ACF2

  • 1.  Implementation steps for PWPHRASE

    Posted Jul 15, 2019 05:35 PM
    Our requirement is to enable PWPHRASE, where PWPHRASE should be enabled for 90% of the users; these users should be able to log in using a password phrase only. The remaining 10% of the IDs are legacy IDs that require password signon only. What is the best approach, and what ACF2 settings are required to accomplish this requirement?

    GSO PWPHRASE ALLOW 
    GSO TSO PWPHRASE
    For IDs that should authenticate using password phrase only, enable PWPONLY as a logon ID attribute.
    For IDs that should authenticate using password only, enable PWPORPWD.
    We will enable NOCMD-CHG, to ensure end users are not allowed to set a password phrase using the ACF2 CHANGE command. This is to ensure that IDs that should authenticate using password only are not able to set a password phrase. For IDs that should authenticate using password phrase only, a password phrase will be set by the IAM team.

    Will the above-mentioned steps accomplish the requirement?


  • 2.  RE: Implementation steps for PWPHRASE
    Best Answer

    Broadcom Employee
    Posted Jul 16, 2019 03:07 PM
    We do have a Knowledge article on setting up pass phrases, Article 48022.  

    https://ca-broadcomcsm.wolkenservicedesk.com/wolken/esd/knowledgebase_search?articleId=48022
     
    Most shops have not implemented pass phrases due to the amount of work involved in setting up a unique password phrase for every user, and then passing that information to the user in a secure method.

    Remember, you need to make sure that all your applications on the mainframe are able to accept password phrases.

    What you have suggested would work.  Have any community members implemented password phrases who can offer their "best practice"?



  • 3.  RE: Implementation steps for PWPHRASE

    Posted Jul 16, 2019 03:35 PM
    Hi Ken,

    We did enable pwphrase for another customer, but the PTFs for PWPONLY are not implemented yet; we will test it in their system after applying the PTFs.
    We did not set a pwphrase for any user; rather, an entry was created for each user in the PWPHRASE user profile records, and users were notified to set a new pwphrase via the customer password management portal.
    The 90% pwphrase / 10% password is for another customer, hence we wanted to confirm the best approach. Yes, we have engaged all support teams to verify pwphrase compatibility.

    Thank you for the confirmation, I will test the implementation plan in our test environment.