When using a "Vault" application for passwords any password changes from "non-vaulted" lpars cannot be be CPF'd.  CPF'd passwords will fail on vaulted lpars and cause problems with the vault application.  CPFTARGET(LOCAL) is set in the LPAR Control Options and passwords are still propagated.

Release : 16.0

Component : CA Top Secret for z/OS

CPFTARGET(LOCAL) only controls how administrative commands are propagated.  To stop the delivery of signon password changes and suspensions change the BROADCAST setting for the target node definitions in the NDT.  For example, on CPFSYSID SYST  change the NDT via the following two commands:

TSS REPL(NDT) CPFSYSID(TSST) CPFNODE(TSSP) BROADCAST(NO)  to change the NDT
TSS MODI CPFNODE(TSSP=REFRESH)

This will stop the signon password changes from propagating to the production machine.