Allow Top Secret Password Phrases For MVS Console Signons

Article ID: 140924

Products

Top Secret

Issue/Introduction

According to IBM APAR OA54790, to allow password phrases for console logons, a RACF profile MVS.CONSOLE.PASSWORDPHRASE.CHECK is required for passphrase enablement on consoles. What needs to be done in Top Secret?

Resolution

The OPERCMDS(MVS.CONSOLE.PASSWORDPHRASE.CHECK) resource needs to be owned and permitted to the ALL record in Top Secret.

     TSS ADD(dept) OPERCMDS(MVS.CONSOLE.PASSWORDPHRASE)   

(if not already done. NOTE: The TSS ADD command allows at most 26 characters in an OPERCMDS resource name, which is why the command above specifies MVS.CONSOLE.PASSWORDPHRASE and not MVS.CONSOLE.PASSWORDPHRASE.CHECK. The TSS PERMIT command allows up to 39 characters in an OPERCMDS resource name, so the fully qualified resource can be permitted.)

where 'dept' is the department ACID to own the resource.

     TSS PER(ALL) OPERCMDS(MVS.CONSOLE.PASSWORDPHRASE.CHECK) ACC(ALL)
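
The 26-character ADD limit and 39-character PERMIT limit noted above are easy to trip over when these commands are generated by a script. The following is an added example, not Broadcom or IBM code: it derives the ownership prefix and builds both commands for a given OPERCMDS resource. The function names, the DEPT1 placeholder ACID and the choice to cut the prefix at a qualifier boundary are assumptions of the example.

```python
"""Added example: plan TSS ADD / TSS PERMIT commands for an OPERCMDS resource."""

# Length limits as stated in this article for OPERCMDS resource names.
ADD_MAX = 26     # longest name accepted on TSS ADD
PERMIT_MAX = 39  # longest name accepted on TSS PERMIT


def ownership_prefix(resource, limit=ADD_MAX):
    """Return the longest run of whole leading qualifiers that fits in `limit`.

    Cutting at a qualifier boundary is a choice made for this example; it
    reproduces the article's MVS.CONSOLE.PASSWORDPHRASE prefix.
    """
    qualifiers = resource.split(".")
    if not all(qualifiers):
        raise ValueError(f"empty qualifier in {resource!r}")
    prefix = ""
    for qualifier in qualifiers:
        candidate = f"{prefix}.{qualifier}" if prefix else qualifier
        if len(candidate) > limit:
            break
        prefix = candidate
    if not prefix:
        raise ValueError(f"first qualifier of {resource!r} exceeds {limit} characters")
    return prefix


def plan_commands(resource, dept, acid="ALL", access="ALL"):
    """Build the ownership and permit commands, rejecting names PERMIT cannot take."""
    resource = resource.strip().upper()
    if len(resource) > PERMIT_MAX:
        raise ValueError(
            f"{resource!r} is {len(resource)} characters; TSS PERMIT allows {PERMIT_MAX}"
        )
    return [
        f"TSS ADD({dept}) OPERCMDS({ownership_prefix(resource)})",
        f"TSS PER({acid}) OPERCMDS({resource}) ACC({access})",
    ]


if __name__ == "__main__":
    # DEPT1 is a placeholder department ACID, not a value from the article.
    for command in plan_commands("MVS.CONSOLE.PASSWORDPHRASE.CHECK", "DEPT1"):
        print(command)
```
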

Per the IBM documentation:

**
Consoles password phrase support becomes enabled on a system when the security profile is defined. There is no authority access checking from a user ID perspective.

The consoles function checks for the existence of a security profile in the OPERCMDS class to cover the MVS.CONSOLE.PASSWORDPHRASE.CHECK resource.

For example, the following RACF command can be used to define the profile:

RDEFINE OPERCMDS (MVS.CONSOLE.PASSWORDPHRASE.CHECK)

If the profile exists, the new LOGON panel display is revealed which will allow for either the new password phrase input or the standard eight (8) character passwords.

After enabling password phrases, active consoles need to be recycled to pick up the setting. If the console is not recycled, the 8-character password processing remains in effect for that console. There are several ways to recycle the console so the new password state is used:
     • Place the console in standby mode (VARY CN(*),STANDBY) and then take the console out of standby mode by pressing the enter key on the console.
     • Vary the console offline (VARY CN(cnname),OFFLINE) and then back online (VARY CN(cnname),ONLINE). Note that the online request must be made from another active console.
     • Re-IPL the system.
     • Note that SMCS consoles do not support standby, so they must be logged off and then reconnected to z/OS.

Note that during the process of an operator logging on, z/OS may issue messages referring to passwords. In these messages, passwords mean either passwords (8-byte variety) or password phrases.
**

So after permitting OPERCMDS(MVS.CONSOLE.PASSWORDPHRASE.CHECK) to the ALL record, the active consoles should be recycled to pick up the new setting following one of the bullets above.