CA SOLVE:Access Session Management and Password Phrases
Password phrases are 9- to 100-character strings that are used in place of passwords. The external security managers RACF, CA Top Secret and CA ACF2 all support password phrases. Maintenance is now available that provides password phrase support for the SOLVE:Access logon, Multiple Application Interface (MAI) and EASINET Network Solicitor components.
Apart from the password fields being longer, the use of existing passwords is not affected by these changes.
SOLVE logon and Multiple Application Interface
The PTFs RO94161, RO94151, RO94141, RO94150, RO94140, RO94149, RO94145 and RO94136 update SOLVE Management Services and the Multiple Application Interface to accept password phrases in all circumstances where passwords are used. This includes logon, password change, terminal lock and MAI user verification.
To implement password phrases, the SOLVE region must be configured to accept mixed case passwords and to use a security setting that supports password phrase validation. The RUNSYSIN control member must specify XOPT=PWMIX and SEC=NMSAF. SEC=PARTSAF is not supported for password phrases.
The SOLVE logon panel is changed to have a single password field of 100 characters. Data entered longer than 8 characters will be treated as a phrase.
On the password change panel, the password and new password fields are each changed to a pair of fields that together total 100 characters.
MAI User Verification
The MAI User Verification panel password field is changed to be two fields that total 100 characters.
The NMSAF and NMSAFF security options are modified to request verification with the PHRASE operand when appropriate. User-written exits will need to be modified to detect phrases and to use the PHRASE operand on RACROUTE calls where applicable. Word 6 of the logon parameter list now points at a 100-character field that may contain either a password or a password phrase.
The PWD and NEWPWD operands of the &SECCALL verb now accept up to 100 characters of input. The values for PWD and NEWPWD must be consistent: both must be passwords or both must be password phrases.
VTAM Logon Data
An application such as EASINET may be passing the userid and password as bind user data to achieve single signon to the SOLVE:Access region. To achieve the same effect with a password phrase, the /PARMS LOGONUSRDATA parameter group must be updated to specify PHR so that phrases are accepted. Otherwise the first word of the phrase will be treated as the password and the remaining data as a menu option. When the PHR setting is used, the password phrase must be blank padded to 100 characters if a menu option is specified.
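The following Python model, added here as an illustration and not CA product code, captures the three rules stated above: a logon field value longer than 8 characters is treated as a phrase (so an exit must select the PHRASE operand), the PWD and NEWPWD operands of &SECCALL must agree on password versus phrase, and bind user data is split differently depending on whether LOGONUSRDATA specifies PHR. The layout of the bind user data (userid as the first blank-delimited word, then the credential) and the name of the classic RACROUTE password operand (PASSWRD, a RACF keyword not mentioned on this page) are assumptions; the behaviour with and without PHR is modelled directly from the text, so the example shows why an unpadded phrase is mis-parsed without PHR.

```python
# Illustrative model of the SOLVE:Access password phrase handling rules
# described in this note. This is example code, not product code.
from dataclasses import dataclass
from typing import Optional

PASSWORD_MAX = 8          # classic password: 1 to 8 characters
PHRASE_MAX = 100          # password phrase: 9 to 100 characters
LOGON_FIELD_WIDTH = 100   # width of the single logon field / word 6 field


def classify_credential(value: str) -> str:
    """Return 'password' or 'phrase' for a blank-padded logon field value.

    The note states that data longer than 8 characters is treated as a phrase.
    Trailing blanks are padding in a fixed-width field and are not counted.
    """
    text = value.rstrip(" ")
    if not text:
        raise ValueError("empty credential")
    if len(text) > PHRASE_MAX:
        raise ValueError("credential exceeds 100 characters")
    return "password" if len(text) <= PASSWORD_MAX else "phrase"


def racroute_operand(value: str) -> str:
    """Which RACROUTE verification operand a user exit should use.

    PHRASE is the operand named in the note; PASSWRD is assumed to be the
    classic RACF password operand (not stated on this page).
    """
    return "PHRASE" if classify_credential(value) == "phrase" else "PASSWRD"


def check_seccall_change(pwd: str, newpwd: str) -> str:
    """Validate a &SECCALL password change request.

    PWD and NEWPWD must both be passwords or both be phrases; returns the
    common kind, or raises when they are mixed.
    """
    kind_old = classify_credential(pwd)
    kind_new = classify_credential(newpwd)
    if kind_old != kind_new:
        raise ValueError(f"PWD is a {kind_old} but NEWPWD is a {kind_new}")
    return kind_old


@dataclass
class LogonData:
    userid: str
    credential: str
    kind: str
    menu_option: Optional[str]


def parse_logon_user_data(user_data: str, phr: bool) -> LogonData:
    """Split bind user data into userid, credential and menu option.

    Assumed layout: the userid is the first blank-delimited word.
    phr=False models the default LOGONUSRDATA behaviour described in the
    note: the next word is the password and anything left is the menu option.
    phr=True models the PHR setting: the credential occupies a fixed
    100-character blank-padded field and a menu option, if any, follows it.
    """
    userid, _, rest = user_data.partition(" ")
    if not userid:
        raise ValueError("missing userid")
    if not phr:
        credential, _, menu = rest.partition(" ")
    else:
        credential = rest[:LOGON_FIELD_WIDTH]
        menu = rest[LOGON_FIELD_WIDTH:]
    menu_option = menu.strip() or None
    return LogonData(userid, credential.rstrip(" "),
                     classify_credential(credential), menu_option)


if __name__ == "__main__":
    # Constructed sample: a phrase passed as bind data with a menu option.
    phrase = "correct horse battery"
    without_phr = parse_logon_user_data(f"USER01 {phrase} MENU1", phr=False)
    print("without PHR:", without_phr)   # phrase is split: password 'correct'
    with_phr = parse_logon_user_data(
        "USER01 " + phrase.ljust(LOGON_FIELD_WIDTH) + "MENU1", phr=True)
    print("with PHR:   ", with_phr)      # whole phrase kept, menu option MENU1
```

Running the module shows the failure mode the note warns about: without PHR the first word of the phrase becomes the password and the rest becomes a bogus menu option, while with PHR and a blank-padded 100-character field the whole phrase is recovered and the menu option follows it intact.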
&USERPW and MAI session scripting
The &USERPW system variable used in MAI scripting returns the password or password phrase entered when the user logged on. Session scripting procedures will need to change according to the requirements of the application being accessed. Implementation of passtickets and use of the PASSTICKET operand on DEFLOGON statements should be considered for those applications that do not support password phrases.
EASINET Network Solicitor
EASINET is a facility for customization of 3270 network access. It provides for custom logon panels and can provide single signon capability through user verification and passing logon data containing an already verified password.
The &SECCALL CHECK function can now be used to verify a user with a password phrase. However, many applications may not support a password phrase in session bind data. SOLVE and NetMaster products require a configuration change to accept password phrases (see VTAM Logon Data above).
PTFs RO94160, RO94157 and RO94152 provide a subsystem for user verification with a password phrase and subsequent passticket generation for a nominated application. A sample $EASIPHR procedure that uses this subsystem is also provided. The sample demonstrates using multiple fields to accept a password phrase as input and using the subsystem to verify the user and password phrase. The subsystem generates a passticket for the SOLVE region, and the passticket value is then specified on the &LOGON verb used to pass the session. The distributed $ACINIT is updated to contain an example of the PASSPHR subsystem definition.
Note: $EASIPHR is an example only and is not intended for production use.