Implementing Password Phrase
Set up your desired password phrase restrictions/options using the ACF2
GSO PWPHRASE record. This record is similar to the GSO PSWD record (for
1-8 char passwords). These are all documented in the ACF2 Administrator
Guide, Chapter 14 (GSO Records) under PWPHRASE.
When the GSO PWPHRASE record specifies ALLOW, this support is activated at
the next IPL or start of ACF2. To activate it immediately, issue the console
command: F ACF2,REFRESH(PWPHRASE)
To allow use of password phrases in TSO, set the GSO TSO record to specify
PWPHRASE. This support is activated at the next IPL or start of ACF2. To
activate it immediately, issue the console command:
F ACF2,REFRESH(TSO)
To see the options in effect, issue the SHOW STATE command (from TSO) and
the password phrase settings will be shown under "PASSWORD PHRASE (PWP)
OPTIONS IN EFFECT:". Issue the SHOW TSO command (from TSO) and check the
"PASSWORD PHRASE LOGON=YES|NO" setting.
Password Phrase Settings
LOGONID PWPALLOW|NOPWPALLOW
    This field overrides the NOALLOW specification on the GSO PWPHRASE
    record BUT NOT the GSO TSO NOPWPHRASE.
GSO TSO PWPHRASE|NOPWPHRASE
    TSO Setting MUST be set for TSO usage of Password Phrase.
GSO PWPHRASE ALLOW|NOALLOW ** Global setting except for TSO
    ALPHA(0|nnn)
    CMD-CHG|NOCMD-CHG
    HISTORY(0|nn)
    LID|NOLID
    MAXDAYS(100|nnn)
    MAXLEN(100|nnn)
    MINDAYS(0|nnn)
    MINLEN(9|nnn)
    MINWORD(1|nnn)
    NUMERIC(0|nnn)
    REPCHAR(null|0|nn)
    SPECIAL(0|nnn)
    SPECLIST()
    TEMP-AGE|NOTEMP-AGE
    WARNDAYS(1|nnn)
Details on the LOGONID Password Phrase PWPALLOW|NOPWPALLOW parameter can be
found in the r15 CA ACF2 for z/OS Administration Guide, Chapter 3:
Maintaining Logonid Records in section 'Logonid Record Fields'.
Details on the GSO PWPHRASE Password Phrase ALLOW|NOALLOW parameter can be
found in the r15 CA ACF2 for z/OS Administration Guide, Chapter 14:
Maintaining Global System Options Records in section 'Password Phrase
Record (PWPHRASE)'.
Password Phrase PWPHRASE Profile Records
The PWPHRASE segment of the USER profile is used to retain user password phrase
control information and history.
PWP-EXP|NOPWP-EXP
PWP-HST(0|nn) **
PWP-MAXD(0|nnn)
PWP-TOD(date) **
PWPA1TOD(date) **
PWPHRASE(password phrase)
** Note: This field is managed internally by CA ACF2 and cannot be modified by
the ACF command.
Password Phrase Related Informational Logonid Fields
PSWD-DAT        Specifies the date of the last invalid password or
                password phrase attempt.
PWP-VIO(count)  Specifies the number of password phrase violations
                that occurred on PSWD-DAT.
TSO Notes:
If your logonid has the PWPALLOW option on but the GSO PWPHRASE record has
NOALLOW, you will not be able to use a password phrase for TSO logon unless
the GSO TSO PWPHRASE is set.
All password phrases must be entered in single quotes for TSO logon.
Otherwise, they will be confused with other TSO logon parameters such as
RECONNECT or FSCREEN.
(See Misc Note 7.)
Details on the GSO TSO Password Phrase PWPHRASE|NOPWPHRASE parameter can be
found in the r15 CA ACF2 for z/OS Administration Guide, Chapter 14:
Maintaining Global System Options Records in section 'Time-Sharing Options
and Defaults (TSO)'.
CICS Notes:
- ACF2/CICS CTS 4.2 support maintenance and CICS/TS 4.2 or above is required.
- To use password phrases in CICS, the ACF2/CICS SIGNON parameter
TRANONL=CESL|tranid must be specified to identify the transaction code
designated as a sign-on request with a password or a password phrase.
CESL specifies the standard CICS-supplied transaction ID that designates a
sign-on request with a password or password phrase.
- Password phrases are mixed case. For CICS (CTS): "Each terminal must be
capable of mixed-case data entry. This is controlled by the UCTRAN
definition within the TYPETERM CICS RDO definition used for terminal
autoinstall processing or by the UCTRAN definition for TERMINAL..."
- Quick signon is not allowed for password phrases.
Details on the ACF2/CICS Password Phrase parameter can be found in the
r15 CA ACF2 for z/OS CICS Support Guide, Chapter 5: CICS Interface Parameters
in section 'SIGNON-Sign-on Control Options'.
Misc Notes
- When implementing password phrases, an administrator must set each user's
first password phrase; from that point forward, end users can change
their own password phrase. The only other option is for the end user to set
their own first password phrase using the TSO ACF command processor (if
allowed).
- After implementing the use of password phrases, there is no way to prevent
users from using passwords except by having an administrator change
all users' passwords to an unknown value.
- Password phrases may be used for user authentication with applications that
support password phrases. You may have both a password and a password phrase
defined to your Logonid. Password phrases are not required to be specified.
- Password phrases may be used for user authentication with applications that
support password phrases. You may have a password and a password phrase
defined to your Logonid. Password phrases are not required to be specified.
- You can authenticate passwords for applications that support only
passwords. However, passwords and password phrases are mutually exclusive
for authentication. You may authenticate using only one, a password or
password phrase, but not both, during a single authentication process for
applications that support both passwords and password phrases.
- If the password or password phrase is expired, the user will be prompted
to enter a new password or new password phrase depending on what is
entered (password or password phrase) and what is expired. For example,
if a password is expired and a password phrase is entered at the
'ACF82006 ACF2, ENTER PASSWORD OR PASSWORD PHRASE -' prompt, the user will
not receive the 'ACF01017 PASSWORD FOR LOGONID logonid HAS EXPIRED' message.
- The logonid PWPALLOW|NOPWPALLOW does not pertain to TSO signons. If
GSO TSO PWPHRASE and GSO PWPHRASE ALLOW are set, TSO users will receive
the ACF82006 prompt for password or password phrase regardless of the
logonid PWPALLOW|NOPWPALLOW.
- The logonid PWPALLOW|NOPWPALLOW overrides the GSO PWPHRASE NOALLOW for
other environments except for TSO.