CA ACF2

Tues Tip: Implementing Password Phrase with CA ACF2

  • 1.  Tues Tip: Implementing Password Phrase with CA ACF2

    Posted 07-24-2014 09:19 AM

    Implementing Password Phrase

     

    Set up your desired password phrase restrictions/options using the ACF2  

    GSO PWPHRASE record.  This record is similar to the GSO PSWD record (for 

    1-8 char passwords).  These are all documented in the ACF2 Administrator 

    Guide, Chapter 14 (GSO Records) under PWPHRASE.                         

                                                                            

    When you set the GSO PWPHRASE record to specify ALLOW, then the next      

    IPL or start of ACF2 will activate this support or to activate this support

    immediately issue the console command:  F ACF2,REFRESH(PWPHRASE)   

     

    To allow use of Password phrase in TSO set the GSO TSO record to specify

    PWPHRASE, then the next IPL or start of ACF2 will activate this support or to

    activate this support immediately issue the console command: 

     

       F ACF2,REFRESH(TSO)

                                                                          

    To see the options in effect, issue the  SHOW STATE  command (from TSO) and

    the password phrase settings will be shown under "PASSWORD PHRASE (PWP)

    OPTIONS IN EFFECT:". Issue the SHOW TSO command (from TSO) and check the

    "PASSWORD PHRASE LOGON=YES|NO" setting.

     

    Password Phrase Settings

     

    LOGONID PWPALLOW|NOPWPALLOW

           This field overrides the NOALLOW specification on the GSO PWPHRASE

           record BUT NOT the GSO TSO NOPWPHRASE.

     

    GSO TSO PWPHRASE|NOPWPHRASE

           TSO Setting MUST be set for TSO usage of Password Phrase.

     

    GSO PWPHRASE ALLOW|NOALLOW    ** Global setting except for TSO

                ALPHA(0|nnn)

                CMD-CHG|NOCMD-CHG 

                HISTORY(0|nn)

                LID|NOLID

                MAXDAYS(100|nnn) 

                MAXLEN(100|nnn)

                MINDAYS(0|nnn)

                MINLEN(9|nnn)

                MINWORD(1|nnn)

                NUMERIC(0|nnn)

                REPCHAR(null|0|nn)

                SPECIAL(0|nnn)

                SPECLIST()

                TEMP-AGE|NOTEMP-AGE

                WARNDAYS(1|nnn)

     

    Details on the LOGONID Password Phrase PWPALLOW|NOPWPALLOW parameter can be

    found in the r15 CA ACF2 for z/OS Administration Guide, Chapter 3:

    Maintaining Logonid Records in section 'Logonid Record Fields'.

     

    Details on the GSO PWPHRASE Password Phrase ALLOW|NOALLOW parameter can be

    found in the r15 CA ACF2 for z/OS Administration Guide, Chapter 14:

    Maintaining Global System Options Records in section 'Password Phrase

    Record (PWPHRASE)'.

     

    Password Phrase PWPHRASE Profile Records

     

    The PWPHRASE segment of the USER profile is used to retain user password phrase

    control information and history.

     

                PWP-EXP|NOPWP-EXP

                PWP-HST(0|nn) **

                PWP-MAXD(0|nnn)

                PWP-TOD(date) **

                PWPA1TOD(date) **

                PWPHRASE(password phrase)

     

    ** Note: This field is managed internally by CA ACF2 and cannot be modified by

            the ACF command.

     

     

    Password Phrase Related Informational Logonid Fields

     

    PSWD-DAT       Specifies the date of the last invalid password or

                  password phrase attempt.

    PWP-VIO(count) Specifies the number of password phrase violations

                  that occurred on PSWD-DAT.

     

     

    TSO Notes:

     

    • If your logonid has the PWPALLOW option on but the GSO PWPHRASE record has

      NOALLOW, you will not be able to use a password phrase for TSO logon unless

      the GSO TSO PWPHRASE is set.

       
    • All password phrases must be entered in single quotes for TSO logon.

      Otherwise, they will be confused with other TSO logon parameters such as

      RECONNECT or FSCREEN.

       
    • See Misc Note 7)

     

     

    Details on the GSO TSO Password Phrase PWPHRASE|NOPWPHRASE parameter can be

    found in the r15 CA ACF2 for z/OS Administration Guide, Chapter 14:

    Maintaining Global System Options Records in section 'Time-Sharing Options

    and Defaults (TSO)'.

     

    CICS Notes:

     

    • ACF2/CICS CTS 4.2 support maintenance and CICS/TS 4.2 or above is required. 
    • To use Password phrases in CICS the ACF2/CICS SIGNON parameter

      TRANONL=CESL|tranid must be specified to identify the transaction code

      designated as a sign-on request with a password or a password phrase.

      CESL-Specifies the standard CICS-supplied transaction ID that designates a

      sign-on request with a password or password phrase.

       
    • Password Phrases are mixed case, for CICS(CTS)  "Each terminal must be

      capable of mixed-case data entry. This is controlled by the UCTRAN

      definition within the TYPETERM CICS RDO definition used for terminal

      autoinstall processing or by the UCTRAN definition for TERMINAL..." 

      Quick signon is not allowed for Password phrases.

     

    Details on the ACF2/CICS Password Phrase parameter can be found in the

    r15 CA ACF2 for z/OS CICS Support Guide, Chapter 5: CICS Interface Parameters

    in section 'SIGNON-Sign-on Control Options'.

     

    Misc Notes

     

    1. When implementing Password Phrase an administrator must set user's first

      Password Phrase, from that point moving forward the end users can change

      their password phrase. The only other option is for the end user to set

      their own first Password Phrase using the TSO ACF command processor(if

      allowed).

       
    2. After implementing the use of Password Phrases there is no way to prevent

      user's from utilizing passwords except by having an administrator change

      all user's passwords to an unknown value.

       

      Password phrases may be used for user authentication with applications that

      support password phrases. You may have both a password and a password phrase

      defined to your Logonid. Password phrases are not required to be specified.

        
    3. Password phrases may be used for user authentication with applications that

      support password phrases. You may have a password and a password phrase

      defined to your Logonid. Password phrases are not required to be specified.

       
    4. You can authenticate passwords for applications that support only

      passwords. However, passwords and password phrases are mutually exclusive

      for authentication. You may authenticate using only one, a password or

      password phrase, but not both, during a single authentication process for

      applications that support both passwords and password phrases.

    5. If the password of password phrase is expired, the user will be prompted

      to enter a new password or new password phrase depending on what is

      entered(password or password phrase) and what is expired. For example

      if a password is expired and then at the 'ACF82006  ACF2, ENTER PASSWORD OR

      PASSWORD PHRASE -' prompt a password phrase is entered, the user will not

      receive the 'ACF01017 PASSWORD FOR LOGONID logonid HAS EXPIRED'.

       
    6. The logonid PWPALLOW|NOPWPALLOW does not pertain to TSO signons. If

      GSO TSO PWPHRASE and GSO PWPHRASE ALLOW is set TSO users will receive

      the ACF82006 prompt for password or password phrase regardless of the

      logonid PWPALLOW|NOPWPALLOW.

       
    7. The logonid PWPALLOW|NOPWPALLOW overrides the GSO PWPHRASE NOALLOW for

      other environments except for TSO.