of allowed failed login attempts configured on the IBM i system and the account is locked.
Configure the Server
Complete the following procedure to configure Privileged Access Manager to allow non-administrative users to unlock a locked IBM i target account.
Follow these steps:
  1. Navigate to Credentials, Manage Targets, Accounts.
  2. Select the target account for the IBM i system and select UPDATE.
  3. In the Update dialog that opens, select the IBM i tab.
  4. Select the Use the following account to change password option and specify the name of a target account that has privileges to unlock the account on the IBM i machine.
  5. Set the Unlock locked account option.
  6. Select OK to save.
Unlock Situations
The following unlock situations only apply when PAM is configured to allow non-administrative users to unlock IBM i target accounts without administrative privileges as shown earlier in this section.
Privileged Access Manager unlocks a locked IBM i account and generates a new password when any of the following actions occurs:
  • If the associated password view policy has the Change Password on View option set, a standard user checks in the existing password associated with the locked account.
  • A Privileged Access Manager administrator with the necessary privileges rotates the password.
  • A scheduled job rotates the password.
Logging
This feature includes an audit trail that attributes unlock events resulting from this functionality in the session log (Sessions, Logs). To isolate such events, use the following filter parameters:
  • Column=Details
  • Value=unlock
In the filtered results, the User Name field indicates whether the unlock was performed by a standard user, an administrator, or a scheduled job.
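The same Column=Details / Value=unlock filter can be applied offline to an exported copy of the session log, which is useful when an auditor wants to review unlock activity outside the PAM UI. The following is an added example, not code or output from the PAM product or its documentation; it assumes the log has been exported as CSV with at least the "User Name" and "Details" columns shown in the Sessions, Logs view, and the sample rows and their wording are constructed for illustration only.

```python
"""Filter a session-log export for self-service unlock events.

Added example, not part of the PAM documentation or product. It assumes the
session log was exported as CSV with at least the "User Name" and "Details"
columns; the header names and the sample rows below are constructed for
illustration and do not reproduce a real PAM export format.
"""
import csv
import io
from collections import Counter

# Constructed sample export (not real PAM output).
SAMPLE_EXPORT = """Timestamp,User Name,Target Account,Details
2024-01-05 09:12:01,jsmith,ibmi-prod/QUSER1,Password checked out
2024-01-05 09:40:17,jsmith,ibmi-prod/QUSER1,Password checked in; account unlocked and password rotated
2024-01-05 10:02:44,pamadmin,ibmi-prod/QUSER2,Manual password rotation; Unlock performed
2024-01-05 23:00:00,Scheduled Job,ibmi-prod/QUSER3,Scheduled password rotation
2024-01-06 23:00:00,Scheduled Job,ibmi-prod/QUSER1,Scheduled password rotation; account unlocked
"""


def parse_export(text):
    """Parse the CSV export into a list of row dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def unlock_events(rows, column="Details", value="unlock"):
    """Return rows whose `column` contains `value`, case-insensitively.

    This mirrors the Column=Details / Value=unlock filter in the UI; the
    case-insensitive match catches both "unlocked" and "Unlock performed".
    """
    needle = value.lower()
    return [row for row in rows if needle in row.get(column, "").lower()]


def unlock_counts_by_user(rows):
    """Count unlock events per User Name.

    The User Name is what distinguishes a standard user's self-service
    unlock from one triggered by an administrator or a scheduled job.
    """
    return Counter(row["User Name"] for row in unlock_events(rows))


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for row in unlock_events(rows):
        print(row["Timestamp"], row["User Name"], row["Target Account"],
              "-", row["Details"])
    print(dict(unlock_counts_by_user(rows)))
```

Run against a real export, the only change needed is to read the file contents instead of `SAMPLE_EXPORT`; if the exported header names differ from the ones assumed here, pass the actual Details column name as the `column` argument.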
Discover IBM i Services and Scheduled Tasks
You can use account discovery to manage credentials of multiple IBM i services and scheduled tasks. PAM can use the target account to manage changes and updates for any services and scheduled tasks that use this account. You do not have to update the password on an individual service or scheduled task basis.
This procedure is for local IBM i accounts. To discover services and scheduled tasks for Active Directory accounts, see Discover Services and Scheduled Tasks for AD Accounts.
Prerequisite
Before you run account discovery, go to the Account Discovery tab of the IBM i Target application. Select the discover option for services or tasks. You can select both.
Discover Services and Tasks
To discover new tasks and services on IBM i accounts, follow these steps:
  1. Select Credentials, Discovery.
  2. On the Scan Profiles tab, select Run for the profile of the account you want to update.
    If a profile does not exist, follow these steps:
    1. Select Add.
    2. Give the profile a Name.
    3. On the Servers tab, select the Server that is associated with the remote account.
    4. Select Run.
  3. Select the Discovered Accounts tab.
    IBM i accounts that have updates available display a green checkbox under the Updates Available column.
  4. Select the Update button for the IBM i account with updates available.
    The Update Discovered Accounts window appears. Available Services and Scheduled Tasks appear on their respective tabs.
  5. Select OK.
  6. Select Yes when you are prompted to Update Selected Accounts.
  7. To see a list of services and scheduled tasks:
    1. Select Credentials, Manage Targets, Accounts.
    2. Select the Services and Scheduled Tasks tabs to display the lists.
To remove tasks and services from an IBM i target account, follow these steps:
  1. Select Credentials, Manage Targets, Accounts.
  2. Select the account that you want to modify.
  3. Select Update.
  4. Select the Services or Scheduled Tasks tab.
  5. To delete a service or task, select the X next to the entry.